Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

qemu.protocols.execution should not be shutted down for ShannonEMU #28

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

qemu.protocols.execution should not be shutted down for ShannonEMU #28

wants to merge 1 commit into from

Conversation

Mem2019
Copy link

@Mem2019 Mem2019 commented Mar 8, 2023

ShannonEMU also requires breakpoint here.

FirmWire/firmwire/vendor/shannon/machine.py

Line 827 in 490163e

self.set_breakpoint(

If qemu.protocols.execution is stopped, the execution will hang at breakpoint forever. This solves issue #26.

@mariusmue
Copy link
Contributor

Hi,

The protocols are only shut down when going into fuzzing mode for Shannon. This is a conscious design decision for performance, the idea is that one would either:
a) create snapshots after the required breakpoints for boot.
b) Use panda hooks.

However, I can see how this can turn problematic. Possibly you can adjust the pull request to add a --keep-breakpoints-enabled flag which under fuzzing mode does not shutdown the execution protocol.

@mariusmue mariusmue mentioned this pull request Mar 8, 2023
Open
@Mem2019
Copy link
Author

Mem2019 commented Mar 8, 2023

Hi,

The protocols are only shut down when going into fuzzing mode for Shannon. This is a conscious design decision for performance, the idea is that one would either: a) create snapshots after the required breakpoints for boot. b) Use panda hooks.

However, I can see how this can turn problematic. Possibly you can adjust the pull request to add a --keep-breakpoints-enabled flag which under fuzzing mode does not shutdown the execution protocol.

I have tried to fix it in this way. Please take a look. :)

@grant-h
Copy link
Contributor

grant-h commented Mar 10, 2023
edited
Loading

I don't think this solution will work if breakpoints are expected to work after AFL takes over. When AFL forks, by nature of the fork syscall, all threads except for the calling thread will be shutdown. Since Avatar uses a separate Python thread to read and process GDB events and commands, the breakpoint will never bubble its way back to the caller. But in the case where you are running in fuzzing mode and expect breakpoints to be hit before the forkserver has started, then this solution will work.

Instead of adding another flag to the command line, maybe it would be best to measure if there is any noticeable performance impact of fuzzing with or without this protocol being shutdown. If there isn't an impact, then we can remove the shutdown call entirely. Given that the GDB avatar thread should no longer exist, but the GDB server may still exist, it is unclear what will happen in this case.

@Mem2019
Copy link
Author

Mem2019 commented Mar 10, 2023

I don't think this solution will work if breakpoints are expected to work after AFL takes over. When AFL forks, by nature of the fork syscall, all threads except for the calling thread will be shutdown. Since Avatar uses a separate Python thread to read and process GDB events and commands, the breakpoint will never bubble its way back to the caller.

I agree. However, it seems that Avatar2 always works by creating multiple threads, so this problem could be hard to solve if we have to use Avatar2 breakpoint.

@icryo icryo mentioned this pull request May 13, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Mem2019 @mariusmue @grant-h