From: Felix Schmoll
Subject: Re: [GSoC] GSoC Introduction : Fuzzing Xen hypercall interface
Date: Thu, 16 Mar 2017 16:53:38 +0100
To: Wei Liu
Cc: xen-devel@lists.xenproject.org
In-Reply-To: <20170313111439.abjbrw5hyu4eda7y@citrix.com>

2017-03-13 12:14 GMT+01:00 Wei Liu <wei.liu2@citrix.com>:
> Hi Felix
>
> Thanks for your interest in this project.
>
> On Sun, Mar 12, 2017 at 09:48:11PM +0100, Felix Ekkehard Schmoll wrote:
> > Hi,
> >
> > I’m interested in the “Fuzzing Xen hypercall interface” project so I
> > just wanted to introduce myself:
> >
> > I’m a third-year undergraduate CS student at Jacobs University in
> > Bremen, Germany. It’s a rather small university and rather young but
> > quite successful in the national rankings (*brag*).
> >
> > Last semester I spent as part of an exchange program at CMU where I
> > took the sort of notorious 15-410 Operating Systems course where you
> > have to implement a kernel from scratch in 6 weeks. There the
> > professor (amazing guy) mentioned/promoted GSoC quite a couple of
> > times, and this seems like a really cool project to work on.
> >
> > From the course I have quite a substantial amount of experience in C
> > and ASM on x86, of the GCC toolchain and obviously of kernel
> > programming. I don’t really have any experience with fuzzing yet, but
> > I’m sure I’ll figure that out.
> >
> > I’d appreciate it if you could point me to some small patches I could
> > work on to get going (sorry if I missed the link to it).
> >
> > Also any other comments are of course welcome.
>
> This project is rather challenging given the time scale. As a starter,
> please install Xen from source and try it out -- you can find
> instructions on how to install on the wiki.
>
> Please also have a look at American Fuzzy Lop (the fuzzer we currently
> use) and play with it a bit.
>
> Then, as a small exercise, please provide patches against xen.git for
> two tasks:
>
> 1. implement a hypercall to get back the domain id of the caller domain;
> 2. check out gcc 6's -fsanitize-coverage=trace-pc option and build the
>    hypervisor with that enabled -- building with a stub is fine;
>
> Please then provide some ideas on how you would approach this project.
>
> I know the tasks I described are quite high level so please don't
> hesitate to ask questions.
>
> Note that we don't have to finish all goals listed on the wiki page.
> Realistically I think if we manage to extract the execution paths from
> xen within three months and commit that in xen.git that would be rather
> great progress.
>
> Wei.
>
> >
> > Felix
>

Hi,

I installed Xen from source and I figured out that for the hypercall I have to make a two-line change in xen/xen/common/kernel.c and a couple of headers. I mostly went with what I got by grepping for the "xen_version" hypercall. It seems really basic, but after struggling with this for quite a while I have some questions:

1.
- How do I test this? The usual way to make hypercalls seems to be to use the libxc library, so do I have to change that as well?
- The "xen_version" hypercall had a couple of COMPAT_versions, do I need them? This seems to be related to whether I need to support both ARM and x86, although I'm really not sure here. Is it fine to just choose to support the one which my hypervisor is running on?
- Do I need to make changes in the XSM module? Again, this pops up when grepping for xen_version, but it's disabled by default anyway and I'd otherwise just try to have a minimal working set.

2.
- A stub for what? dom0?

Felix


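Added example (not code from this thread or from xen.git) for the stub in Wei's second task: with -fsanitize-coverage=trace-pc, gcc emits a call to __sanitizer_cov_trace_pc() at the start of every basic block, and the hypervisor only links if that symbol is defined somewhere. The handler is a constructed stand-in with the instrumentation calls written out by hand so the file runs without the flag; toy_handler, cov_len and cov_unique are names assumed here.

```c
/* Added example (not from the thread or xen.git): a stub for gcc's
 * -fsanitize-coverage=trace-pc, which calls __sanitizer_cov_trace_pc()
 * at the start of every basic block. Compile the file holding the stub
 * WITHOUT the flag, otherwise the stub is instrumented and calls itself. */
#include <stddef.h>
#include <stdint.h>

#define COV_MAX 4096
static uintptr_t cov_pcs[COV_MAX];  /* PCs of executed blocks, in order */
static unsigned cov_count;

/* noinline: the return address must be the instrumented call site. */
__attribute__((noinline)) void __sanitizer_cov_trace_pc(void)
{
    if (cov_count < COV_MAX)        /* drop rather than overflow when full */
        cov_pcs[cov_count++] = (uintptr_t)__builtin_return_address(0);
}

void cov_reset(void) { cov_count = 0; }
unsigned cov_len(void) { return cov_count; }   /* path length in blocks */

/* Distinct PCs hit: the coverage set a fuzzer compares across inputs. */
unsigned cov_unique(void)
{
    unsigned n = 0;
    for (unsigned i = 0; i < cov_count; i++) {
        unsigned j = 0;
        while (j < i && cov_pcs[j] != cov_pcs[i]) j++;
        if (j == i) n++;            /* first occurrence of this PC */
    }
    return n;
}

/* Constructed stand-in for a hypercall handler; each call marks one block. */
__attribute__((noinline)) int toy_handler(const unsigned char *arg, size_t len)
{
    __sanitizer_cov_trace_pc();             /* entry block */
    if (len < 2 || arg[0] != 0x42) {
        __sanitizer_cov_trace_pc();         /* reject block */
        return -1;
    }
    int sum = 0;
    for (size_t i = 1; i < len; i++) {
        __sanitizer_cov_trace_pc();         /* loop body, once per byte */
        sum += arg[i];
    }
    __sanitizer_cov_trace_pc();             /* exit block */
    return sum;
}
```

Linked against objects that really are built with the flag, the stub records the hypervisor's path without any hand-written calls; cov_len() then gives the path length and cov_unique() the number of distinct blocks, which is the signal AFL-style fuzzers compare between inputs.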