
The file, calc_msg.h, not found in Keystone/struct-padding. #2

Open
a2102107 opened this issue Mar 2, 2024 · 3 comments


a2102107 commented Mar 2, 2024

In line 22 of the keystone/struct-padding/keystone-struct-padding.diff file, there is +#include "../calc_msg.h". But I can't find this header file.

I tried to construct a simple data structure, calc_message_t, on my own from the output of the readme file. But it didn't work out.

Here is the simple data structure I constructed:

typedef struct calc_message
{
  unsigned short msg_type;
  unsigned long len;
  unsigned char msg[7];
} calc_message_t;

Can you provide calc_msg.h file? thank you.

@jovanbulck
Owner

Hi @a2102107 ,

thanks for your interest in our research!

I checked and indeed something went wrong here and calc_msg.h should have been included, sorry for the confusion!

I tried to find back the original PoC but can't immediately find it anymore and I also don't have a working Keystone installation on my current machine. Based on the sample output from the README, it is possible to reconstruct the struct though:

  • first a 2-byte int, followed by 6 bytes of padding (the compiler always aligns 8-byte ints on 8-byte boundaries)
  • then an 8-byte int
  • I honestly don't know why the diff has m.msg, this seems not to be used and also not in the hex print in the README, so this can be dropped I think

To validate I quickly hacked the following C program which yields identical output to the README on my machine (gcc) AFAICS (not validated on Keystone!):

#include <stdio.h>
#include <string.h>
#include <stdint.h>

typedef struct calc_message
{
  uint16_t msg_type;   /* 2 bytes, followed by 6 bytes of padding */
  uint64_t len;        /* 8 bytes, 8-byte aligned */
} calc_message_t;

unsigned long ocall_print_string(calc_message_t* str)
{
   printf("sizeof(calc_message_t) = %zu\n", sizeof(calc_message_t));
   printf("sizeof(msg_type) = %zu\n", sizeof(str->msg_type));
   printf("sizeof(len) = %zu\n", sizeof(str->len));

   /* dump every byte of the object, padding included */
   unsigned char* p = (unsigned char*)str;
   for(unsigned int i = 0; i < sizeof(calc_message_t); i++)
   {
       printf("%02x ", p[i]);
   }
   printf("\n\n");
   return 0;
}

void do_print()
{
  /* only the members are assigned; the padding bytes keep whatever the stack held */
  calc_message_t m;
  m.msg_type = 0xab;
  m.len = 0x12;

  ocall_print_string(&m);
}

void secret_stuff()
{
  /* leave a recognisable pattern on the stack that do_print() will reuse */
  volatile char secret[128];
  memset((char*) secret, 0x41, 128);
}

int main(void)
{
  secret_stuff();
  do_print();
  return 0;
}

Hope this helps! Do let me know if you figure it out :)


a2102107 commented Mar 4, 2024

Dear Author,

Thank you for your quick response.

I am pleased to inform you that I have successfully replicated the issue in the latest version of Keystone. I found that it can be reproduced by setting the compiler optimization level to O0. Your provided C program was very helpful.

Below is the PoC (eapp_native.c):

#include "eapp_utils.h"
#include <string.h>
#include <stdint.h>
#include "edge_call.h"
#include <syscall.h>

typedef struct calc_message
{
  uint16_t msg_type;
  uint64_t len;
} calc_message_t;

#define OCALL_PRINT_STRING 1

unsigned long ocall_print_string(calc_message_t* m);
void secret_stuff();
void do_print();

int main()
{
  secret_stuff();   /* leave 0x41 bytes on the stack */
  do_print();       /* reuse that stack region for the struct */
  EAPP_RETURN(0);
}

/* build at -O0 (as noted above) so the stack layout is kept; a volatile
 * qualifier on the return type is ignored by the compiler, so it is omitted */
void do_print()
{
  calc_message_t m;
  m.msg_type = 0xab;
  m.len = 0x12;

  ocall_print_string(&m);
}

void secret_stuff()
{
  unsigned char secret[128];
  memset(secret, 0x41, 128);
}

unsigned long ocall_print_string(calc_message_t* m)
{
  unsigned long retval;
  /* copies sizeof(calc_message_t) bytes, padding included, out of the enclave */
  ocall(OCALL_PRINT_STRING, m, sizeof(calc_message_t), &retval, sizeof(unsigned long));
  return retval;
}

Thank you once again for your valuable assistance.
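As an added example (not code from this repo or from either participant), the following program ties together the layout jovanbulck reconstructed above and the pattern in the eapp_native.c PoC, but builds with plain gcc on a 64-bit host rather than inside Keystone. It locates the padding bytes of calc_message_t with offsetof, shows that assigning only the members leaves those bytes untouched, and contrasts that with the fix of zeroing the whole object before use. The 0x41 pre-fill is a constructed stand-in for the stale stack contents that secret_stuff() leaves behind; the fill_* and helper names are my own.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout reconstructed in the thread: 2-byte msg_type, compiler-inserted
 * padding up to the 8-byte alignment of len, then the 8-byte len. */
typedef struct calc_message {
    uint16_t msg_type;
    uint64_t len;
} calc_message_t;

/* Byte i of the object belongs to a named member (as opposed to padding). */
static int is_member_byte(size_t i)
{
    size_t t0 = offsetof(calc_message_t, msg_type), t1 = t0 + sizeof(uint16_t);
    size_t l0 = offsetof(calc_message_t, len),      l1 = l0 + sizeof(uint64_t);
    return (i >= t0 && i < t1) || (i >= l0 && i < l1);
}

/* Total number of padding bytes the compiler inserted (6 on a 64-bit ABI
 * where uint64_t is 8-byte aligned, which is the README's case). */
size_t calc_message_padding(void)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof(calc_message_t); i++)
        if (!is_member_byte(i)) n++;
    return n;
}

/* Padding bytes that are non-zero: content no member ever set, i.e. whatever
 * the memory held before. Copied over an enclave boundary, this is the leak. */
size_t nonzero_padding_bytes(const calc_message_t *m)
{
    const unsigned char *p = (const unsigned char *)m;
    size_t n = 0;
    for (size_t i = 0; i < sizeof *m; i++)
        if (!is_member_byte(i) && p[i] != 0) n++;
    return n;
}

/* The pattern from the PoC: only the members are assigned, so the padding
 * keeps whatever the slot held before (secret_stuff()'s 0x41 bytes). */
void fill_unsanitized(calc_message_t *out)
{
    out->msg_type = 0xab;
    out->len = 0x12;
}

/* Hardened variant: clear the whole object before assigning members, so every
 * byte the ocall copies out is determined by the program, not by the stack. */
void fill_sanitized(calc_message_t *out)
{
    memset(out, 0, sizeof *out);
    out->msg_type = 0xab;
    out->len = 0x12;
}

/* Constructed scenario: pre-fill the slot with 0x41 to stand in for stale
 * secret data, apply one of the fill routines, and report how many padding
 * bytes still carry the stale value. */
size_t stale_padding_after(void (*fill)(calc_message_t *))
{
    calc_message_t m;
    memset(&m, 0x41, sizeof m);
    fill(&m);
    return nonzero_padding_bytes(&m);
}

static void hexdump(const char *label, const calc_message_t *m)
{
    const unsigned char *p = (const unsigned char *)m;
    printf("%-12s", label);
    for (size_t i = 0; i < sizeof *m; i++)
        printf("%02x ", p[i]);
    printf("\n");
}

int main(void)
{
    calc_message_t m;
    printf("sizeof = %zu, padding bytes = %zu\n", sizeof m, calc_message_padding());

    memset(&m, 0x41, sizeof m);
    fill_unsanitized(&m);
    hexdump("unsanitized", &m);
    printf("  %zu padding byte(s) carry stale data\n", nonzero_padding_bytes(&m));

    memset(&m, 0x41, sizeof m);
    fill_sanitized(&m);
    hexdump("sanitized", &m);
    printf("  %zu padding byte(s) carry stale data\n", nonzero_padding_bytes(&m));
    return 0;
}
```

The same check works for any struct that crosses a trust boundary: enumerate the member ranges with offsetof, treat every other byte as padding, and require it to be zero before the copy-out; __attribute__((packed)) removes the padding instead but changes the ABI the host side expects, so the memset-before-fill is the less invasive fix.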

@jovanbulck
Owner

hi @a2102107

Great, happy to hear you could reproduce the issue!

In case any future readers stumble on the same problem, perhaps consider if you'd like the above code to be included in this repo?

Please feel free to open a PR with the above code and perhaps reference output/instructions in the keystone directory!
