Google Summer of Code 2024 project ideas

[disconnect3d]

Below I list Pwndbg organization project ideas for Google Summer of Code 2024.

Resolution / EDIT2: Pwndbg is a sub-org for the Python organization in GSoC 2024

Most of the projects here are only about Pwndbg and would require the contributor to write Python code and send PRs to this repository. However, since Pwndbg is a GDB plugin, it would benefit from improving GDB as well. Because of this, we may list a project idea about GDB - which is written in C - and which would require sending patches to it instead of Pwndbg. We would of course mentor these project ideas as well if a contributor decides to do that.

Unless otherwise stated, the projects require knowledge of Python programming language, GDB debugging and a little bit of C or C++.

Linux kernel debugging: more libslub features

Description

When researching Linux kernel bugs it is useful to have an insight into the Linux kernel SLAB/SLUB allocator[s].

A part of this is already implemented as a slab command in Pwndbg. We want this extended further with more features by integrating or porting the features from https://github.com/nccgroup/libslub into Pwndbg.

For what is worth, we have an established chat with libslub developers and they would help mentor this project if its choosen.

Ideally this would be done in such a way that the new module could be used as a mostly standalone tool (for instance to allow use by gef users), while still leveraging pwndbg API. Ideally the module would also be fully integrated into pwndbg as a regular module for pwndbg users. There is already a WIP fork that partially integrates into pwndbg, however completing this work would also involve modularizing core parts of pwndbg to make it possible to work standalone without conflicting with other plugins. The existing WIP fork also adds significant number of kernel tests, which could be further improved.

Project information

• Length: ~175 hours
• Difficulty: Medium
• Mentors: @fidgetingbits, @disconnect3d, @gsingh93

Expected Outcome

• Integration or port of nccgroup/libslub project features into Pwndbg
  • Extend the slab {list,info,contains} commands to support use cases available in libslub

Linux kernel debugging: load kernel symbols from kallsyms

Description

Our users sometimes debug Linux kernel without debug symbols, e.g., during a CTF security competition or when debugging a kernel dumped from an embedded device.

Most Linux kernels keep track of its symbol addresses and allows reading them from the /proc/kallsyms file. This means that the symbol information is somewhere in the Linux kernel memory and can be fetched with us to provide better UX.

This loading should be implemented as a kallsyms command.

Project information

• Length: ~175 hours
• Difficulty: Medium
• Mentors: @disconnect3d, @fidgetingbits, @gsingh93

Expected Outcome

• Implement a kallsyms -l|--load <file> command that would parse a kallsyms file from a given path and set up its symbols in the current debugging session
• Research how kallsyms are stored within a kernel memory
• Implement a way to find and load kallsyms from a currently debugged kernel as a kallsyms command

Resources

• Linux kernel: kallsyms command? #1836 - issue for tracking kallsyms command
• https://cateee.net/lkddb/web-lkddb/KALLSYMS_ALL.html - Linux kernel config option that may be required here
• https://github.com/pagabuc/kallsyms-extractor/
• https://github.com/marin-m/vmlinux-to-elf

---

Annotate dissassembly code for architecture through emulation

Pwndbg uses Capstone disassembler which provides lots of metadata information about instructions, e.g., whether an instruction is a jump. This is currently used mostly to determine which instructions are jumps or calls so that we can emulate code up until the branch and show the user whether a branch is taken or not.

However, we can do better than that: since we are emulating the code up until a branch anyway, we can show the values of certain registers or memory locations in the disassembly.

Such a feature has already been developed in #2001 for the X86-64 architecture which will be soon reviewed and merged.

The idea of this project is to do the same, but for other architectures that are supported by Pwndbg and Capstone: arm, arm64 (aarch64), risc-v (and maybe some other too).

This may be a big effort project and ideally, some of the code can probably be abstract/put in a base class to be used by many architectures.

Project information

• Length: ~175 hours
• Difficulty: Medium
• Mentors: @disconnect3d, @gsingh93
• Other knowledgable people: @OBarronCS

Expected Outcome

• Add assembly annotations similar to Annotate disasm #2001 to one or multiple architectures: ARM, ARM64/AARCH64, RISC-V
• Benchmark the cost of annotations (does it slowdown the context display)
• Enable a way to disable annotations (should work out of the box, but writing this explicitly here)

---

Improve procinfo display

The main idea of this project is to improve the information provided by the Pwndbg's procinfo command by:

1. Improving display of certain socket types such as unix domain or netlink sockets as well as researching and adding support for any other socket types for which we can display more information.
2. Adding additional process information such as: seccomp mode, NoNewPrivs flag, linux namespaces information, user namespaces mappings (uid_map, gid_map), linux capabilities

The Pwndbg's procinfo command shows various process information that can normally be seen in procfs (/proc/$pid/) files including a list of file descriptors that the process has opened. This list, apart from listing the file descriptor numbers, also shows the target filepaths or connection information for TCP sockets.

An example output can be seen below (for gdb nc + run onet.pl 80):

pwndbg> procinfo
exe        '/usr/bin/nc'
cmdline    /usr/bin/nc -vvv onet.pl 80 ''
cwd        '/root'
pid        3865282
tid        3865282
ppid       3865278
uid        [0, 0, 0, 0]
gid        [0, 0, 0, 0]
groups     [0]
fd[0]      /dev/pts/1
fd[1]      /dev/pts/1
fd[2]      /dev/pts/1
fd[3]      tcp 46.101.104.250:49274 => 108.138.7.23:80 (established)

Here, we can see that fds=0-2 points to /dev/pts/1 and that fd=3 corresponds to a TCP connection with the given IP and port data.

For sockets, we can do better for Netlink sockets and for Unix domain sockets (UDS) by:

• For Netlink, we listed some ideas in procinfo should display netlink sockets better? #1875
• For UDS, we should list other processes that are connected to the same UDS

All of this would be very useful when debugging a new target for the first time and investigating what are all the file descriptors - files, sockets etc. - it interacts at a given time. It can be useful when looking at things like Chrome and Firefox and figuring out the IPCs they talk to.

Optionally, this project can be extended further by moving the relevant feature of parsing procfs files and returning specific information to a separate library and using this library as a dependency in Pwndbg. This would allow other Python projects to benefit from the same code.

Project information

• Length: ~90 hours
• Difficulty: Easy
• Mentors: @disconnect3d, @gsingh93, @arcz
• Other knowledgable people: @patryk4815

Expected Outcome

• Extend the procinfo command display with more process information such as: seccomp mode, NoNewPrivs flag, linux namespaces information, user namespaces mappings (uid_map, gid_map), linux capabilities
• Improve the current procinfo command display for socket file descriptors
  • procinfo should display netlink sockets better? #1875 for Netlink sockets
  • For Unix Domain Sockets find all processes that connect to them and display them
• [Optional] Extract the procfs parsers to an external Python library managed by Pwndbg organization and set it up as a Python dependency

---

[GDB?] Add an option to ask user if a fork follows parent or child

It would be nice if Pwndbg would have an option to stop on fork calls and ask the user if they want to continue debugging the child, or, the parent.

Note that there is a set follow-fork-mode [parent|child] option in GDB that does this, but here we want a better UX by giving the user a choice before the fork happens.

I mark this as [GDB?] since this can be implemented either in Pwndbg, as a command that will be executed before fork syscalls, or, in GDB which could be another option of follow-fork-mode.

This would have to be discussed with GDB folks but I am pretty sure they would accept such an option.

Project information

• Length: ~90 or 175 hours
  • Depends on the choice: if done on Pwndbg side, 90h, if done on GDB side: 175h
• Difficulty: Easy or Medium
• Mentors: @disconnect3d, @gsingh93

Expected Outcome

• Ability to choose where to follow fork within Pwndbg/GDB

[gsingh93]

Built-in hex editor like this: #1043

Description

It would be nice to be able to more easily edit memory while in GDB, e.g. via hex editor, in some interactive manner, perhaps via ncurses UI.

Example:

Project information

• Length: 175 hours
• Difficulty: Medium
• Mentors: @disconnect3d, @gsingh93

Expected Outcome

Ability to edit memory within Pwndbg in an interactive hex editor.

[gsingh93]

Add LLDB debugger support to Pwndbg

Description

pwndbg is currently tied to a single debugger: GDB. While usually this is not a problem, there are cases when one would want to use the LLDB debugger instead of GDB, for example, for debugging Android apps or services, because according to Android GDB is no longer supported or provided.

In this project idea, we would like to refactor Pwndbg to be debugger agnostic and add support for the LLDB debugger. This would require the contributor to:

• Learn how Pwndbg leverages GDB Python API
• Research the LLDB Python API and see how it all compares to GDB's API
• Propose and discuss potential refactoring to Pwndbg with project mentors
• Refactor Pwndbg to be debugger agnostic
• Hook Pwndbg into LLDB API
• Provide a way to choose LLDB or GDB when installing Pwndbg
• Add some tests against LLDB, or, refactoring current tests to support both gdb and lldb
• Note any GDB vs LLDB incompatibilities in Pwndbg

A part of pwndbg refactoring to make it debugger agnostic has been done by splitting pwndbg codebase into lib/ and gdblib/ directories but more has to be done in this regard.

Project information

• Length: 350 hours
• Difficulty: Hard
• Mentors: @disconnect3d, @gsingh93
• Required things: optionally, an Android device to connect to and debug processes on

Expected Outcome

• Ability to run Pwndbg with LLDB, ideally with all commands supported
• Ideally, ability to run Pwndbg against Android (with LLDB)

[CptGibbon]

jemalloc Heap Inspection

Description

pwndbg's heap inspector only supports GLIBC's default memory allocator. I think there's appetite for supporting other popular dynamic memory allocators e.g. jemalloc

I believe jemalloc is suitable for this project because it can easily integrate into existing development environments, an LD_PRELOAD is all contributors need to get started. I'd like to see at least 2 jemalloc heap inspection commands implemented, a version of pwndbg's existing malloc_chunk command and something similar to its heap command. If this is completed in time, there are many more commands to implement if contributors wish. Preferably there will be automatic detection of jemalloc, with an override option if this fails. Hopefully the new jemalloc inspector will be easy to switch out with the GLIBC allocator (and future allocators), there is already some boilerplate for this.

Project Size & Difficulty

I consider this a medium-sized project at ~175 hours.
I consider this a medium-difficulty project.
I believe the goals of this project to be modest, with plenty of room for extending the project if contributors wish.

• Mentors: @CptGibbon (myself), @disconnect3d
• Other knowledgeable people: @lebr0nli & other contributors/maintainers with dynamic memory allocator knowledge

Expected Outcome

• Addition of at least 2 jemalloc heap inspection commands to pwndbg
• Automatic detection of the jemalloc allocator in a process
• An option to allow users to switch between heap inspectors manually if automatic detection fails

Resources

pwndbg's malloc_chunk command
pwndbg's heap command
pwndbg's heap abstraction code
jemalloc GitHub page
Getting Started with jemalloc
jemalloc Installation
jemalloc manual page

[disconnect3d]

Improve certain commands

This is a project to improve the following commands:

• Add cyclic -d|--detect to detect cyclic pattern offsets in registers and stack values (Detect cyclic pattern in registers or pointers #1965)
• Fix the dq (various dX commands) interface to allow for 0x prefixed values; likely, we may want to make this configurable? (dq and telescope commands have an inconsistent interface #1957)
• Extend cymbol command to allow for reading structs from files (cymbol: load symbols from header files #1973)
• Save history of previous context display (Save history of previous context output #1899)
• Allow for saving outputs of commands and diffing them
• <possibly something more, if time allows>

Project information

• Difficulty: Easy
• Length: 175h
• Mentor: @disconnect3d, @gsingh93, @arcz

[nikoshell]

Enhancing Pwndbg Landing Page

Description

Pwndbg, an open-source debugger for the GNU/Linux platform, plays a critical role in the security community by providing powerful features for reverse engineering and exploit development. As part of this Google Summer of Code project, we aim to enhance the landing page of Pwndbg, making it more accessible, user-friendly, and informative for both new and experienced users.

Project information

• Difficulty: Medium
• Length: 90h
• Mentors: @disconnect3d, @arcz
• Knowledgeable people: @nikoshell
• Requirements:
  • Knowledge of HTML, CSS, JavaScript
  • (Optionally) Familiarity with Astro framework for integrating dynamic content
  • (Optionally) Experience with UX design

Expected outcome

• Modern Design Overhaul: Revamp the visual appearance of the landing page to give it a modern and polished look. This includes updating the color scheme, typography, and layout to create a cohesive and visually appealing design.
• Improved Navigation: Enhance the navigation experience by implementing intuitive menus, breadcrumbs, and navigation bars. Ensure that users can easily find the information they need, whether it's documentation, tutorials, or community resources.
• Interactive Features: Integrate interactive elements such as collapsible sections, tooltips, and hover effects to enhance user engagement and provide a more dynamic browsing experience.
• Responsive Design: Optimize the landing page for various devices and screen sizes, ensuring that it remains functional and visually pleasing on desktops, laptops, tablets, and smartphones.
• Documentation Integration: Integrate documentation directly into the landing page, making it easier for users to access relevant guides, API references, and tutorials without navigating to separate pages.
• Community Engagement: Implement features to encourage community participation, such as a blog section, user forums, or links to social media channels. Foster a sense of community among Pwndbg users and contributors.
• Performance Optimization: Improve the loading speed and overall performance of the landing page by optimizing code, compressing images, and leveraging caching techniques.

[nikoshell]

Dynamic features screenshots with annotations for docs

Description

This enhancement aims to provide users with visual guidance and insight into Pwndbg's capabilities, making it easier for them to understand and utilize its powerful debugging functionalities.

Project Size & Difficulty:

• Difficulty: Medium
• Length: 90h
• Mentors: @disconnect3d, @CptGibbon
• Knowledgeable people: @nikoshell

The project size is medium, requiring proficiency in web development technologies such as HTML, CSS, JavaScript, and Python. Familiarity with libraries for generating and manipulating images, such as Pillow for Python, will be beneficial. Additionally, understanding SVG (Scalable Vector Graphics) documentation and integration will be necessary for creating annotated screenshots. This project offers an exciting opportunity for a motivated student to contribute to Pwndbg while gaining experience in image generation, annotation, and web development.

Feature Description:

• Screenshot Generation: Develop a feature that dynamically generates screenshots of Pwndbg's various features in action. This functionality will capture the debugger's interface during specific operations, such as setting breakpoints, inspecting memory, and analyzing registers.

• Annotation Overlay: Implement an annotation system to overlay explanatory text, arrows, and highlights onto the generated screenshots. Annotations will provide context and guidance, helping users understand the purpose and functionality of each feature showcased in the screenshot.

• Interactive Annotation Editor: Create an interactive editor that allows users to customize annotations, such as changing the text content, adjusting the position of arrows, and modifying the appearance of highlights. This editor will empower users to tailor the annotations to their preferences and requirements.

• Integration with Documentation: Integrate the annotated screenshots seamlessly into Pwndbg's documentation, providing users with visual aids alongside textual explanations. Ensure that the screenshots are appropriately linked within relevant sections of the documentation, enhancing the learning experience for users.

• SVG Documentation: Provide comprehensive SVG documentation detailing the structure, attributes, and usage of the annotated screenshots. This documentation will serve as a valuable resource for developers and contributors, facilitating further enhancements and maintenance of the feature.

• Accessibility Considerations: Ensure that the generated screenshots and annotations are accessible to users with disabilities by implementing appropriate alt text and ensuring compatibility with screen readers.

By implementing this feature, you will contribute to making Pwndbg more user-friendly and accessible, enhancing its educational value and usability for developers and security enthusiasts worldwide. This project will provide you with valuable experience in image generation, annotation, and documentation, as well as exposure to the cybersecurity community and open-source development practices.

[nikoshell]

Golden Sample Tests for all pwndbg features

Project Size & Difficulty:

• Difficulty: Medium
• Length: 90h
• Mentors: @disconnect3d, @CptGibbon

Feature Description:

• Objective: Develop a suite of golden sample tests to validate the functionality of Pwndbg's features automatically. Golden sample tests will serve as reference outputs, ensuring consistent behavior across different environments and code changes.

• Implementation: Create test cases that cover various aspects of Pwndbg's functionality, including its commands and context outputs in various configurations. Each test case will include input commands and the expected output, serving as a baseline for comparison during automated testing.

• Integration with Testing Framework: Integrate the golden sample tests into Pwndbg's existing testing framework, ensuring seamless execution alongside unit tests and integration tests. Use tools such as pytest for Python to automate the execution of test cases and report any failures or discrepancies.

• Continuous Integration: Configure continuous integration (CI) pipelines to run the golden sample tests automatically whenever changes are made to the Pwndbg codebase. CI pipelines will execute the tests in various environments and configurations, providing timely feedback to developers and maintainers.

• Coverage Analysis: Analyze test coverage to ensure comprehensive validation of Pwndbg's features. Identify any gaps or areas lacking sufficient testing and prioritize the creation of additional golden sample tests to achieve thorough coverage.

• Documentation: Document the purpose, structure, and usage of the golden sample tests to facilitate understanding and contribution by developers and contributors. Provide clear instructions on how to run the tests locally and interpret the results.

• Benefits: By implementing golden sample tests, Pwndbg will benefit from improved reliability, stability, and maintainability. Automated validation of features will reduce the risk of regressions and facilitate the development of new features with confidence.

This project presents an opportunity to enhance the quality and robustness of Pwndbg, contributing to its reputation as a reliable and trustworthy tool in the cybersecurity community. You will gain valuable experience in test automation, quality assurance, and software engineering best practices, positioning you as a skilled contributor to open-source projects and future software development endeavors.

[jetchirag]

Resolution / EDIT: Unfortunately, we were not choosen for GSoC 2024. However, the project list here still adds value since it lists what can be improved and how.

I think pwndbg is now successfully accepted under PSF. Mentioned here: https://python-gsoc.org/ideas.html

[disconnect3d]

@jetchirag Yup, I edited the main post once more to reflect that we are now a sub-org of Python org in GSoC 2024.