Sanitizers
Sanitizer is an umbrella term for any instrumentation strategy that enforces more rigorous checks on the executing code. If one of these checks fails at runtime, the sanitizer can deliberately crash the process, thus notifying the fuzzer that a potentially vulnerable path has just been discovered.
The memory sanitizer is activated by passing the --sanitize memory option to efi_fuzz.py.
It is mainly responsible for:
- Enabling the sanitized heap offered by Qiling. The sanitized heap augments the standard heap with hooks to detect:
  - Pool overflows/underflows
  - Out-of-bounds reads
  - Use-after-free bugs
  - Double frees
- Replacing emulated memory services such as CopyMem() or SetMem() with their corresponding assembly versions.
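To make the heap checks above concrete, here is an added model (not efi_fuzz's or Qiling's own code) of how a sanitized heap classifies accesses: each pool chunk is placed between two inaccessible redzones and its live/freed state is tracked, so a read or write at any address can be reported as an overflow, underflow, out-of-bounds access or use-after-free, and a free can be reported as a double free. The bump allocator, the 16-byte redzone and the base address are assumptions of this model.

```python
from dataclasses import dataclass

REDZONE = 16  # bytes of poisoned guard memory placed on each side of a chunk

@dataclass
class Chunk:
    start: int          # first usable byte of the allocation
    size: int           # size requested via AllocatePool()
    live: bool = True   # False once the chunk has been freed

class SanitizedHeap:
    def __init__(self, base=0x1000_0000):
        self.cursor = base   # next free address (constructed, arbitrary base)
        self.chunks = []

    def allocate_pool(self, size):
        # Surround the usable bytes with a leading and a trailing redzone.
        start = self.cursor + REDZONE
        self.chunks.append(Chunk(start, size))
        self.cursor = start + size + REDZONE
        return start

    def free_pool(self, addr):
        chunk = self._find(addr)
        if chunk is None or chunk.start != addr:
            return "invalid-free"       # pointer is not a chunk start
        if not chunk.live:
            return "double-free"
        chunk.live = False              # keep the chunk poisoned, never reuse it
        return "ok"

    def check_access(self, addr, length):
        """Classify one emulated read/write the way a sanitizer hook would."""
        chunk = self._find(addr)
        if chunk is None:
            return "out-of-bounds"      # not inside any chunk or its redzones
        if addr < chunk.start:
            return "pool-underflow"     # touches the leading redzone
        if addr + length > chunk.start + chunk.size:
            return "pool-overflow"      # runs into the trailing redzone
        if not chunk.live:
            return "use-after-free"
        return "ok"

    def _find(self, addr):
        # Return the chunk whose footprint (including both redzones) covers addr.
        for c in self.chunks:
            if c.start - REDZONE <= addr < c.start + c.size + REDZONE:
                return c
        return None
```

In the real sanitizer the equivalent of check_access runs inside Qiling's memory hooks and a non-"ok" result ends the emulation with a crash that the fuzzer records.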
The SMM sanitizer is activated by passing the --sanitize smm option to efi_fuzz.py.
It works by marking all boot services and runtime services as inaccessible prior to dispatching the SMI handlers. As such, any SMI handler which tries to call a boot/runtime service from SMM will be flagged as vulnerable to SMM Callout attacks.