From eeea39c717e97ef1bd4b6eb49bfa3fa064cb73d2 Mon Sep 17 00:00:00 2001 From: oblivia simplex <lucca.fraser@gmail.com> Date: Sat, 19 Nov 2016 12:55:04 -0400 Subject: [PATCH] OpenBSD_Notes_re_DEP: Added an md file in docs/ explaining how to disable W^X protections on the filesystem you're using to execute Unicorn-using programmes, so that the OS will allow those programmes to run. --- docs/OPENBSD-NOTES.md | 69 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 docs/OPENBSD-NOTES.md diff --git a/docs/OPENBSD-NOTES.md b/docs/OPENBSD-NOTES.md new file mode 100644 index 00000000..ab66566f --- /dev/null +++ b/docs/OPENBSD-NOTES.md @@ -0,0 +1,69 @@ +## Circumventing OpenBSD 6.0's W^X Protections + +OpenBSD 6.0 and above enforces data-execution prevention (DEP or +W^X) by default, preventing memory from being mapped as +simultaneously writeable and executable (i.e., W|X). This causes +problems for Unicorn, if left in place. If you're seeing +errors like the following: +``` +/home/git/unicorn >> ./sample_arm +Emulate ARM code +zsh: abort (core dumped) ./sample_arm +``` +then W^X is likely the culprit. If we run it again with ktrace +and look at the output with kdump, we see that this is indeed +the issue: +``` + 82192 sample_arm CALL mmap(0,0x800000,0x7<PROT_READ|PROT_WRITE|PROT_EXEC>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0) + 82192 sample_arm PSIG SIGABRT SIG_DFL + 82192 sample_arm NAMI "sample_arm.core" +``` +Right now, we're in the /home filesystem. Let's look at its mount +options in /etc/fstab: +``` +1234abcdcafef00d.g /home ffs rw,nodev,nosuid 1 2 +``` +If we edit the options to include ```wxallowed```, appending +this after nosuid, for example, then we're golden: +``` +1234abcdcafef00d.g /home ffs rw,nodev,nosuid,wxallowed 1 2 +``` + +Note that this *does* diminish the security of your filesystem +somewhat, and so if you're particularly particular about such +things, we recommend setting up a dedicated filesystem for +any activities that require ```(W|X)```, such as unicorn +development and testing. + +In order for these changes to take effect, you will need to +reboot. + +_Time passes..._ + +Let's try this again. There's no need to recompile unicorn or +the samples, as (W^X) is strictly a runtime issue. + +First, we double check to see if /home has been mounted with +wxallowed: +``` +/home >> mount | grep home +/dev/sd3g on /home type ffs (local, nodev, nosuid, wxallowed) +``` +Okay, now let's try running that sample again... +``` +/home/git/unicorn/samples >> ./sample_arm +Emulate ARM code +>>> Tracing basic block at 0x10000, block size = 0x8 +>>> Tracing instruction at 0x10000, instruction size = 0x4 +>>> Emulation done. Below is the CPU context +>>> R0 = 0x37 +>>> R1 = 0x3456 +========================== +Emulate THUMB code +>>> Tracing basic block at 0x10000, block size = 0x2 +>>> Tracing instruction at 0x10000, instruction size = 0x2 +>>> Emulation done. Below is the CPU context +>>> SP = 0x1228 +``` +works fine. +