WIP: QEMU exit handler

Open rmalmain opened this issue 2 years ago • 2 comments

Proposal to add a standardized exit handler when going out of QEMU. For now, it works for breakpoints and sync exit commands. It should work correctly with usermode and systemmode examples (at least it works on my side). Some parts are adapted to "just work" for now. It still requires some polishing to be mergeable. Andrea proposed using backdoors for some commands when possible. I'll think of how it could be cleanly integrated. A snapshot management trait has also been added.

The patch also includes a few fixes and crate updates. Two new examples have been added to illustrate this new mechanism (qemu_systemmode_breakpoints and qemu_systemmode_sync_exit). A new exit reason has been added to know if the exit was initiated by QEMU internally (e.g. guest crash, signal received, etc.).

rmalmain, Dec 20 '23 18:12

If this is still WIP it should probably be a draft PR?

domenukk, Jan 01 '24 17:01

The PR is getting closer to something we could merge. There are still some issues I need to address before:

  • [x] Find a solution to get QEMU hooks generically from the harness (for now the solution is quite dirty).
  • [ ] Cleanup

rmalmain, Jan 24 '24 08:01

The PR is now in a reviewable state. What has been changed since the last comment:

  • Most of (all?) the extern declarations have been moved to libafl_qemu_sys
  • Now, Emulator has been split into 2 parts: Qemu (low-level struct with all the calls to export C functions) and Emulator (high-level abstraction of Qemu with most of the things being automated). I believe we should rename Emulator to something more explicit.
  • I removed the bound for IsEmuExitHandler in most places where it was irrelevant, thanks to the above split.
  • I included the changes on QemuExecutor to remove the old dirty generic casts that could make the high-level abstraction crash.
  • Emulator is allowed to be Clone in a lightweight way thanks to some unsafe trick. With the new implementation, this may be useless now. I have to think about it.
  • More stuff I probably forgot

Sorry for the huge PR; things were quite intricate, which made it hard to split into smaller PRs.

rmalmain, Mar 13 '24 19:03
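To make the design discussed in this thread concrete (a standardized exit handler fed by breakpoints, sync exit commands and QEMU-internal exits such as a guest crash; a snapshot management trait; and the split between a low-level wrapper around the emulator and a higher-level driver), here is an added illustration in Rust. It is not LibAFL code and does not use the libafl_qemu API: MockQemu, ExitReason, ExitOutcome, SnapshotManager, MemSnapshots, ExitHandler, DefaultExitHandler, Emulator, run_guest and the command numbers CMD_START/CMD_END are all hypothetical stand-ins, and the guest programs are constructed byte strings for a toy instruction set.

```rust
use std::collections::HashMap;

/// Why the guest stopped. `Internal` covers exits QEMU initiates on its own
/// (guest crash, signal, ...) rather than harness-driven breakpoints and sync exits.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ExitReason { Breakpoint(u64), SyncExit(u8), Internal(String) }
/// What the harness does once the exit handler has run.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ExitOutcome { Continue, InputDone, Crash(String) }
// Hypothetical sync-exit command numbers understood by the handler below.
pub const CMD_START: u8 = 0x10;
pub const CMD_END: u8 = 0x11;

/// Low-level layer: raw emulator state/operations only, the role of a thin wrapper
/// around exported C functions. It knows nothing about exit handlers.
pub struct MockQemu { pub pc: u64, pub mem: Vec<u8>, pub breakpoints: Vec<u64> }
impl MockQemu {
    /// Toy ISA: 0x00 = nop, 0x01 <cmd> = sync exit, anything else (including running
    /// off the end of memory) faults. Runs until the guest stops and reports why.
    pub fn run(&mut self) -> ExitReason {
        loop {
            match self.mem.get(self.pc as usize).copied().unwrap_or(0xFF) {
                0x00 => self.pc += 1,
                0x01 => {
                    let cmd = self.mem.get(self.pc as usize + 1).copied().unwrap_or(0xFF);
                    self.pc += 2;
                    return ExitReason::SyncExit(cmd);
                }
                op => return ExitReason::Internal(format!("illegal insn {op:#04x} at {:#x}", self.pc)),
            }
            // Stop before executing a breakpointed address, so resuming makes progress.
            if self.breakpoints.contains(&self.pc) {
                return ExitReason::Breakpoint(self.pc);
            }
        }
    }
}

/// Snapshot management behind a trait: the handler saves/restores without knowing the storage.
pub trait SnapshotManager {
    fn save(&mut self, qemu: &MockQemu, name: &str);
    fn restore(&mut self, qemu: &mut MockQemu, name: &str) -> bool;
}
#[derive(Default)]
pub struct MemSnapshots { slots: HashMap<String, (u64, Vec<u8>)> }
impl SnapshotManager for MemSnapshots {
    fn save(&mut self, qemu: &MockQemu, name: &str) {
        self.slots.insert(name.to_string(), (qemu.pc, qemu.mem.clone()));
    }
    fn restore(&mut self, qemu: &mut MockQemu, name: &str) -> bool {
        match self.slots.get(name) {
            Some((pc, mem)) => { qemu.pc = *pc; qemu.mem = mem.clone(); true }
            None => false,
        }
    }
}

/// The standardized exit handler: one place that turns every exit reason into a decision.
/// Default policy: START snapshots, END finishes the input, breakpoints are logged and
/// resumed, and anything QEMU-internal (crash, signal) is reported as a crash.
pub trait ExitHandler {
    fn handle(&mut self, qemu: &mut MockQemu, snaps: &mut dyn SnapshotManager, why: ExitReason) -> ExitOutcome;
}
#[derive(Default)]
pub struct DefaultExitHandler { pub breakpoint_hits: Vec<u64> }
impl ExitHandler for DefaultExitHandler {
    fn handle(&mut self, qemu: &mut MockQemu, snaps: &mut dyn SnapshotManager, why: ExitReason) -> ExitOutcome {
        match why {
            ExitReason::SyncExit(CMD_START) => { snaps.save(qemu, "start"); ExitOutcome::Continue }
            ExitReason::SyncExit(CMD_END) => ExitOutcome::InputDone,
            ExitReason::SyncExit(cmd) => ExitOutcome::Crash(format!("unknown sync command {cmd:#04x}")),
            ExitReason::Breakpoint(addr) => { self.breakpoint_hits.push(addr); ExitOutcome::Continue }
            ExitReason::Internal(msg) => ExitOutcome::Crash(msg),
        }
    }
}

/// High-level layer: owns emulator, handler and snapshots and drives run -> exit -> handle.
pub struct Emulator<H: ExitHandler, S: SnapshotManager> { pub qemu: MockQemu, pub handler: H, pub snaps: S }
impl<H: ExitHandler, S: SnapshotManager> Emulator<H, S> {
    /// One fuzzing iteration: restore the start state if one exists, then run until
    /// the handler reports the input done or a crash.
    pub fn run_iteration(&mut self) -> ExitOutcome {
        let _ = self.snaps.restore(&mut self.qemu, "start");
        loop {
            let why = self.qemu.run();
            match self.handler.handle(&mut self.qemu, &mut self.snaps, why) {
                ExitOutcome::Continue => {}
                done => return done,
            }
        }
    }
}

/// Runs a constructed guest for `iterations` rounds; returns the outcomes and breakpoint hits.
pub fn run_guest(program: Vec<u8>, breakpoints: &[u64], iterations: usize) -> (Vec<ExitOutcome>, Vec<u64>) {
    let qemu = MockQemu { pc: 0, mem: program, breakpoints: breakpoints.to_vec() };
    let mut emu = Emulator { qemu, handler: DefaultExitHandler::default(), snaps: MemSnapshots::default() };
    let outcomes: Vec<ExitOutcome> = (0..iterations).map(|_| emu.run_iteration()).collect();
    (outcomes, emu.handler.breakpoint_hits)
}
```

Calling `run_guest(vec![0x01, CMD_START, 0x00, 0x00, 0x01, CMD_END, 0xFF], &[3], 2)` runs a constructed guest (START sync exit, two nops with a breakpoint on the second, END sync exit, then an unreached illegal byte) for two iterations and returns `(vec![InputDone, InputDone], vec![3, 3])`: the second iteration starts from the snapshot taken at the START command rather than from pc 0, which is the usual save/restore shape of a snapshot fuzzing loop. A guest such as `vec![0x01, CMD_START, 0xFF]` hits the illegal instruction after START, which surfaces as an `Internal` exit and is turned into `Crash` by the handler; that is the role of the extra exit reason for QEMU-initiated exits mentioned in the PR description. Note that the low-level `MockQemu` only reports why it stopped; all policy lives in `ExitHandler`, which is what keeps the high-level driver free of per-exit special cases.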