collection of C/C++ programs that try to get compilers to exploit undefined behavior

Overview
-------------------------------------------------------------------------------

UB Canaries: A collection of C/C++ programs that detect undefined
behavior exploitation by compilers.

-------------------------------------------------------------------------------

To run all tests, type:

  run-canaries

For a complete list of command line options:

  run-canaries --help

-------------------------------------------------------------------------------

Each directory documents and tests an expectation: something a developer might
-- perhaps unreasonably! -- expect the compiler to do when faced with undefined
behavior. For example, the "uninitialized-variable" directory tests the
expectation that an uninitialized scalar variable will consistently return some
value that is legal for the variable's type.

If any test program in a directory does not display the expected behavior (for a
given compiler version + flags), then that compiler is considered to violate
that expectation.

The toplevel script run-canaries tests the expectations for a
specified collection of compilers and compiler flags. For now, you
need to edit that file to change the set of compilers and flags.

The output of run-canaries is, for each compiler / flag / canary
combination, a bit that tells us whether that compiler has been
observed to exploit that particular UB (in other words, whether it has
been observed violating the expectation). So here, for example, clang
has been seen to exploit signed integer overflows and uninitialized
variables, but not signed left shifts:

clang -O3 signed-left-shift 0
clang -O3 signed-integer-overflow 1
clang -O3 uninitialized-variable 1

-------------------------------------------------------------------------------

Guidelines for writing tests:

- Each test program should be entirely contained (except for standard header
  files) in a single compilation unit.

- An expectation should only be tested by looking at a program's stdout, never
  by looking at its assembly code or observing its memory usage or execution
  time.

- A test program foo.c may have one or more outputs corresponding to the
  "expected" case where the compiler does not exploit that UB. If there is one
  such file it should be called foo.output. If there are multiple files they
  should be called foo.output1, foo.output2, etc. If the actual output does not
  match any of these files, the compiler is assumed to have exploited the UB.

- Every test program must test only a single UB. In other words, each test
  program is written in a dialect of C that is completely standard except that a
  single behavior (signed integer overflow or whatever) is actually defined
  instead of undefined.

- Reliance on implementation-defined behavior is unavoidable, but please avoid
  gratuitous reliance such as assuming a particular size for int or long. It is
  OK to use the fixed-width types such as int32_t.

- A tricky issue to how much to expose to the optimizer and how much to hide.
  There are no particular good rules of thumb that I am aware of, you just have
  to try different things.

- An easier issue is *how* to hide from the optimizer. I suggest introducing a
  dependency on argc or on the value loaded from a volatile. Tests may assume
  that argc == 1.

-------------------------------------------------------------------------------
You might also like...
Rampin - Try to make Windows preload files into RAM by memory mapping and touching them.

rampin A small C program to try keep a file or few in Windows RAM cache. For a Unix (not only Linux) alternative see vmtouch. Takes one or more filena

Learn how to connect your Flexispot (LoctekMotion) desk to the internet. This repository contains a collection of scripts to get your started, combined with research and instructions.
Learn how to connect your Flexispot (LoctekMotion) desk to the internet. This repository contains a collection of scripts to get your started, combined with research and instructions.

(image source: Windows Central) Turn your LoctekMotion/FlexiSpot desk into a smart desk Recently I acquired a new standing desk from FlexiSpot. During

Demo exploit code for CVE-2020-27904, a tfp0 bug.

xattr-oob-swap CVE-2020-27904: a tfp0 bug for macOS 10.15.x and below. Demo exploit code for my talk at BlackHat ASIA 2021. The vulnerability has been

Exploit to SYSTEM for CVE-2021-21551
Exploit to SYSTEM for CVE-2021-21551

CVE-2021-21551 Exploit to SYSTEM for CVE-2021-21551 SpoolPrinter Privesc using SeImpersonatePrivileges was made thanks to

a reliable C based exploit for CVE-2021-3560.

CVE-2021-3560 a reliable C based exploit for CVE-2021-3560. Summary: Yestreday i stumbled upon this blog post by Kevin Backhouse (discovered this vuln

Exploit allowing you to read registry hives as non-admin on Windows 10 and 11
Exploit allowing you to read registry hives as non-admin on Windows 10 and 11

HiveNightmare aka SeriousSam, or now CVE-2021–36934. Exploit allowing you to read any registry hives as non-admin. What is this? An zero day exploit f

This is an exploit for an uninitialized free in nvme:nvme_map_prp()

scavenger This is an exploit for an uninitialized free in nvme:nvme_map_prp(). For more information, see the writeup the slides for the talk in Blackh

Mario Kart 7 semi-primary exploit for the Nintendo 3DS.
Mario Kart 7 semi-primary exploit for the Nintendo 3DS.

kartdlphax kartdlphax is a semiprimary exploit for the download play mode of Mario Kart 7. It can be used to run an userland payload in an unmodified

🎻 Automatic Exploit Generation using symbolic execution

S2E Library This repository contains all the necessary components to build libs2e.so. This shared library is preloaded in QEMU to enable symbolic exec

Comments
  • Canary for &foo->bar when foo is NULL

    Canary for &foo->bar when foo is NULL

    This is probably my "favorite" instance of UB. I tend to find programs doing this either as a replacement for offsetof (for whatever reason) or just because it's computing some addresses before determining whether the base is NULL or not. I haven't caught clang or gcc exploiting this one yet, but I wouldn't be surprised if it did.

    opened by bmastenbrook 4
  • *(volatile t *)&local = …; is argued by some to be unreliable, should be a canary

    *(volatile t *)&local = …; is argued by some to be unreliable, should be a canary

    Here is a POC program:

    #include <string.h>
    
    #define L 20
    
    void decrypt(unsigned char * plaintext, unsigned char * ciphertext) {
      unsigned char w[L];
      memcpy(w, ciphertext, L);
      for (int i = 0; i < L; i++) w[i] = w[i] ^ 17;
      for (int i = 1; i < L; i++) w[i] = w[i] + w[i-1];
      memcpy(plaintext, w, L);
    
      /* now for the cleanup: */
      for (int i = 0; i < L; i++) ((volatile unsigned char *)w)[i] = 0x07;
    }
    

    For my version of Clang, I can detect that the cleanup was preserved thus:

    ~ $ clang -S -O  -Wall t.c && cat t.s | grep \$7
        movb    $7, -32(%rbp)
        movb    $7, -31(%rbp)
        movb    $7, -30(%rbp)
        movb    $7, -29(%rbp)
        movb    $7, -28(%rbp)
        movb    $7, -27(%rbp)
        movb    $7, -26(%rbp)
        movb    $7, -25(%rbp)
        movb    $7, -24(%rbp)
        movb    $7, -23(%rbp)
        movb    $7, -22(%rbp)
        movb    $7, -21(%rbp)
        movb    $7, -20(%rbp)
        movb    $7, -19(%rbp)
        movb    $7, -18(%rbp)
        movb    $7, -17(%rbp)
        movb    $7, -16(%rbp)
        movb    $7, -15(%rbp)
        movb    $7, -14(%rbp)
        movb    $7, -13(%rbp)
    ~ $ clang -v
    Apple LLVM version 5.1 (clang-503.0.40) (based on LLVM 3.4svn)
    Target: x86_64-apple-darwin13.4.0
    Thread model: posix
    

    And the same oracle works for an oldish version of GCC:

    $ gcc -std=c99 -S -O  -Wall t.c && cat t.s | grep \$7
        movb    $7, (%rax)
    $ gcc -v
    Using built-in specs.
    COLLECT_GCC=gcc
    COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.8/lto-wrapper
    Target: x86_64-linux-gnu
    Configured with: ../src/configure -v --with-pkgversion='Ubuntu 4.8.4-2ubuntu1~14.04' --with-bugurl=file:///usr/share/doc/gcc-4.8/README.Bugs --enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.8 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.8 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --disable-libmudflap --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.8-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
    Thread model: posix
    gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04) 
    
    opened by pascal-cuoq 9
  • Sequencing UB

    Sequencing UB

    May need some modification of the expected output. It's extremely hard to reason about what someone would actually expect these programs to do.

    Signed-off-by: Scotty Bauer [email protected]

    opened by ScottyBauer 1
Owner
John Regehr
CS professor at the University of Utah
John Regehr
Some hypervisor research notes. There is also a useful exploit template that you can use to verify / falsify any assumptions you may make while auditing code, and for exploit development.

Introduction Over the past few weeks, I've been doing some hypervisor research here and there, with most of my focus being on PCI device emulation cod

Faith 127 Sep 14, 2022
MiniDumpWriteDump behavior modification hook

MiniDumpWriteDumpPoC MiniDumpWriteDump behavior modification hook Read the full article in our blog: Adepts Of 0xCC: Hooks On Hoot Off This is a funct

Adepts of 0xCC 49 Jul 12, 2022
Comprehensive Hashing Library for C++ Compilers.

HashLib4CPP HashLib4CPP is a C++11 library that provides an easy to use interface for computing hashes and checksums of strings, files, streams, bytea

Telepati 24 Jan 2, 2022
Set of examples how to use CLion with various unsupported compilers using Custom Defined Compiler feature

About This repository contains: Set of examples how to use CLion with various unsupported compilers using Custom Defined Compiler feature Public set o

JetBrains 35 Sep 6, 2022
GraphicsFuzz provides tools for automatically finding and simplifying bugs in graphics drivers, specifically graphics shader compilers.

GraphicsFuzz GraphicsFuzz is a set of tools for testing shader compilers GraphicsFuzz provides tools for automatically finding and simplifying bugs in

Google 502 Sep 9, 2022
Shader Playground is a website for exploring shader compilers.

Shader Playground is a website for exploring shader compilers. Visit website Supported backends Compilers ANGLE Clspv DXC FXC Glslan

Tim Jones 433 Sep 16, 2022
A collection of Simple C Programs.

C Practice A collection of Simple C Programs. NOTE: Work in progress! List of programs Basic Hello World Print an Integer Add Two Integers Find ASCII

TORPEDO 1 Mar 26, 2022
a work in progress try to make an IDE with the CSFML

EatSleepCode A work in progress for educational purpose. To help better understanding the CSFML lib. Installation clone this repo and do make Use case

Saverio 2 Jul 9, 2022
Another try to re-create Project Astoria , or some bridge between A and W...

Bridge 1.0.10.0 Forked from: https://github.com/DroidOnUWP/Bridge Abstract Another "Project Astoria" remake (UWP) Original status: Forgotten (?) My ac

Media Explorer 5 Sep 10, 2022
This program try to recreate bash --posix comportement in certain limite

minishell : petitcoquillage This program try to recreate bash --posix comportement in certain limite Execution : To execute this Program you have to b

null 62 Sep 13, 2022