Integrate Icicle into fuzzware

icicle-emu · Nov 10, 2022 · 05307bf · 05307bf
1 parent 075dbb5
commit 05307bf
Show file tree

Hide file tree

Showing 41 changed files with 4,264 additions and 252 deletions.
diff --git a/.gitmodules b/.gitmodules
@@ -1,3 +1,3 @@
 [submodule "unicorn/fuzzware-unicorn"]
 	path = unicorn/fuzzware-unicorn
-	url = ../unicorn
+	url = https://github.com/fuzzware-fuzzer/unicorn
diff --git a/harness/fuzzware_harness/__init__.py b/harness/fuzzware_harness/__init__.py
@@ -0,0 +1,3 @@
+def main():
+    from fuzzware_harness import harness
+    harness.main()
diff --git a/harness/fuzzware_harness/harness.py b/harness/fuzzware_harness/harness.py
@@ -4,7 +4,8 @@
 import sys
 import logging
 
-from unicorn import (UC_ARCH_ARM, UC_MODE_MCLASS, UC_MODE_THUMB, Uc)
+from icicle import Uc
+from unicorn import (UC_ARCH_ARM, UC_MODE_MCLASS, UC_MODE_THUMB)
 from unicorn.arm_const import UC_ARM_REG_PC, UC_ARM_REG_SP
 
 from . import globs, interrupt_triggers, native, timer, user_hooks
@@ -18,6 +19,7 @@
                    parse_symbols, resolve_region_file_paths)
 
 logger = logging.getLogger("emulator")
+logging.basicConfig(level=logging.DEBUG)
 
 def unicorn_trace_syms(uc, address, size=0, user_data=None):
     if address in uc.syms_by_addr:
@@ -51,8 +53,11 @@ def configure_unicorn(args):
         logger.error("Memory Configuration must be in config file")
         sys.exit(1)
 
+    # Icicle doesn't currently handle shadow stacks for context switches
+    disable_shadow_stack = any('Soldering_Iron' in region['file'] for rname, region in config['memory_map'].items() if 'file' in region)
+
     # Create the unicorn
-    uc = Uc(UC_ARCH_ARM, UC_MODE_THUMB | UC_MODE_MCLASS)
+    uc = Uc(UC_ARCH_ARM, UC_MODE_THUMB | UC_MODE_MCLASS, disable_shadow_stack)
 
     uc.symbols, uc.syms_by_addr = parse_symbols(config)
 
@@ -61,6 +66,10 @@ def configure_unicorn(args):
     entry_image_base = None
     resolve_region_file_paths(args.config, config)
 
+    debug_info = config.get("debug_info")
+    if debug_info:
+        uc.set_debug_file(debug_info)
+
     # Entry region recovery
     file_backed_regions = {rname: region for rname, region in config['memory_map'].items() if 'file' in region}
     num_entry_regions = [region.get('is_entry', False) is True for region in file_backed_regions.values()].count(True)
@@ -99,7 +108,7 @@ def configure_unicorn(args):
                 sys.exit(1)
 
         start, size = parse_address_value(uc.symbols, region['base_addr']), region['size']
-        logger.debug(f"Mapping region {str(rname)} at {hex(size)}, perms: {int(prot)}")
+        logger.debug(f"Mapping region {str(rname)} at {hex(start)} (size: {hex(size)}), perms: {int(prot)}")
 
         if size & (globs.PAGE_SIZE-1) != 0:
             logger.warning(f"Size 0x{size:x} of region '{rname}' not page aligned. Aligning to next page boundary size.")
@@ -374,7 +383,7 @@ def main():
     if any(debug_flags):
         args.debug = True
 
-    globs.debug_enabled = args.debug
+    globs.debug_enabled = True
 
     uc = configure_unicorn(args)
     globs.uc = uc

diff --git a/harness/fuzzware_harness/mmio_models/passthrough.py b/harness/fuzzware_harness/mmio_models/passthrough.py
@@ -10,7 +10,7 @@ def register_passthrough_handlers(uc, addrs, pcs, vals):
 
         ensure_rw_mapped(uc, address, address)
 
-    set_ignored_mmio_addresses(addrs, pcs)
+    set_ignored_mmio_addresses(uc, addrs, pcs)
 
 def parse_passthrough_handlers(symbols, declarations):
     addrs = []

diff --git a/harness/fuzzware_harness/native.py b/harness/fuzzware_harness/native.py
diff --git a/harness/fuzzware_harness/native/Makefile b/harness/fuzzware_harness/native/Makefile
@@ -2,12 +2,13 @@ OWN_DIR := $(dir $(realpath $(firstword $(MAKEFILE_LIST))))
 UC_DIRNAME := fuzzware-unicorn
 
 LIBDIR = $(OWN_DIR)/../../../unicorn/$(UC_DIRNAME)/
-INC=-I$(OWN_DIR)/../../../unicorn/$(UC_DIRNAME)/include
+# INC=-I$(OWN_DIR)/../../../unicorn/$(UC_DIRNAME)/include
+INC=
 BIN_EXT = .so
 
 CC = clang
 CFLAGS += -fpic -Wall -Werror $(INC) -g -O3
-LDFLAGS += -shared -L$(LIBDIR) -lunicorn
+LDFLAGS += -shared
 
 .PHONY: all clean
 

diff --git a/harness/fuzzware_harness/native/arm.h b/harness/fuzzware_harness/native/arm.h
@@ -0,0 +1,165 @@
+/* Unicorn Engine */
+/* By Nguyen Anh Quynh <aquynh@gmail.com>, 2015-2017 */
+/* This file is released under LGPL2.
+   See COPYING.LGPL2 in root directory for more details
+*/
+
+#ifndef UNICORN_ARM_H
+#define UNICORN_ARM_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifdef _MSC_VER
+#pragma warning(disable:4201)
+#endif
+
+//> ARM registers
+typedef enum uc_arm_reg {
+    UC_ARM_REG_INVALID = 0,
+    UC_ARM_REG_APSR,
+    UC_ARM_REG_APSR_NZCV,
+    UC_ARM_REG_CPSR,
+    UC_ARM_REG_FPEXC,
+    UC_ARM_REG_FPINST,
+    UC_ARM_REG_FPSCR,
+    UC_ARM_REG_FPSCR_NZCV,
+    UC_ARM_REG_FPSID,
+    UC_ARM_REG_ITSTATE,
+    UC_ARM_REG_LR,
+    UC_ARM_REG_PC,
+    UC_ARM_REG_SP,
+    UC_ARM_REG_SPSR,
+    UC_ARM_REG_D0,
+    UC_ARM_REG_D1,
+    UC_ARM_REG_D2,
+    UC_ARM_REG_D3,
+    UC_ARM_REG_D4,
+    UC_ARM_REG_D5,
+    UC_ARM_REG_D6,
+    UC_ARM_REG_D7,
+    UC_ARM_REG_D8,
+    UC_ARM_REG_D9,
+    UC_ARM_REG_D10,
+    UC_ARM_REG_D11,
+    UC_ARM_REG_D12,
+    UC_ARM_REG_D13,
+    UC_ARM_REG_D14,
+    UC_ARM_REG_D15,
+    UC_ARM_REG_D16,
+    UC_ARM_REG_D17,
+    UC_ARM_REG_D18,
+    UC_ARM_REG_D19,
+    UC_ARM_REG_D20,
+    UC_ARM_REG_D21,
+    UC_ARM_REG_D22,
+    UC_ARM_REG_D23,
+    UC_ARM_REG_D24,
+    UC_ARM_REG_D25,
+    UC_ARM_REG_D26,
+    UC_ARM_REG_D27,
+    UC_ARM_REG_D28,
+    UC_ARM_REG_D29,
+    UC_ARM_REG_D30,
+    UC_ARM_REG_D31,
+    UC_ARM_REG_FPINST2,
+    UC_ARM_REG_MVFR0,
+    UC_ARM_REG_MVFR1,
+    UC_ARM_REG_MVFR2,
+    UC_ARM_REG_Q0,
+    UC_ARM_REG_Q1,
+    UC_ARM_REG_Q2,
+    UC_ARM_REG_Q3,
+    UC_ARM_REG_Q4,
+    UC_ARM_REG_Q5,
+    UC_ARM_REG_Q6,
+    UC_ARM_REG_Q7,
+    UC_ARM_REG_Q8,
+    UC_ARM_REG_Q9,
+    UC_ARM_REG_Q10,
+    UC_ARM_REG_Q11,
+    UC_ARM_REG_Q12,
+    UC_ARM_REG_Q13,
+    UC_ARM_REG_Q14,
+    UC_ARM_REG_Q15,
+    UC_ARM_REG_R0,
+    UC_ARM_REG_R1,
+    UC_ARM_REG_R2,
+    UC_ARM_REG_R3,
+    UC_ARM_REG_R4,
+    UC_ARM_REG_R5,
+    UC_ARM_REG_R6,
+    UC_ARM_REG_R7,
+    UC_ARM_REG_R8,
+    UC_ARM_REG_R9,
+    UC_ARM_REG_R10,
+    UC_ARM_REG_R11,
+    UC_ARM_REG_R12,
+    UC_ARM_REG_S0,
+    UC_ARM_REG_S1,
+    UC_ARM_REG_S2,
+    UC_ARM_REG_S3,
+    UC_ARM_REG_S4,
+    UC_ARM_REG_S5,
+    UC_ARM_REG_S6,
+    UC_ARM_REG_S7,
+    UC_ARM_REG_S8,
+    UC_ARM_REG_S9,
+    UC_ARM_REG_S10,
+    UC_ARM_REG_S11,
+    UC_ARM_REG_S12,
+    UC_ARM_REG_S13,
+    UC_ARM_REG_S14,
+    UC_ARM_REG_S15,
+    UC_ARM_REG_S16,
+    UC_ARM_REG_S17,
+    UC_ARM_REG_S18,
+    UC_ARM_REG_S19,
+    UC_ARM_REG_S20,
+    UC_ARM_REG_S21,
+    UC_ARM_REG_S22,
+    UC_ARM_REG_S23,
+    UC_ARM_REG_S24,
+    UC_ARM_REG_S25,
+    UC_ARM_REG_S26,
+    UC_ARM_REG_S27,
+    UC_ARM_REG_S28,
+    UC_ARM_REG_S29,
+    UC_ARM_REG_S30,
+    UC_ARM_REG_S31,
+
+    UC_ARM_REG_C1_C0_2,
+    UC_ARM_REG_C13_C0_2,
+    UC_ARM_REG_C13_C0_3,
+
+    UC_ARM_REG_IPSR,
+    UC_ARM_REG_MSP,
+    UC_ARM_REG_PSP,
+    UC_ARM_REG_CONTROL,
+
+    // Fuzzware registers
+    UC_ARM_REG_XPSR,
+    UC_ARM_REG_OTHER_SP,
+    UC_ARM_REG_CURR_SP_MODE_IS_PSP,
+    UC_ARM_REG_SPSEL,
+    UC_ARM_REG_BASEPRI,
+    UC_ARM_REG_PRIMASK,
+    UC_ARM_REG_ENDING,		// <-- mark the end of the list or registers
+
+    //> alias registers
+    UC_ARM_REG_R13 = UC_ARM_REG_SP,
+    UC_ARM_REG_R14 = UC_ARM_REG_LR,
+    UC_ARM_REG_R15 = UC_ARM_REG_PC,
+
+    UC_ARM_REG_SB = UC_ARM_REG_R9,
+    UC_ARM_REG_SL = UC_ARM_REG_R10,
+    UC_ARM_REG_FP = UC_ARM_REG_R11,
+    UC_ARM_REG_IP = UC_ARM_REG_R12,
+} uc_arm_reg;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif