1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
|
/*
* fault-model.c -- fault injection code for drivers
*
* Copyright (C) 2003 Mike Swift
* Copyright (c) 1999 Wee Teck Ng
*
* The source code in this file can be freely used, adapted,
* and redistributed in source or binary form, so long as an
* acknowledgment appears in derived source files. No warranty
* is attached; we cannot take responsibility for errors or
* fitness for use.
*
*/
/*
* Fault injector for testing the usefulness of NOOKS
*
* Adapted from the SWIFI tools used by Wee Teck Ng to evaluate the RIO
* file cache at the University of Michigan
*
*/
/*
* This tool can inject faults into modules, whether they are loaded into a
* nook or loaded into the kernel (for comparison testing).
*
* There are several classes of faults emulated:
* - Corruption of text
* - corruption
* - simulated programming faults
* - skip initialization (immediate write to EBP-x)
* - remove instruction (replace with NOP)
* - incorrect source/destination (corrupted)
* - remove jmp or rep instruction
* - change address computation for memory access (not stack)
* - change termination condition for loop (change repeat to repeat
* while equal, change condition to !condition)
* - remove instructions loading registers from arguments (ebp+x)
*/
#include <stdio.h>
#include <assert.h>
#include "ddb.h"
#include "db_sym.h"
#include "swifi.h"
#include "extra.h"
#define PDEBUG(args) /* (printf args) */
#define NOP 0x90
static int text_fault(int type, unsigned long btext, unsigned long text_size);
static int randomFaults[] = {
TEXT_FAULT,
NOP_FAULT,
SRC_FAULT,
DST_FAULT,
PTR_FAULT,
LOOP_FAULT,
INTERFACE_FAULT
};
void
swifi_inject_fault(char * module_name,
unsigned long faultType,
unsigned long randomSeed,
unsigned long numFaults)
{
unsigned long btext, etext, text_size;
int type;
/* default number of faults is 5 */
if (numFaults == 0) numFaults = 5;
srandom(randomSeed);
load_nlist(module_name, &btext, &etext);
text_size = etext - btext;
PDEBUG(("text=%lx-%lx, size=%lx\n", btext, etext, text_size));
while (numFaults) {
if ((type = faultType) == RANDOM_FAULT)
type = randomFaults[random() %
(sizeof(randomFaults) / sizeof(randomFaults[0]))];
if (text_fault(type, btext, text_size))
numFaults--;
}
}
static int text_fault(int type, unsigned long btext, unsigned long text_size)
{
unsigned long *addr, taddr;
int j, flip_bit, len, prefix;
unsigned char *c;
/* inject faults into text space */
addr = (unsigned long *)
(btext + ((unsigned long) (random()&~0xf) % text_size));
/* now the tricky part */
taddr=(unsigned long) addr;
if (type != TEXT_FAULT) {
addr = (unsigned long *) find_faulty_instr(taddr, type, &len);
/* do it over again if we can't find the right instruction */
if (!addr || !len)
return FALSE;
}
PDEBUG(("target addr=%lx, instr addr=%p, %lx=>", taddr, addr,
text_read_ul(addr)));
switch (type) {
case TEXT_FAULT:
flip_bit = random() & 0x1f;
PDEBUG(("flip bit %d => ", flip_bit));
flip_bit = 1 << flip_bit;
text_write_ul(addr, text_read_ul(addr)^flip_bit);
break;
case NOP_FAULT:
case INIT_FAULT:
case BRANCH_FAULT:
case INTERFACE_FAULT:
case IRQ_FAULT:
c = (unsigned char *) addr;
for (j = 0; j < len; j++) {
/* replace these bytes with NOP (*c=NOP) */
text_write_ub(c, NOP);
c++;
}
break;
case DST_FAULT:
case SRC_FAULT:
/* skip thru the prefix and opcode, and flip bits in following bytes */
c=(unsigned char *) addr;
do {
switch (text_read_ub(c)) {
case 0x66: case 0x67: case 0x26: case 0x36:
case 0x2e: case 0x3e: case 0x64: case 0x65:
case 0xf0: case 0xf2: case 0xf3:
prefix = 1;
break;
default:
prefix = 0;
break;
}
if (prefix) {
c++;
}
} while (prefix);
if(text_read_ub(c)>=0xd8 && text_read_ub(c)<=0xdf) {
/* don't mess with fp instruction, yet */
PDEBUG(("floating point instruction, bailing out\n"));
return FALSE;
}
if(text_read_ub(c)==0x0f) {
c++;
}
if(text_read_ub(c)==0x0f) {
c++;
}
c++;
len = len-((long) c - (long) addr);
if (len == 0)
{
PDEBUG(("text_fault: len = %d\n", len));
return FALSE;
}
flip_bit = random() % (len*8);
PDEBUG(("flip bit %d (len=%d) => ", flip_bit, len));
for(j=0; j<len; j++) {
/* go to the right byte */
if(flip_bit<8) {
flip_bit = 1 << flip_bit;
text_write_ub(c, (text_read_ub(c)^flip_bit));
j=len;
}
c++;
flip_bit = flip_bit-8;
}
break;
case PTR_FAULT:
/* 5f) ptr: if instruction has regmodrm byte (i_has_modrm),
* flip 1 bit in lower byte (0x0f) or any bit in following
* bytes (sib, imm or disp).
*/
c=(unsigned char *) addr;
do {
switch (text_read_ub(c)) {
case 0x66: case 0x67: case 0x26: case 0x36:
case 0x2e: case 0x3e: case 0x64: case 0x65:
case 0xf0: case 0xf2: case 0xf3:
prefix = 1;
break;
default:
prefix = 0;
break;
}
if (prefix) {
c++;
}
} while (prefix);
if(text_read_ub(c)>=0xd8 && text_read_ub(c)<=0xdf) {
/* don't mess with fp instruction, yet */
PDEBUG(("floating point instruction, bailing out\n"));
return FALSE;
}
if(text_read_ub(c)==0x0f) {
c++;
}
if(text_read_ub(c)==0x0f) {
c++;
}
c++;
len = len-((long) c - (long) addr);
flip_bit = random() % (len*8-4);
PDEBUG(("flip bit %d (len=%d) => ", flip_bit, len));
/* mod/rm byte is special */
if (flip_bit < 4) {
flip_bit = 1 << flip_bit;
text_write_ub(c, text_read_ub(c)^flip_bit);
}
c++;
flip_bit=flip_bit-4;
for(j=1; j<len; j++) {
/* go to the right byte */
if (flip_bit<8) {
flip_bit = 1 << flip_bit;
text_write_ub(c, text_read_ub(c)^flip_bit);
j=len;
}
c++;
flip_bit = flip_bit-8;
}
break;
case LOOP_FAULT:
c=(unsigned char *) addr;
/* replace rep with repe, and vice versa */
if(text_read_ub(c)==0xf3) {
text_write_ub(c, 0xf2);
} else if(text_read_ub(c)==0xf2) {
text_write_ub(c, 0xf3);
} else if( (text_read_ub(c)&0xf0)==0x70 ) {
/* if we've jxx imm8 instruction,
* incl even byte instruction, eg jo (70) to jno (71)
* decl odd byte instruction, eg jnle (7f) to jle (7e)
*/
if(text_read_ub(c)%2 == 0) {
text_write_ub(c, text_read_ub(c)+1);
} else {
text_write_ub(c, text_read_ub(c)-1);
}
} else if(text_read_ub(c)==0x66 || text_read_ub(c)==0x67) {
/* override prefix */
c++;
} else if(text_read_ub(c++)==0xf && (text_read_ub(c)&0xf0)==0x80 ) {
/* if we've jxx imm16/32 instruction,
* incl even byte instruction, eg jo (80) to jno (81)
* decl odd byte instruction, eg jnle (8f) to jle (8e)
*/
if(text_read_ub(c)%2 == 0) {
text_write_ub(c, text_read_ub(c)+1);
} else {
text_write_ub(c, text_read_ub(c)-1);
}
}
break;
case STOP_FAULT:
text_write_ub(addr, BKPT_INST);
break;
default:
assert(0);
}
return TRUE;
}
|
