DECAF 1.6

Makefile.objs

@@ -431,9 +431,11 @@ QEMU_CFLAGS+=$(GLIB_CFLAGS)
 QEMU_CPPFLAGS+=$(QEMU_CFLAGS)
 #LOK: moved the callback interface into the shared directory
 libdecaf-y=DECAF_callback.o DECAF_main.o DECAF_cmds.o
-libdecaf-y+=procmod.o read_linux.o hookapi.o windows_vmi.o vmi.o linux_vmi.o
+libdecaf-y+=procmod.o hookapi.o windows_vmi.o vmi.o
+#Kevin: read_linux.o is removed, also add some read ELF stuff heres -- 10/23/2013
+libdecaf-y+=linux_procinfo.o linux_readelf.o linux_vmi.o
 libdecaf-y+=function_map.o
-libdecaf-y+=tainting/reduce_taint.o tainting/taintcheck_opt.o tainting/tainting.o 
+libdecaf-y+=tainting/reduce_taint.o tainting/taintcheck_opt.o tainting/tainting.o
 libdecaf-y+=tainting/taint_memory.o tainting/tcg_taint.o tainting/analysis_log.o
 #libdecaf-y+=sqlite3/sqlite3.o
 libdecaf-y+=DECAF_vm_compress.o

Makefile.target

@@ -213,7 +213,7 @@ obj-$(CONFIG_REALLY_VIRTFS) += 9pfs/virtio-9p-device.o
 obj-$(CONFIG_KVM) += kvm.o kvm-all.o
 obj-$(CONFIG_NO_KVM) += kvm-stub.o
 obj-y += memory.o
-LIBS+=-lz
+LIBS+=-lz -lrt
 
 QEMU_CFLAGS += $(VNC_TLS_CFLAGS)
 QEMU_CFLAGS += $(VNC_SASL_CFLAGS)

configure

@@ -112,6 +112,8 @@ target_list=""
 enable_vmi="yes"
 #AWH - TCG tainting off by default
 tcg_taint="no"
+#AWH - TCG IR logging off by default
+tcg_ir_log="no"
 bluez=""
 brlapi=""
 curl=""
@@ -482,8 +484,7 @@ Haiku)
   linux="yes"
   linux_user="yes"
   usb="linux"
-  # AWH - No KVM support
-  #kvm="yes"
+  kvm="yes"
   vhost_net="yes"
   if [ "$cpu" = "i386" -o "$cpu" = "x86_64" ] ; then
     audio_possible_drivers="$audio_possible_drivers fmod"
@@ -673,7 +674,7 @@ for opt do
   ;;
   --disable-kvm) kvm="no"
   ;;
-  --enable-kvm) kvm="no" # AWH - No KVM support
+  --enable-kvm) kvm="yes"
   ;;
   --disable-tcg-interpreter) tcg_interpreter="no"
   ;;
@@ -805,6 +806,11 @@ for opt do
   ;;
   --disable-tcg-taint) tcg_taint="no"
   ;;
+  # AWH - TCG IR logging
+  --enable-tcg-ir-log) tcg_ir_log="yes"
+  ;;
+  --disable-tcg-ir-log) tcg_ir_log="no"
+  ;;
   # AWH - VMI support
   --enable-vmi) enable_vmi="yes"
   ;;
@@ -898,6 +904,7 @@ default_target_list=""
 if [ "$softmmu" = "yes" ] ; then
     default_target_list="\
 i386-softmmu \
+arm-softmmu \
 "
 fi
 #x86_64-softmmu \
@@ -1105,6 +1112,9 @@ echo "  --enable-guest-agent     enable building of the QEMU Guest Agent"
 # AWH - TCG tainting
 echo "  --disable-tcg-taint      disable taint IR generation via TCG (default)"
 echo "  --enable-tcg-taint       enable taint IR generation via TCG"
+# AWH - TCG IR logging
+echo "  --disable-tcg-ir-log     disable TCG IR logging buffers (default)"
+echo "  --enable-tcg-ir-log      enable TCG IR logging buffers"
 # AWH - VMI enable
 echo "  --disable-vmi            disable VMI support"
 echo "  --enable-vmi             enable VMI support (default)"
@@ -2907,6 +2917,8 @@ echo "libiscsi support  $libiscsi"
 echo "build guest agent $guest_agent"
 # AWH - TCG tainting
 echo "enable TCG taint  $tcg_taint"
+# AWH - TCG IR logging
+echo "enable IR logging $tcg_ir_log"
 # AWH - VMI
 echo "enable VMI        $enable_vmi"
 
@@ -2960,7 +2972,10 @@ fi
 if test "$tcg_taint" = "yes" ; then
   echo "CONFIG_TCG_TAINT=y" >> $config_host_mak
 fi
-
+#AWH - TCG IR logging
+if test "$tcg_ir_log" = "yes" ; then
+  echo "CONFIG_TCG_IR_LOG=y" >> $config_host_mak
+fi
 echo "ARCH=$ARCH" >> $config_host_mak
 if test "$debug_tcg" = "yes" ; then
   echo "CONFIG_DEBUG_TCG=y" >> $config_host_mak
@@ -3606,24 +3621,23 @@ case "$target_arch2" in
   *)
     echo "CONFIG_NO_XEN=y" >> $config_target_mak
 esac
-#AWH - Disable KVM support
-#case "$target_arch2" in
-#  i386|x86_64|ppcemb|ppc|ppc64|s390x)
-#    # Make sure the target and host cpus are compatible
-#    if test "$kvm" = "yes" -a "$target_softmmu" = "yes" -a \
-#      \( "$target_arch2" = "$cpu" -o \
-#      \( "$target_arch2" = "ppcemb" -a "$cpu" = "ppc" \) -o \
-#      \( "$target_arch2" = "ppc64"  -a "$cpu" = "ppc" \) -o \
-#      \( "$target_arch2" = "ppc"    -a "$cpu" = "ppc64" \) -o \
-#      \( "$target_arch2" = "ppcemb" -a "$cpu" = "ppc64" \) -o \
-#      \( "$target_arch2" = "x86_64" -a "$cpu" = "i386"   \) -o \
-#      \( "$target_arch2" = "i386"   -a "$cpu" = "x86_64" \) \) ; then
-#      echo "CONFIG_KVM=y" >> $config_target_mak
-#      if test "$vhost_net" = "yes" ; then
-#        echo "CONFIG_VHOST_NET=y" >> $config_target_mak
-#      fi
-#    fi
-#esac
+case "$target_arch2" in
+  i386|x86_64|ppcemb|ppc|ppc64|s390x)
+    # Make sure the target and host cpus are compatible
+    if test "$kvm" = "yes" -a "$target_softmmu" = "yes" -a \
+      \( "$target_arch2" = "$cpu" -o \
+      \( "$target_arch2" = "ppcemb" -a "$cpu" = "ppc" \) -o \
+      \( "$target_arch2" = "ppc64"  -a "$cpu" = "ppc" \) -o \
+      \( "$target_arch2" = "ppc"    -a "$cpu" = "ppc64" \) -o \
+      \( "$target_arch2" = "ppcemb" -a "$cpu" = "ppc64" \) -o \
+      \( "$target_arch2" = "x86_64" -a "$cpu" = "i386"   \) -o \
+      \( "$target_arch2" = "i386"   -a "$cpu" = "x86_64" \) \) ; then
+      echo "CONFIG_KVM=y" >> $config_target_mak
+      if test "$vhost_net" = "yes" ; then
+        echo "CONFIG_VHOST_NET=y" >> $config_target_mak
+      fi
+    fi
+esac
 if test "$target_arch2" = "ppc64" -a "$fdt" = "yes"; then
   echo "CONFIG_PSERIES=y" >> $config_target_mak
 fi

cpu-defs.h

@@ -154,7 +154,8 @@ typedef struct CPUWatchpoint {
 } CPUWatchpoint;
 
 #ifdef CONFIG_TCG_TAINT
-#define CPU_TEMP_BUF_NLONGS 256
+#define CPU_TEMP_BUF_NLONGS 1024
+// AWH - Was 256
 #else
 #define CPU_TEMP_BUF_NLONGS 128
 #endif /* CONFIG_TCG_TAINT */

cpus.c

@@ -932,14 +932,16 @@ static void qemu_kvm_start_vcpu(CPUState *env)
     }
 }
 
+extern int DECAF_kvm_enabled;
+
 void qemu_init_vcpu(void *_env)
 {
     CPUState *env = _env;
 
     env->nr_cores = smp_cores;
     env->nr_threads = smp_threads;
     env->stopped = 1;
-    if (kvm_enabled()) {
+    if (kvm_enabled() && DECAF_kvm_enabled) { // Added by Heng Yin
         qemu_kvm_start_vcpu(env);
     } else {
         qemu_tcg_init_vcpu(env);

exec-all.h

@@ -21,6 +21,9 @@
 #define _EXEC_ALL_H_
 
 #include "qemu-common.h"
+#ifdef CONFIG_TCG_IR_LOG 
+#include "tcg-target.h" /* AWH - For TCG_TARGET_REG_BITS */
+#endif /* CONFIG_TCG_IR_LOG */
 
 /* allow to see translation results - the slowdown should be negligible, so we leave it */
 #define DEBUG_DISAS
@@ -48,7 +51,7 @@ typedef struct TranslationBlock TranslationBlock;
 #else
 #define MAX_OPC_PARAM_PER_ARG 1
 #endif
-#ifdef CONFIG_TCG_TAINT
+#if 0 //def CONFIG_TCG_TAINT
 /* AWH - We can have a whole bunch of input args to a CALL that
    logs taint information (reg numbers and concrete values). */
 #define MAX_OPC_PARAM_IARGS 10
@@ -62,6 +65,7 @@ typedef struct TranslationBlock TranslationBlock;
  * and up to 4 + N parameters on 64-bit archs
  * (N = number of input arguments + output arguments).  */
 #define MAX_OPC_PARAM (4 + (MAX_OPC_PARAM_PER_ARG * MAX_OPC_PARAM_ARGS))
+
 #ifdef CONFIG_TCG_TAINT
 /* AWH - We need to increase the size of the opcode buffer to be big
   enough to hold all of our added taint IR and logging CALL ops.  But,
@@ -96,14 +100,19 @@ typedef struct TranslationBlock TranslationBlock;
   <- OPC_MAX_SIZE: 432 -><- MAX_OP_PER_INSTR: 5968 ->
 */
 #define OPC_BUF_SIZE 6400
-#define MAX_OP_PER_INSTR (OPC_BUF_SIZE - 640 + 208)
 #else
 /* XXX: make safe guess about sizes */
-#define MAX_OP_PER_INSTR 208
 #define OPC_BUF_SIZE 640
 #endif /* CONFIG_TCG_TAINT */
+#define MAX_OP_PER_INSTR (OPC_BUF_SIZE - 208)
+/* AWH - We want to reduce the number of IR ops that are generated in
+   a single TB to reduce the number of IRs that we have to store if we
+   are storing the IRs for a plugin to examine later. */
+#ifdef CONFIG_TCG_IR_LOG
+#define OPC_MAX_SIZE 200
+#else
 #define OPC_MAX_SIZE (OPC_BUF_SIZE - MAX_OP_PER_INSTR)
-
+#endif /* CONFIG_TCG_IR_LOG */
 /* Maximum size a TCG op can expand to.  This is complicated because a
    single op may require several host instructions and register reloads.
    For now take a wild guess at 192 bytes, which should allow at least
@@ -201,6 +210,18 @@ struct TranslationBlock {
     struct TranslationBlock *jmp_next[2];
     struct TranslationBlock *jmp_first;
     uint32_t icount;
+#ifdef CONFIG_TCG_IR_LOG
+    uint8_t DECAF_logged; /* AWH - Has this been logged to disk? */
+    uint16_t *DECAF_gen_opc_buf; /* AWH - IR ops in this TB */
+#if TCG_TARGET_REG_BITS == 32
+    uint32_t *DECAF_gen_opparam_buf; /* AWH - IR parms in this TB */
+#else
+    uint64_t *DECAF_gen_opparam_buf; /* AWH - IR parms in this TB */
+#endif /* TCG_TARGET_REG_BITS */
+    uint32_t DECAF_num_opc;
+    uint32_t DECAF_num_opparam;
+    unsigned long DECAF_tb_id; /* AWH - offset of this in "tbs" (exec.c) */
+#endif /* CONFIG_TCG_IR_LOG */
 };
 
 static inline unsigned int tb_jmp_cache_hash_page(target_ulong pc)

exec.c

@@ -24,12 +24,6 @@
 #include <sys/mman.h>
 #endif
 
-//#include "test_tlb_cb.h"
-
-#ifdef CONFIG_VMI_ENABLE
-#include "shared/DECAF_callback_to_QEMU.h"
-#endif
-
 #include "qemu-common.h"
 #include "cpu.h"
 #include "tcg.h"
@@ -64,6 +58,7 @@
 #endif
 
 #include "DECAF_main.h"
+#include "shared/DECAF_callback_to_QEMU.h"
 
 //#define DEBUG_TB_INVALIDATE
 //#define DEBUG_FLUSH
@@ -84,6 +79,14 @@
 
 #define SMC_BITMAP_USE_THRESHOLD 10
 
+#ifdef CONFIG_TCG_IR_LOG
+static uint16_t *gDECAF_gen_opc_buf;
+#if TCG_TARGET_REG_BITS == 32
+uint32_t *gDECAF_gen_opparam_buf;
+#else
+uint64_t *gDECAF_gen_opparam_buf;
+#endif /* TCG_TARGET_REG_BITS */
+#endif /* CONFIG_TCG_IR_LOG */
 static TranslationBlock *tbs;
 static int code_gen_max_blocks;
 TranslationBlock *tb_phys_hash[CODE_GEN_PHYS_HASH_SIZE];
@@ -475,6 +478,9 @@ static void code_gen_alloc(unsigned long tb_size)
     map_exec(code_gen_buffer, code_gen_buffer_size);
 #else
     code_gen_buffer_size = tb_size;
+#ifdef CONFIG_TCG_IR_LOG
+    unsigned long i;
+#endif /* CONFIG_TCG_IR_LOG */
     if (code_gen_buffer_size == 0) {
 #if defined(CONFIG_USER_ONLY)
         code_gen_buffer_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
@@ -565,8 +571,32 @@ static void code_gen_alloc(unsigned long tb_size)
     map_exec(code_gen_prologue, sizeof(code_gen_prologue));
     code_gen_buffer_max_size = code_gen_buffer_size -
         (TCG_MAX_OP_SIZE * OPC_BUF_SIZE);
+#if (defined(CONFIG_TCG_IR_LOG) && (TCG_TARGET_REG_BITS == 32))
+/* AWH - For people running DECAF on a 32-bit machine, the IR storage
+  will require too much RAM.  So, for 32-bit systems, we make the number
+  of code blocks much smaller. */
+    code_gen_max_blocks = code_gen_buffer_size / CODE_GEN_AVG_BLOCK_SIZE / 16;
+#else
     code_gen_max_blocks = code_gen_buffer_size / CODE_GEN_AVG_BLOCK_SIZE;
+#endif /* CONFIG_TCG_IR_LOG && (TCG_TARGET_REG_BITS == 32) */
     tbs = g_malloc(code_gen_max_blocks * sizeof(TranslationBlock));
+#ifdef CONFIG_TCG_IR_LOG
+fprintf(stderr, "AWH: code_gen_alloc(): code_gen_max_blocks: %d\n", code_gen_max_blocks);
+fprintf(stderr, "AWH: code_gen_alloc(): gDECAF_gen_opc_buf: %d\n", OPC_MAX_SIZE * sizeof(uint16_t) * code_gen_max_blocks);
+    gDECAF_gen_opc_buf = g_malloc(OPC_MAX_SIZE * sizeof(uint16_t) * code_gen_max_blocks);
+fprintf(stderr, "AWH: code_gen_alloc(): gDECAF_gen_opparam_buf: %d\n", OPC_MAX_SIZE * sizeof(uint16_t) * 6 * code_gen_max_blocks);
+    gDECAF_gen_opparam_buf = g_malloc(OPC_MAX_SIZE * sizeof(TCGArg) * 6 * code_gen_max_blocks);
+
+    for (i = 0; i < code_gen_max_blocks; i++) {
+      tbs[i].DECAF_tb_id = i;
+      tbs[i].DECAF_gen_opc_buf = 
+        gDECAF_gen_opc_buf + (OPC_MAX_SIZE * i);
+      /* Allocate 6 arguments per IR opcode */
+      tbs[i].DECAF_gen_opparam_buf = 
+        gDECAF_gen_opparam_buf + (OPC_MAX_SIZE * 6 * i);
+      //printf("Allocating block %d of %d\n", i+1, code_gen_max_blocks);
+    }
+#endif /* CONFIG_TCG_IR_LOG */
 }
 
 /* Must be called before using the QEMU cpus. 'tb_size' is the size
@@ -684,6 +714,11 @@ static TranslationBlock *tb_alloc(target_ulong pc)
     tb = &tbs[nb_tbs++];
     tb->pc = pc;
     tb->cflags = 0;
+#ifdef CONFIG_TCG_IR_LOG
+    tb->DECAF_logged = 0;  /* AWH - Has this been logged to disk? */
+    tb->DECAF_num_opc = 0;
+    tb->DECAF_num_opparam = 0;
+#endif /* CONFIG_TCG_IR_LOG */
     return tb;
 }
 
@@ -695,6 +730,9 @@ void tb_free(TranslationBlock *tb)
     if (nb_tbs > 0 && tb == &tbs[nb_tbs - 1]) {
         code_gen_ptr = tb->tc_ptr;
         nb_tbs--;
+#ifdef CONFIG_TCG_IR_LOG
+        tb->DECAF_logged = 0;
+#endif /* CONFIG_TCG_TAINT */
     }
 }
 
@@ -2336,8 +2374,7 @@ void tlb_set_page(CPUState *env, target_ulong vaddr,
 #ifdef CONFIG_VMI_ENABLE
         if (DECAF_is_callback_needed(DECAF_TLB_EXEC_CB))
         	DECAF_invoke_tlb_exec_callback(env, vaddr);
-#endif
-
+#endif /* CONFIG_VMI_ENABLE */
     } else {
         te->addr_code = -1;
     }

kvm-all.c

@@ -35,7 +35,6 @@
 
 /* KVM uses PAGE_SIZE in it's definition of COALESCED_MMIO_MAX */
 #define PAGE_SIZE TARGET_PAGE_SIZE
-
 //#define DEBUG_KVM
 
 #ifdef DEBUG_KVM

qemu-options.hx

@@ -2297,6 +2297,16 @@ STEXI
 Start right away with a saved state (@code{loadvm} in monitor)
 ETEXI
 
+DEF("toggle-kvm", HAS_ARG, QEMU_OPTION_toggle_kvm, \
+    "-toggle-kvm [0|1]\n" \
+    "                toggle KVM on or off at runtime\n", \
+    QEMU_ARCH_ALL)
+STEXI
+@item -toggle-kvm @var{file}
+@findex -toggle-kvm
+Toggle KVM on or off at runtime. 
+ETEXI
+
 DEF("after_loadvm", HAS_ARG, QEMU_OPTION_after_loadvm, \
     "-after_loadvm [???]\n" \
     "                NO DESCRIPTION\n", \
@@ -2307,13 +2317,13 @@ STEXI
 NO DESCRIPTION
 ETEXI
 
-DEF("load_plugin", HAS_ARG, QEMU_OPTION_load_plugin, \
-    "-after_loadvm [path to plugin]\n" \
+DEF("load-plugin", HAS_ARG, QEMU_OPTION_load_plugin, \
+    "-load-plugin [path to plugin]\n" \
     "                load the specified plugin at startup\n", \
     QEMU_ARCH_ALL)
 STEXI
-@item -load_plugin @var{file}
-@findex -load_plugin
+@item -load-plugin @var{file}
+@findex -load-plugin
 Load the specified plugin immediately upon startup of QEMU. 
 ETEXI