-------------------------------------------------------------------------------
UB Canaries: A collection of C/C++ programs that detect undefined behavior
exploitation by compilers.
-------------------------------------------------------------------------------

To run all tests, type:

  run-canaries

For a complete list of command line options:

  run-canaries --help

-------------------------------------------------------------------------------

Each directory documents and tests an expectation: something a developer
might -- perhaps unreasonably! -- expect the compiler to do when faced with
undefined behavior. For example, the "uninitialized-variable" directory tests
the expectation that an uninitialized scalar variable will consistently return
some value that is legal for the variable's type.

If any test program in a directory does not display the expected behavior (for
a given compiler version + flags), then that compiler is considered to violate
that expectation.

The toplevel script run-canaries tests the expectations for a specified
collection of compilers and compiler flags. For now, you need to edit that file
to change the set of compilers and flags.

The output of run-canaries is, for each compiler / flag / canary combination, a
bit that tells us whether that compiler has been observed to exploit that
particular UB (in other words, whether it has been observed violating the
expectation). Note that a 0 only means the exploitation was not observed by
the canaries in that directory, not that the compiler never performs it. So
here, for example, clang has been seen to exploit signed integer overflows and
uninitialized variables, but not signed left shifts:

  clang -O3 signed-left-shift 0
  clang -O3 signed-integer-overflow 1
  clang -O3 uninitialized-variable 1

-------------------------------------------------------------------------------

Guidelines for writing tests:

- Each test program should be entirely contained (except for standard header
  files) in a single compilation unit.

- An expectation should only be tested by looking at a program's stdout, never
  by looking at its assembly code or observing its memory usage or execution
  time.

- A test program foo.c may have one or more outputs corresponding to the
  "expected" case where the compiler does not exploit that UB. If there is one
  such file it should be called foo.output. If there are multiple files they
  should be called foo.output1, foo.output2, etc. If the actual output does not
  match any of these files, the compiler is assumed to have exploited the UB.

- Every test program must test only a single UB. In other words, each test
  program is written in a dialect of C that is completely standard except that
  a single behavior (signed integer overflow or whatever) is actually defined
  instead of undefined.

- Reliance on implementation-defined behavior is unavoidable, but please avoid
  gratuitous reliance such as assuming a particular size for int or long. It is
  OK to use the fixed-width types such as int32_t.

- A tricky issue is how much to expose to the optimizer and how much to hide.
  There are no particularly good rules of thumb that I am aware of; you just
  have to try different things.

- An easier issue is *how* to hide from the optimizer. I suggest introducing a
  dependency on argc or on the value loaded from a volatile. Tests may assume
  that argc == 1.

-------------------------------------------------------------------------------
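The following is an added example of a canary written to the guidelines above; it is not one of the repository's own test programs. It tests the signed-integer-overflow expectation that int32_t addition wraps around (INT32_MAX + 1 == INT32_MIN). The value INT32_MAX is hidden behind a volatile load so the optimizer cannot fold the addition, the only UB exercised is the one signed overflow, and the result is observed purely through stdout. The corresponding expected-output file (assumed name: signed-integer-overflow-add.output) would contain the single line "wrapped"; an optimizer that folds `x + 1 < x` to false under the no-overflow assumption makes the program print "no wrap" instead, which run-canaries would record as a 1 for that compiler and flag set. The function and file names are assumptions for illustration.

```c
/* signed-integer-overflow canary (added example; not part of the repository).
 * Expectation: INT32_MAX + 1 wraps to INT32_MIN, so y < x is observed. */
#include <stdint.h>
#include <stdio.h>

/* The constant is hidden behind a volatile object, so the optimizer cannot
 * evaluate x + 1 at compile time. It can still reason about the comparison
 * using the standard's guarantee that signed addition never overflows. */
static int32_t hidden_int32_max(void) {
    volatile int32_t v = INT32_MAX;
    return v;
}

/* Returns 1 if wraparound is observed (expectation holds) and 0 if the
 * comparison was folded to false (the compiler exploited the UB). */
int signed_overflow_wraps(void) {
    int32_t x = hidden_int32_max();
    int32_t y = x + 1;              /* the single UB this canary exercises */
    return (y < x) ? 1 : 0;
}

/* The "expected" answer, computed without UB: do the same addition in
 * uint32_t (modular arithmetic is defined) and convert back. The out-of-range
 * uint32 -> int32 conversion is implementation-defined, not undefined, and is
 * INT32_MIN on two's complement targets. This is the value a canary author
 * would write into the .output file; here it is a function so the test can
 * compare it with the canary's result. */
int reference_wraps(void) {
    uint32_t ux = (uint32_t)INT32_MAX;
    uint32_t uy = ux + 1u;          /* 0x80000000 */
    int32_t y = (int32_t)uy;
    return (y < INT32_MAX) ? 1 : 0;
}

int main(void) {
    /* Only stdout is observed, as the guidelines require. */
    puts(signed_overflow_wraps() ? "wrapped" : "no wrap");
    return 0;
}
```

Compile the program twice, e.g. with -O0 and with -O3, and compare stdout with the .output file in each case; with -O0 both outputs read "wrapped" on a two's complement target, and any difference at -O3 is exactly the signal run-canaries records.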
collection of C/C++ programs that try to get compilers to exploit undefined behavior
Overview
Comments
-
Canary for &foo->bar when foo is NULL
This is probably my "favorite" instance of UB. I tend to find programs doing this either as a replacement for offsetof (for whatever reason) or just because it's computing some addresses before determining whether the base is NULL or not. I haven't caught clang or gcc exploiting this one yet, but I wouldn't be surprised if it did.
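An added example of a canary for the pattern described in the comment above (written for this page; not code from the repository or the commenter). The expectation under test is the one the "offsetof replacement" idiom relies on: taking the address of a member through a null pointer, without loading through it, yields NULL plus the member offset, and a later `p == NULL` check is still evaluated. The single UB exercised is the member access through the null pointer; the pointer is hidden behind a volatile so the optimizer cannot see the NULL at compile time, and the outcome is reported on stdout rather than by inspecting assembly. The struct, function and output names are assumptions for illustration; the expected .output would contain "check kept".

```c
/* null-base member address canary (added example; not part of the repository).
 * Expectation: &base->payload with base == NULL does not let the compiler
 * assume base != NULL, so the explicit NULL check afterwards still runs. */
#include <stddef.h>
#include <stdio.h>

struct hdr {
    int tag;
    int payload;
};

/* Returns 1 if the NULL check after the address computation is honoured
 * (expectation holds). Returns the computed member offset instead if the
 * compiler inferred "base cannot be NULL" from &base->payload and deleted
 * the check (expectation violated). No memory is ever loaded through base. */
int null_base_check_kept(void) {
    struct hdr *volatile hidden = NULL;       /* hides NULL from the optimizer */
    struct hdr *base = hidden;
    int *field = &base->payload;              /* UB: base is NULL; no load */
    if (base == NULL)                         /* may be deleted by optimizer */
        return 1;
    return (int)((char *)field - (char *)base); /* reached only if exploited */
}

int main(void) {
    puts(null_base_check_kept() == 1 ? "check kept" : "check dropped");
    return 0;
}
```

Because the canary deliberately does not dereference anything, a compiler that has not drawn the non-null inference prints "check kept" at every optimization level; one that has prints "check dropped", and that line is the whole oracle.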
-
*(volatile t *)&local = …; is argued by some to be unreliable, should be a canary
Here is a POC program:
```c
#include <string.h>

#define L 20

void decrypt(unsigned char * plaintext, unsigned char * ciphertext)
{
    unsigned char w[L];
    memcpy(w, ciphertext, L);
    for (int i = 0; i < L; i++)
        w[i] = w[i] ^ 17;
    for (int i = 1; i < L; i++)
        w[i] = w[i] + w[i-1];
    memcpy(plaintext, w, L);
    /* now for the cleanup: */
    for (int i = 0; i < L; i++)
        ((volatile unsigned char *)w)[i] = 0x07;
}
```
For my version of Clang, I can detect that the cleanup was preserved thus:
```
~ $ clang -S -O -Wall t.c && cat t.s | grep \$7
movb $7, -32(%rbp)
movb $7, -31(%rbp)
movb $7, -30(%rbp)
movb $7, -29(%rbp)
movb $7, -28(%rbp)
movb $7, -27(%rbp)
movb $7, -26(%rbp)
movb $7, -25(%rbp)
movb $7, -24(%rbp)
movb $7, -23(%rbp)
movb $7, -22(%rbp)
movb $7, -21(%rbp)
movb $7, -20(%rbp)
movb $7, -19(%rbp)
movb $7, -18(%rbp)
movb $7, -17(%rbp)
movb $7, -16(%rbp)
movb $7, -15(%rbp)
movb $7, -14(%rbp)
movb $7, -13(%rbp)
~ $ clang -v
Apple LLVM version 5.1 (clang-503.0.40) (based on LLVM 3.4svn)
Target: x86_64-apple-darwin13.4.0
Thread model: posix
```
And the same oracle works for an oldish version of GCC:
```
$ gcc -std=c99 -S -O -Wall t.c && cat t.s | grep \$7
movb $7, (%rax)
$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.8/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 4.8.4-2ubuntu1~14.04' --with-bugurl=file:///usr/share/doc/gcc-4.8/README.Bugs --enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.8 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.8 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --disable-libmudflap --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.8-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04)
```
-
Sequencing UB
May need some modification of the expected output. It's extremely hard to reason about what someone would actually expect these programs to do.
Signed-off-by: Scotty Bauer [email protected]