The Story about Codex Assumptions (Mini-OS?) -------------------------------------------- This page documents all the assumptions Codex currently makes with regards to properties of the ELF Application containg an Operating System and its Tasks to be analyzed. While the stated goal of Codex has been analysis of any operating system, some information can not be automatically inferred, such as the entry point of the kernel. Two mechanisms are currently used to add information: - Symbols (in the ELF binary) - Annotations (in Codex source code) Finally certain behaviour is required from some symbols: ``_start`` in particular seems expected to prepare the system for task-switching, and eventually drop privileges. An incomplete analysis is presented in section :ref:`start-section`. Symbols ^^^^^^^ * ``_begin_of_all``: (address label) Indicates start of kernel- and user-code address space, i.e. code and data segments. * ``_end_of_readonly``: (address label) Indicates end of read-only kernel- and user-code address space, i.e. after code, before data. Because Codex does not support self-modifying code, this must be start of, or offset into data segment. * ``_end_of_kernel``: (address label) Despite its name, this appears to indicate the end of both kernel and user application. TBD: validate this assumption! * ``user_tasks_image``: (address label) Start of structured data describing all tasks to the Operating System. OS-specific, structure implemented in Codex at *src/codex/x86_types.ml*. * ``_start``: (function) Probably the kernel entry point. * ``asm_syscall_handler``: (function) * ``copy_context``: * ``error_infinite_loop``: * ``init_reserve``: * ``fatal``: * ``terminal_initialize``: * ``terminal_newline``: * ``terminal_writestring``: These are functions are OS-specific, and have custom handling implemented in Codex at *src/codex/x86_settings.ml*. There are more symbols not yet documented, because they are only used in a later execution stage of Codex - such as ``_start_of_user_tasks``. TODO: add them here! Annotations ^^^^^^^^^^^ Codex source files *src/codex/x86_settings.ml* and *src/codex/x86_types.ml* contains most of the annotations. They allow the abstract interpretation to reason about saved registers, stack pointers and address spaces that are used for context switching - and specify expected invariants that must hold for error-free execution. Experiments ^^^^^^^^^^^ Learning about Symbol Lookups """"""""""""""""""""""""""""" The following one-line change can be added to Codex, so that every time a symbol is looked up - a message appears on stdout for later use: .. code-block:: diff diff --git a/binsec/src/loader/loader_utils.ml b/binsec/src/loader/loader_utils.ml index 0110fa8..c519adb 100644 --- a/binsec/src/loader/loader_utils.ml +++ b/binsec/src/loader/loader_utils.ml @@ -28,6 +28,7 @@ let get_byte_at img addr = let address_of_symbol ~name img = let symbols = Loader.Img.symbols img in + Printf.printf "Looking for symbol %s\n" name; try Some (Loader.Symbol.value (Array_utils.find Tracing Exceptions """""""""""""""""" Binsec has not been designed to print meaningful error messages, when its assumptions on particular features of the input executable do not hold. Error messages can look inconclusive: .. code-block:: text [codex:debug] attempt to set esp [codex:debug] Setting esp to ( + [--..--], Top) [codex:debug] load: returns Bottom minor_words: 5275096 major_words: 574656 promoted_words: 484821 total_allocated: 5364931 Fatal error: exception Not_found As a first hint, OCaml does support showing traces when exceptions occur. This feature can be activated for any OCaml binary with debug info (built with ``-g``, unstripped) through the ``OCAMLRUNPARAM`` environment variable: .. code-block: sh env OCAMLRUNPARAM=b binsec -config binsec.ini main.exe ... The extended output for the exception above shows the entire call-trace, indicating which source-files and line numbers lead to the exception: .. code-block: sh Fatal error: exception Not_found Raised at file "hashtbl.ml", line 506, characters 17-32 Called from file "codex/analyze.ml" (inlined), line 506, characters 4-44 Called from file "codex/analyze.ml", line 877, characters 26-54 Called from file "codex/analyze.ml", line 1082, characters 22-117 Called from file "hashtbl.ml", line 266, characters 8-18 Called from file "hashtbl.ml", line 272, characters 6-21 Re-raised at file "hashtbl.ml", line 277, characters 4-13 Called from file "main.ml", line 88, characters 0-7 Minimal 386 assembly """""""""""""""""""" For complete symbol happiness, and to get Codex to startits interpretation, a small program can be written in assembly, without any meaningful application logic - as basis for further experiments. This program does not complete all symbols used by Codex yet, only those discovered during operating-system startup (``_start``). .. literalinclude:: codex_assumptions/min-app.S :language: gas after code .. _start-section: Behaviour of ``_start`` ^^^^^^^^^^^^^^^^^^^^^^^ The first execution stage interprets operating system startup, by following the _start symbol. There is a currently unknown implicit expectation from codex for how start must terminate. When this expectation isn't met, a rather meaningless error similar to the following will be generated: .. code-block:: text minor_words: 4913804 major_words: 561295 promoted_words: 474994 total_allocated: 5000105 Fatal error: exception Not_found The authors of Codex have provided 4 example combinations of educrtos, user tasks and injected errors. The educrtos example with 10 tasks, also called rq3, is used for a side-by-side comparison with a minimal elf application producing the aforementioned error. During analysis, several dot-files are generated that represent the execution trace traversedby Codex. The first generated trace is `init_cpu0.dot`. It is the result of analysing the _start symbol - which should implement operating-system startup and initialization of state. When the error condition occurs, this is also the only graph generated - indicating that the problem lies within _start or its analysis. .. image:: codex_assumptions/init_cpu0.svg :width: 150 From the trace above it is clear that analysis eventually terminates at address 0xcafecaf0. Based on comments in the Codex implementation, this is a mock address for internal purposes. The previous execution point is at 0x104125. A disassembly from ``objdump`` shows that 0x104125 is near the end of the ``hw_context_switch_no_idle`` function, where the ``DS`` register is overwritten with an unknown value from memory. .. code-block:: c-objdump 0010407d : 104120: e8 ef 0c 00 00 call 104e14 104125: 8e 5b 30 mov ds,WORD PTR [ebx+0x30] 104128: 89 dc mov esp,ebx 10412a: 61 popa 10412b: cf iret Further experiments with explicitly modifying the ``DS`` register in custom code did not lead to success. Rather it appears that Codex is waiting for a change in execution privilege level. This is very likely hidden right in the write to ``DS``. Values written to the 386 segment registers include a 5-bit index into either the General Description Table or a Local Description Table, an additional bit to choose between GDT and LDT, and finally 2 bits to specify a permission level. As the value written is not easily known, a different experiment is needed to gain more insight into this suspicion: The error message can be traced to a particular piece of Codex code near the end of the ``analyze``-function: .. code-block:: ocaml (* Do an analysis and returns the set of written data addresses, the set of * read data addresses, and the state at {expected_last_instr} (or one of them, * if it is present several times in the CFG). If {expected_last_instr} is not * in the CFG, {Invalid_argument} is thrown. *) let analyze img start ctx init_state graph_filename expected_last_instr = ... if not except_thrown then begin ... match expected_last_instr with | Some instr -> let final_state = Regex_tbl.latest_state instr in ret, Some final_state, Record_cfg.visited_instructions trace | None -> ret, None, Record_cfg.visited_instructions trace end .. code-block:: diff diff --git a/binsec/src/codex/analyze.ml b/binsec/src/codex/analyze.ml index 012de0c..dbb483b 100644 --- a/binsec/src/codex/analyze.ml +++ b/binsec/src/codex/analyze.ml @@ -870,6 +870,7 @@ let analyze img start ctx init_state graph_filename expected_last_instr = let ret = !written_data_addrs, !read_data_addrs in written_data_addrs := empty; read_data_addrs := empty; (* Return state at {expected_last_instr} *) + Printf.printf "Going to match Record_cfg.visited_instructions with expected_last_instr %s\n" to_string expected_last_instr; match expected_last_instr with | Some instr -> let final_state = Regex_tbl.latest_state instr in At this point the abstract interpretation has finished, and something called an *expected last instruction* is searched in the execution trace, but - according to the error message - "Not_found". By adding a ``printf`` right above the matching logic, this particular moment in Codex execution can be uniquely identified in its length debug output. First, with the failing application: .. code-block:: text $ binsec -config binsec.ini app.exe -codex-x86-types rr -codex-nb-tasks 1 -codex-no-dyn-threads -codex-debug-level 9 ... [codex:debug] Dereferenced type: ParamT ((context)[10]* with (self != 0), + {0}, + {-10}, 0) Going to match Record_cfg.visited_instructions with expected_last_instr minor_words: 4953047 major_words: 564207 promoted_words: 477486 total_allocated: 5039768 Fatal error: exception Not_found Then with the known educrtos binary: .. literalinclude:: codex_assumptions/codex-educrtos-debug.log :language: text :lines: 39081-39100 The Full log-file is available here: :download:`codex_assumptions/codex-educrtos-debug.log` The last event changes the privilege level, right after what looks like a full context switch. This seems to confirm that Codex expects _start to eventually lead to either context switch, or dropping of privilege. Further effort will be required to confirm what exactly it is, or find a small example.