SPADE is a static code analysis tool for identifying sub-page DMA vulnerabilities.

- README.md - this file.
- prep_kernel.sh - sets up an environment on a Debian/Ubuntu distro.
- mmo.pl - the SPADE tool main script.
- cscope.sh - sets up the cscope files (used by prep_kernel.sh).
- try_set.sh - helper script.

- cd <path to>/mmo-static
- ./prep_kernel.sh
  This may take a couple of hours, as it compiles a kernel with ALL device drivers.
- <path to>/mmo-static/mmo.pl

prep_kernel.sh: does all the steps needed before mmo.pl can work.
- create a working directory (e.g., ~/dev/mmo) in which all helper files will be stored.
- get the needed libraries (e.g., build-essential, git, cscope, dwarves)
- clone a Linux git repository (e.g., Linus Linux Git)
- configure the .config with allmodconfig & compile -- hence the long run time.
- prepare cscope files for the compiled kernel.

mmo.pl: performs a static analysis of the kernel in the working directory.

Read output: less -LR /tmp/logs/*.txt
- For DMA vulnerabilities:
  grep -in Vulnerability /tmp/logs/*
- For DMA vulnerabilities due to struct skb_shared_info:
  grep -n SKB /tmp/logs/*

At the end of the analysis, mmo.pl shows the following:
- Number of files that were checked
- Number of DMA vulnerabilities found
- Number of DMA vulnerabilities due to struct skb_shared_info found

The detailed output is in the /tmp/logs/* files. There is one log file per thread.

Found in /tmp/logs/*:
/*** Spoofed Vulnerability:*/ |931| Callbacks reachable via struct nvme_fc_fcp_op : DMA_FROM_DEVICE
/*** Direct Vulnerability: */ |1 | Callback exposed in struct nvme_fc_fcp_op : DMA_FROM_DEVICE
/*mapped type:*/ struct nvme_fc_fcp_op
/*DECLARATION*/["__nvme_fc_init_request:1698"]:__nvme_fc_init_request(struct nvme_fc_ctrl *ctrl,
struct nvme_fc_queue *queue, struct nvme_fc_fcp_op *op, ...)
/*CALL*/["__nvme_fc_init_request:1731"]: fc_dma_map_single(ctrl->lport->dev, &op->rsp_iu,
sizeof(op->rsp_iu), DMA_FROM_DEVICE);
/*mapped type:*/ void
/*DECLARATION*/["fc_dma_map_single:935"]:fc_dma_map_single(struct device *dev, void *ptr, ...) {
/*CALL*/["fc_dma_map_single:939"]: return dev ? dma_map_single(dev, ptr, size, dir) : (dma_addr_t)0L;
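
To triage findings across all per-thread logs, the `Vulnerability` lines shown above can be ranked per mapped struct. This is an added example, not part of SPADE: the function name `spade_summary` is hypothetical, the line layout is inferred from the sample output above, and the colour-code stripping assumes the logs may carry ANSI sequences (the README pages them with `less -R`).

```shell
#!/bin/sh
# Added example (not part of SPADE): rank findings from the per-thread logs.
# Assumed line layout, taken from the sample output in this README:
#   /*** <Direct|Spoofed> Vulnerability:*/ |<count>| ... struct <name> : <DMA direction>
# Output columns (tab separated):
#   kind, mapped struct, DMA direction, largest callback count, times reported
# Usage: spade_summary /tmp/logs/*.txt

spade_summary() {
    # Arguments: log files to read; defaults to the README's /tmp/logs/*.
    [ "$#" -gt 0 ] || set -- /tmp/logs/*
    esc=$(printf '\033')
    tab=$(printf '\t')
    # Pipeline: strip ANSI colour sequences (assumption, see above), parse the
    # finding lines, then sort Direct exposures first and larger counts first.
    sed "s/${esc}\[[0-9;]*m//g" "$@" |
    awk -F'|' '
        /(Direct|Spoofed) Vulnerability:/ && NF >= 3 {
            kind = ($1 ~ /Direct/) ? "Direct" : "Spoofed"
            n = $2 + 0                      # callback count between the bars
            name = "?"; dir = "?"
            if (match($3, /struct [A-Za-z_][A-Za-z0-9_]*/))
                name = substr($3, RSTART + 7, RLENGTH - 7)
            if (match($3, /DMA_[A-Z_]+/))
                dir = substr($3, RSTART, RLENGTH)
            key = kind "\t" name "\t" dir
            hits[key]++                     # same struct seen in several logs or sites
            if (n > max[key]) max[key] = n
        }
        END {
            for (k in hits) printf "%s\t%d\t%d\n", k, max[k], hits[k]
        }' |
    sort -t "$tab" -k1,1 -k4,4nr -k2,2
}
```

The first lines of the output are the `Direct` rows, where a callback pointer sits inside the mapped struct itself; the `/*DECLARATION*/` and `/*CALL*/` trace for each struct is still best read in the original log.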

mmo.pl is a Perl 5 script which uses some existing Perl libraries. In case of missing library errors, please install them from CPAN.
Install cpanm to make installing other modules easier (you'll thank us later). You need to type these commands into a terminal emulator (Mac OS X, Win32, Linux):
$ cpan App::cpanminus
Accept all defaults
$ source ~/.bashrc
Now install any module you can find.
$ cpanm Module::Name