sandsifter
trapcc
| | sandsifter | trapcc |
|---|---|---|
| Mentions | 15 | 9 |
| Stars | 4,826 | 1,241 |
| Growth | - | - |
| Activity | 0.0 | 0.0 |
| Latest commit | 2 months ago | about 11 years ago |
| Language | Python | C |
| License | BSD 3-clause "New" or "Revised" License | BSD 3-clause "New" or "Revised" License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sandsifter
- Cascade: CPU Fuzzing via Intricate Program Generation
- Sandsifter: The x86 Processor Fuzzer
- How would undocumented, private ISA extensions work in Linux-based systems?
- I found a bug in Intel Skylake processors
- Is there any opensource switch brand?
This has some background.
- Clever Hack Finds Mystery CPU Instructions
- Sandsifter – The x86 Processor Fuzzer
- The Cursed Computer Iceberg Meme
sandsifter
- Speculating the Entire x86-64 Instruction Set in Seconds with One Weird Trick
This is a really clever technique! I was impressed by sandsifter[1] when it originally came out, and this seems an awful lot faster and less prone to false negatives (since it's purely speculative and doesn't require sandsifter's `#PF` hack).
At the risk of unwarranted self-promotion: the other side of this equation is fidelity in software instruction set decoders. x86's massive size and layers of historical complexity make it among the most difficult instruction formats to accurately decode; I've spent a good part of the last two years working on a fuzzer that's discovered thousands of bugs in various popular x86 decoders[2][3].
[1]: https://github.com/xoreaxeaxeax/sandsifter
[2]: https://github.com/trailofbits/mishegos
[3]: https://ww.easychair.org/publications/preprint_download/1LHr
- Capstone Disassembler Framework
Idea:
If any assembler/disassembler author/team out there wants to produce an assembler/disassembler which is authoritative (difficult to do on x86, because there are so many different possible combinations of instruction encoding, https://github.com/xoreaxeaxeax/sandsifter : "Typically, several million undocumented instructions on your processor will be found, but these generally fall into a small number of different groups.") -- then what they'd do is to create a third program -- which "pits" the output of Assembler A vs. Assembler B, Disassembler A vs. Disassembler B...
That is, between any two assemblers (for the same CPU architecture/instruction set), or any two disassemblers, where are the anomalies?
If we think about an assembler as a simple function, y=f(x), that is, I give it a string of ascii bytes as input (x), and I get a string (1..n) binary bytes as output (y),
trapcc
- trapcc - computing with traps
- Subtraction Is Functionally Complete
A variation of this has been done using Intel MMU fault handling. Behold: https://github.com/jbangert/trapcc
This is a proof by construction that the Intel MMU's fault handling mechanism is Turing complete. We have constructed an assembler that translates 'Move, Branch if Zero, Decrement' instructions to C source that sets up various processor control tables. After this code has executed, the CPU computes by attempting to fault without ever executing a single instruction. Optionally, the assembler can also generate X86 instructions that will display variables in the VGA frame buffer and will cause control to be transferred between the native (display) instructions and 'weird machine' trap instructions.
- Building Processors from the Ground Up
This thread is about hacking something up and not building a product.
For example, imagine somebody shares the "one instruction set computer" (https://en.wikipedia.org/wiki/One-instruction_set_computer) project or the x86 MMU being Turing complete (https://github.com/jbangert/trapcc). Both are clearly just interesting hacks (which may have some interesting implications about security and what it means to be "code", etc.) and certainly are not intended to be practical products.
- x86 is Turing-complete with no registers
fwiw, linked to from the article:
> As others have shown, we can compute using alphanumeric machine code[1] or English sentences[2], using only the mov instruction[3], or using the MMU[4] as it handles a never-ending double-fault. Here is my contribution to this genre of Turing tarpit: x86 is Turing-complete with no registers.
[1] http://www.phrack.org/issues.html?issue=57&id=15#article
[2] http://www.cs.jhu.edu/~sam/ccs243-mason.pdf
[3] http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf
[4] https://github.com/jbangert/trapcc
- Trapcc – Computing with Traps
- Insane x86 Turing Machine that does not run any x86 instructions
I think trapcc is what you're thinking about maybe?
- So, what's your favourite programming language?
MMU gang.
- The Cursed Computer Iceberg Meme
page fault handling is Turing complete
What are some alternatives?
tatradas - Disassembler for x86 executables (16-bit and 32-bit) which supports PE, NE, MZ, COM and ELF file formats
rust - Empowering everyone to build reliable and efficient software.
fuzzing - Tutorials, examples, discussions, research proposals, and other resources related to fuzzing
wcc - The Witchcraft Compiler Collection
lazarus - Free Pascal Lazarus Project - Sync'ed with Lazarus SubVersion trunk every 15 minutes
movfuscator - The single instruction C compiler
capstone - Capstone disassembly/disassembler framework: Core (Arm, Arm64, BPF, EVM, M68K, M680X, MOS65xx, Mips, PPC, RISCV, Sparc, SystemZ, TMS320C64x, Web Assembly, X86, X86_64, XCore) + bindings. [Moved to: https://github.com/capstone-engine/capstone]
Bootstrap - The Bootstrap Book
docs - Hardware and software docs / wiki
Metasploit - Metasploit Framework
sail-riscv - Sail RISC-V model