README.tpl.md
Badges: Build Status, Code Climate, Issue Count, Test Coverage, Inline docs, Yard Docs, MIT License

Seccomp Tools

Provides powerful tools for seccomp analysis.

This project is aimed at (but not limited to) analyzing the seccomp sandboxes found in CTF pwn challenges. Some features are CTF-specific, but the tools are equally useful for analyzing seccomp filters in real-world programs.

Features

  • Dump - Automatically dumps the seccomp BPF filter(s) installed by an executable.
  • Disasm - Converts raw seccomp BPF into a human-readable listing.
    • With simple decompilation.
    • With syscall names and argument names whenever possible.
    • Colorful!
  • Asm - Makes writing seccomp rules as natural as writing code.
  • Emu - Emulates seccomp rules against a given syscall and its arguments.
  • Supports multiple architectures.

Installation

Available on RubyGems.org!

$ gem install seccomp-tools

If the native extension fails to compile during installation, install the build dependencies:

sudo apt install gcc ruby-dev make

and run gem install seccomp-tools again.

Command Line Interface

seccomp-tools

SHELL_OUTPUT_OF(seccomp-tools --help)
SHELL_OUTPUT_OF(seccomp-tools dump --help)

dump

Dumps the seccomp BPF from an executable. The target is run under ptrace: the dumper stops it at each prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) or seccomp(SECCOMP_SET_MODE_FILTER, ...) call and reads the filter program out of the tracee's memory.

NOTICE: the executable really is executed (under ptrace), so do not run dump on an untrusted binary outside a throwaway environment.

SHELL_OUTPUT_OF(file spec/binary/twctf-2016-diary)
SHELL_OUTPUT_OF(seccomp-tools dump spec/binary/twctf-2016-diary)
SHELL_OUTPUT_OF(seccomp-tools dump spec/binary/twctf-2016-diary -f inspect)
SHELL_OUTPUT_OF(seccomp-tools dump spec/binary/twctf-2016-diary -f raw | xxd)

disasm

Disassembles raw seccomp BPF into a human-readable listing.

SHELL_OUTPUT_OF(xxd spec/data/twctf-2016-diary.bpf | head -n 3)
SHELL_OUTPUT_OF(seccomp-tools disasm spec/data/twctf-2016-diary.bpf)

asm

Assembles seccomp rules into raw BPF bytes. It is very useful when writing custom seccomp rules.

Supports labels as jump targets and accepts syscall names directly. See the examples below.

SHELL_OUTPUT_OF(seccomp-tools asm)
# Input file for asm
SHELL_OUTPUT_OF(cat spec/data/libseccomp.asm)
SHELL_OUTPUT_OF(seccomp-tools asm spec/data/libseccomp.asm)
SHELL_OUTPUT_OF(seccomp-tools asm spec/data/libseccomp.asm -f c_source)
SHELL_OUTPUT_OF(seccomp-tools asm spec/data/libseccomp.asm -f assembly)

# let's asm then disasm!
SHELL_OUTPUT_OF(seccomp-tools asm spec/data/libseccomp.asm -f raw | seccomp-tools disasm -)

Since v1.6.0 [not released yet], asm has used a yacc-based parser and therefore supports a more flexible and intuitive syntax!

SHELL_OUTPUT_OF(cat spec/data/example.asm)
SHELL_OUTPUT_OF(seccomp-tools asm spec/data/example.asm -f raw | seccomp-tools disasm -)

The output of seccomp-tools disasm <file> --asm-able is valid input for asm:

SHELL_OUTPUT_OF(seccomp-tools disasm spec/data/x32.bpf --asm-able)

# disasm then asm then disasm!
SHELL_OUTPUT_OF(seccomp-tools disasm spec/data/x32.bpf --asm-able | seccomp-tools asm - -f raw | seccomp-tools disasm -)
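To make the label resolution and syscall-name lookup concrete, here is an added example (not seccomp-tools' own assembler, and not its full grammar): a two-pass assembler in plain Ruby for a small subset of the rule syntax shown above (A = field, A op value ? label : next, label:, return ACTION). It assumes an x86_64 target, a constructed partial syscall table, and the notation args_h[i] for the high 32 bits of argument i; the 8-bit forward-only jump limit it enforces is the real kernel constraint on jt/jf.

```ruby
# Added example (not seccomp-tools' own assembler): a two-pass assembler for a
# small subset of the rule syntax, in plain Ruby with no gems.
# Assumptions: x86_64 only, a constructed partial syscall table, and the
# notation args_h[i] for the high 32 bits of argument i.

SYSCALLS_X86_64 = { 'read' => 0, 'write' => 1, 'open' => 2, 'close' => 3, 'mmap' => 9,
                    'mprotect' => 10, 'dup' => 32, 'execve' => 59, 'exit' => 60,
                    'exit_group' => 231, 'openat' => 257 }.freeze
ARCH_X86_64 = 0xc000003e
# SECCOMP_RET_* action codes; ERRNO(n) / TRACE(n) put n in the low 16 bits.
RET_ACTIONS = { 'KILL_PROCESS' => 0x80000000, 'KILL' => 0x00000000, 'KILL_THREAD' => 0x00000000,
                'TRAP' => 0x00030000, 'ERRNO' => 0x00050000, 'USER_NOTIF' => 0x7fc00000,
                'TRACE' => 0x7ff00000, 'LOG' => 0x7ffc0000, 'ALLOW' => 0x7fff0000 }.freeze
# BPF opcodes from <linux/filter.h>: ld [k], ret k, and the four conditional
# jumps the kernel has (jeq/jgt/jge/jset). The other comparisons are the same
# opcodes with the two branch targets swapped.
BPF_LD_ABS = 0x20
BPF_RET_K = 0x06
JMP_OPCODES = { '==' => 0x15, '>' => 0x25, '>=' => 0x35, '&' => 0x45 }.freeze
INVERTED = { '!=' => '==', '<=' => '>', '<' => '>=' }.freeze

def parse_value(tok)
  return tok.to_i(16) if tok.start_with?('0x')
  return tok.to_i if tok.match?(/\A\d+\z/)
  return ARCH_X86_64 if tok == 'ARCH_X86_64'
  SYSCALLS_X86_64.fetch(tok) { raise ArgumentError, "unknown syscall or value: #{tok}" }
end

# Offsets into struct seccomp_data: nr at 0, arch at 4, six 64-bit args at 16 + 8*i.
def load_offset(expr)
  return 0 if expr == 'sys_number'
  return 4 if expr == 'arch'
  m = expr.match(/\Aargs(_h)?\[([0-5])\]\z/) or raise ArgumentError, "cannot load #{expr}"
  16 + 8 * m[2].to_i + (m[1] ? 4 : 0)
end

def resolve(target, pc, labels)
  return 0 if target == 'next'
  off = labels.fetch(target) { raise ArgumentError, "undefined label #{target}" } - (pc + 1)
  # jt/jf are u8 offsets relative to the next instruction and only jump forward.
  raise ArgumentError, "jump to #{target} not in 0..255 (#{off})" unless (0..255).cover?(off)
  off
end

def assemble(src)
  insns, labels = [], {}
  # Pass 1: parse each line; a label records the index of the next instruction.
  src.each_line do |line|
    l = line.sub(/#.*/, '').strip
    next if l.empty?
    case l
    when /\A(\w+):\z/ then labels[$1] = insns.size
    when /\AA (==|!=|>=|<=|>|<|&) (\S+) \? (\w+) : (\w+)\z/
      op, val, t, f = $1, parse_value($2), $3, $4
      op, t, f = INVERTED[op], f, t if INVERTED.key?(op)
      insns << [:jmp, JMP_OPCODES.fetch(op), val, t, f]
    when /\AA = (.+)\z/ then insns << [:ld, load_offset($1.strip)]
    when /\Areturn (\w+)(?:\((\d+)\))?\z/ then insns << [:ret, RET_ACTIONS.fetch($1) | $2.to_i]
    else raise ArgumentError, "cannot parse: #{l}"
    end
  end
  # Pass 2: encode struct sock_filter entries (u16 code, u8 jt, u8 jf, u32 k),
  # resolving labels to relative offsets now that every label index is known.
  insns.each_with_index.map do |insn, pc|
    case insn[0]
    when :ld then [BPF_LD_ABS, 0, 0, insn[1]]
    when :ret then [BPF_RET_K, 0, 0, insn[1]]
    when :jmp then [insn[1], resolve(insn[3], pc, labels), resolve(insn[4], pc, labels), insn[2]]
    end.pack('vCCV')
  end.join
end

# Constructed rules: x86_64 only, allow read/write/exit_group, EPERM (errno 1) otherwise.
SAMPLE_ASM = <<~ASM
  A = arch
  A == ARCH_X86_64 ? next : dead
  A = sys_number
  A >= 0x40000000 ? dead : next   # reject x32 syscall numbers
  A == read ? ok : next
  A == write ? ok : next
  A == exit_group ? ok : next
  return ERRNO(1)
  ok:
  return ALLOW
  dead:
  return KILL_PROCESS
ASM
```

Running assemble(SAMPLE_ASM) yields 80 bytes (ten 8-byte instructions) that seccomp-tools disasm - accepts on stdin. The output is little-endian, which matches the x86 and arm64 targets; an s390x filter would need big-endian packing.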

emu

Emulates a seccomp filter for a given sys_nr (a number or a syscall name), arg0, arg1, etc., and reports the action the filter returns.

SHELL_OUTPUT_OF(seccomp-tools emu --help)
SHELL_OUTPUT_OF(seccomp-tools emu spec/data/libseccomp.bpf write 0x3)
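What disasm and emu do under the hood, as an added example in plain Ruby (not seccomp-tools' own code): a decoder for the struct sock_filter array that makes up a seccomp filter, a disassembler that prints it in a similar style, and an emulator that runs it against a struct seccomp_data. It covers the instruction subset libseccomp-generated filters use (ld imm/abs, conditional and unconditional jumps with an immediate, ret); X-register and ALU forms raise. The constants come from <linux/filter.h>, <linux/seccomp.h> and <linux/audit.h>, and the sample filter is constructed for this example. It also shows the caveat that matters when reading argument checks: the accumulator is 32 bits, so a 64-bit argument is two separate loads.

```ruby
# Added example, not seccomp-tools' own code: a minimal seccomp classic-BPF
# decoder, disassembler and emulator in plain Ruby (stdlib only).

# Offsets into struct seccomp_data that a filter may read with "ld [k]".
SECCOMP_DATA = { 0 => 'sys_number', 4 => 'arch',
                 8 => 'instruction_pointer', 12 => 'instruction_pointer >> 32' }
6.times { |i| SECCOMP_DATA[16 + 8 * i] = "args[#{i}]"; SECCOMP_DATA[20 + 8 * i] = "args[#{i}] >> 32" }
SECCOMP_DATA.freeze

# SECCOMP_RET_* action codes; the low 16 bits of a return value carry data (e.g. an errno).
ACTIONS = { 0x80000000 => 'KILL_PROCESS', 0x00000000 => 'KILL_THREAD', 0x00030000 => 'TRAP',
            0x00050000 => 'ERRNO', 0x7fc00000 => 'USER_NOTIF', 0x7ff00000 => 'TRACE',
            0x7ffc0000 => 'LOG', 0x7fff0000 => 'ALLOW' }.freeze
AUDIT_ARCH_X86_64 = 0xc000003e
JMP_OPS = { 0x10 => '==', 0x20 => '>', 0x30 => '>=', 0x40 => '&' }.freeze

Insn = Struct.new(:code, :jt, :jf, :k)

# A raw filter is an array of struct sock_filter { u16 code; u8 jt, jf; u32 k; },
# unpacked little-endian here (x86, x32, arm64); an s390x filter would need 'nCCN'.
def parse_bpf(raw)
  raise ArgumentError, 'filter size is not a multiple of 8' unless (raw.bytesize % 8).zero?
  raw.unpack('vCCV' * (raw.bytesize / 8)).each_slice(4).map { |f| Insn.new(*f) }
end

def action_name(k)
  name = ACTIONS[k & 0xffff0000] or return format('0x%08x', k)
  (k & 0xffff).zero? ? name : "#{name}(#{k & 0xffff})"
end

def disasm_insn(pc, i)
  raise "X-register forms are not supported (code 0x#{i.code.to_s(16)})" unless (i.code & 0x08).zero?
  hex = format('0x%x', i.k)
  tgt = ->(off) { format('%04d', pc + 1 + off) }
  case i.code & 0x07
  when 0 # LD: immediate or a seccomp_data field
    case i.code & 0xe0
    when 0x00 then "A = #{hex}"
    when 0x20 then "A = #{SECCOMP_DATA.fetch(i.k) { "data[#{i.k}]" }}"
    else raise "unsupported load mode 0x#{i.code.to_s(16)}"
    end
  when 5 # JMP: jt/jf/k are offsets relative to the next instruction
    return "goto #{tgt[i.k]}" if (i.code & 0xf0).zero?
    "if (A #{JMP_OPS.fetch(i.code & 0xf0)} #{hex}) goto #{tgt[i.jt]} else goto #{tgt[i.jf]}"
  when 6 then "return #{(i.code & 0x18) == 0x10 ? 'A' : action_name(i.k)}"
  else raise "unsupported instruction class #{i.code & 0x07}"
  end
end

def disasm(prog)
  prog.each_with_index.map { |i, pc| format('%04d: %s', pc, disasm_insn(pc, i)) }
end

# Run the filter on one struct seccomp_data and return the action it chooses.
def emulate(prog, nr:, arch: AUDIT_ARCH_X86_64, args: [], ip: 0)
  # seccomp_data as 16 u32 words: nr, arch, ip lo/hi, args[0..5] lo/hi. The
  # accumulator is 32 bits wide, so a 64-bit argument is seen as two halves.
  data = [nr, arch, ip & 0xffffffff, ip >> 32]
  6.times { |j| v = args.fetch(j, 0); data << (v & 0xffffffff) << ((v >> 32) & 0xffffffff) }
  a = pc = 0
  loop do
    i = prog.fetch(pc) { raise "fell off the end of the filter at #{pc}" }
    raise 'X-register forms are not supported' unless (i.code & 0x08).zero?
    pc += 1
    case i.code & 0x07
    when 0
      if (i.code & 0xe0) == 0x20
        raise "bad seccomp_data load at offset #{i.k}" unless (i.k % 4).zero? && i.k < 64
        a = data[i.k / 4]
      elsif (i.code & 0xe0).zero?
        a = i.k
      else
        raise "unsupported load mode 0x#{i.code.to_s(16)}"
      end
    when 5
      op = i.code & 0xf0
      taken = { 0x10 => a == i.k, 0x20 => a > i.k, 0x30 => a >= i.k, 0x40 => (a & i.k) != 0 }
      pc += op.zero? ? i.k : (taken.fetch(op) ? i.jt : i.jf)
    when 6 then return action_name((i.code & 0x18) == 0x10 ? a : i.k)
    else raise "unsupported instruction class #{i.code & 0x07}"
    end
  end
end

# Constructed sample filter for x86_64: allow read and exit_group, allow write
# only on fd 1 (checking both halves of the 64-bit argument), kill otherwise.
SAMPLE_FILTER = [
  [0x20, 0, 0, 4],                  # A = arch
  [0x15, 0, 9, AUDIT_ARCH_X86_64],  # if (A != ARCH_X86_64) goto 0011
  [0x20, 0, 0, 0],                  # A = sys_number
  [0x15, 6, 0, 0],                  # read       -> 0010 (ALLOW)
  [0x15, 1, 0, 1],                  # write      -> 0006 (fd check)
  [0x15, 4, 5, 231],                # exit_group -> 0010, else 0011
  [0x20, 0, 0, 20],                 # A = args[0] >> 32
  [0x15, 0, 3, 0],                  # high half must be 0, else 0011
  [0x20, 0, 0, 16],                 # A = args[0]
  [0x15, 0, 1, 1],                  # fd == 1 -> 0010, else 0011
  [0x06, 0, 0, 0x7fff0000],         # return ALLOW
  [0x06, 0, 0, 0x80000000],         # return KILL_PROCESS
].map { |f| f.pack('vCCV') }.join
```

puts disasm(parse_bpf(SAMPLE_FILTER)) prints the twelve-line listing; emulate(prog, nr: 1, args: [1]) returns "ALLOW", while emulate(prog, nr: 1, args: [1 | (1 << 32)]) returns "KILL_PROCESS" because the high half of the fd is checked separately, which is exactly the kind of split check a filter author forgets when only the low 32 bits are compared.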

Screenshots

Dump

[screenshot: dump]

Emu

[screenshot: emu]

[screenshot: emu]

Supported Architectures

  • x86_64
  • x32
  • x86
  • arm64 (@saagarjha)
  • s390x (@iii-i)

Pull requests adding support for more architectures are welcome!

Development

I recommend using rbenv for your Ruby environment.

Setup

  • Install bundler
    • $ gem install bundler
  • Clone the source
    • $ git clone https://github.com/david942j/seccomp-tools && cd seccomp-tools
  • Install dependencies
    • $ bundle install

Run tests

$ bundle exec rake

I Need You

Any suggestions or feature requests are welcome! Feel free to file issues or send pull requests. And, if you like this work, I'll be happy to be starred 😬