Sandsifter – The X86 Processor Fuzzer

Sandsifter - The X86 Processor Fuzzer

The sandsifter audits x86 processors for hidden directions and {hardware} bugs, by systematically producing machine code to go looking by means of a processor’s instruction set, and monitoring execution for anomalies. Sandsifter has uncovered secret processor directions from each main vendor; ubiquitous software program bugs in disassemblers, assemblers, and emulators; flaws in enterprise hypervisors; and each benign and safety-important {hardware} bugs in x86 chips.

With the multitude of x86 processors in existence, the purpose of the instrument is to allow customers to verify their very own programs for hidden directions and bugs.

To run a primary audit in opposition to your processor:

sudo ./ --unk --dis --len --sync --tick -- -P1 -t

The laptop is systematically scanned for anomalous directions. In the higher half, you possibly can view the directions that the sandsifter is at present testing on the processor. In the underside half, the sandsifter experiences anomalies it finds.
The search will take from just a few hours to a couple days, relying on the pace of and complexity of your processor. When it’s full, summarize the outcomes:

./ knowledge/log

Typically, a number of million undocumented directions in your processor can be discovered, however these usually fall right into a small variety of totally different teams. After binning the anomalies, the summarize instrument makes an attempt to assign every instruction to a problem class:

  • Software bug (for instance, a bug in your hypervisor or disassembler),
  • Hardware bug (a bug in your CPU), or
  • Undocumented instruction (an instruction that exists within the processor, however just isn’t acknowledged by the producer)

Press ‘Q’ to stop and procure a textual content based mostly abstract of the system scan:
The outcomes of a scan can generally be troublesome for the instruments to routinely classify, and should require guide evaluation. For assist analyzing your outcomes, be happy to ship the ./knowledge/log file to [email protected]. No private data, aside from the processor make, mannequin, and revision (from /proc/cpuinfo) are included on this log.

Scanning with the sandsifter has uncovered undocumented processor options throughout dozens of opcode classes, flaws in enterprise hypervisors, bugs in almost each main disassembly and emulation instrument, and significant {hardware} bugs opening safety vulnerabilities within the processor itself.
Details of the outcomes may be discovered within the undertaking whitepaper.
(TODO: detailed outcomes enumeration right here)

Sandsifter requires first putting in the Capstone disassembler: Capstone can sometimes be put in with:

sudo apt-get set up libcapstone3 libcapstone-dev
sudo pip set up capstone

Sandsifter may be constructed with:


and is then run with

sudo ./ --unk --dis --len --sync --tick -- -P1 -t

Flags are handed to the sifter with –flag, and to the injector with — -f.

sudo ./ --unk --dis --len --sync --tick -- -P1 -t

Sifter flags:

 seek for size variations in all directions (directions that
 executed in a different way than the disassembler anticipated, or didn't
 exist when the disassembler anticipated them to

 seek for size variations in legitimate directions (directions that
 executed in a different way than the disassembler anticipated)

 seek for unknown directions (directions that the disassembler does not
 learn about however efficiently execute)

 the inverse of --unk, seek for invalid disassemblies (directions that do
 not efficiently execute however that the disassembler acknowledges)

 periodically write the present instruction to disk

 save search progress on exit

 resume search from final saved state

 write search outcomes to disk as they're discovered

 don't retailer ends in reminiscence

Injector flags:

 mode: brute pressure

 mode: randomized fuzzing

 mode: tunneled fuzzing

 mode: externally directed fuzzing

 uncooked output mode

 textual content output mode

 write periodic progress to stderr

 permit null dereference (requires sudo)

 permit duplicate prefixes

 no nx bit help

-s seed
 in random search, seed worth

-B brute_depth
 in brute search, most search depth

-P max_prefix
 most variety of prefixes to go looking

-i instruction
 instruction at which to start out search (inclusive)

-e instruction
 instruction at which to finish search (unique)

-c core
 core on which to carry out search

-X blacklist
 blacklist the desired instruction

-j jobs
 variety of simultaneous jobs to run

-l range_bytes
 variety of base instruction bytes in every sub vary

m: Mode – change the search mode (brute pressure, random, or tunnel) for the sifter
q: Quit – exit the sifter
p: Pause – pause or unpause the search

The scanning helps 4 totally different search algorithms, which may be set on the command line, or cycled by way of hotkeys.

  • Random looking generates random directions to check; it usually produces outcomes rapidly, however is unable to seek out complicated hidden directions and bugs.
  • Brute pressure looking tries directions incrementally, as much as a person-specified size; in virtually all conditions, it performs worse than random looking.
  • Driven or mutation pushed looking is designed to create new, more and more complicated directions by means of genetic algorithms; whereas promising, this strategy was by no means totally realized, and is left as a stub for future analysis.
  • Tunneling is the strategy described within the presentation and white paper, and in virtually all instances supplies one of the best commerce-off between thoroughness and pace.


  • sudo
    For greatest outcomes, the instrument ought to be run as the foundation person. This is critical in order that the method can map into reminiscence a web page at handle 0, which requires root permissions. This web page prevents many directions from seg-faulting on reminiscence accesses, which permits a extra correct fault evaluation.
  • Prefixes
    The main limitation for the depth of an instruction search is the variety of prefix bytes to discover, with every extra prefix byte growing the search area by round an element of 10. Limit prefix bytes with the -P flag.
  • Colors
    The interface for the sifter is designed for a 256 coloration terminal. While the main points fluctuate vastly relying in your terminal, this will roughly be achieved with:
     export TERM='xterm-256coloration'
  • GUI
    The interface assumes the terminal is of no less than a sure dimension; if the interface just isn’t rendering correctly, strive growing the terminal dimension; this will usually be achieved by lowering the terminal font dimension.
    In some instances, it might be fascinating or essential to run the instrument with out the graphical entrance finish. This may be carried out by working the injector straight:
     sudo ./injector -P1 -t -0

    To filter the outcomes of a direct injector invocation, grep can be utilized. For instance,

     sudo ./injector -P1 -r -0 | grep '.r' | grep -v sigill

    searches for directions for which the processor and disassembler disagreed on the instruction size (grep ‘.r’), however the instruction efficiently executed (grep -v sigill).

  • Targeted fuzzing
    In many instances, it’s worthwhile to direct the fuzzer to a particular goal. For instance, for those who suspect that an emulator has flaws round repeated ‘lock’ prefixes (0xf0), you would direct the fuzzer to go looking this area of the instruction area with the -i and -e flags:
     sudo ./ --unk --dis --len --sync --tick -- -t -i f0f0 -e f0f1 -D -P15
  • Legacy programs
    For scanning a lot older programs (i586 class processors, low reminiscence programs), go the –low-mem flag to the sifter and the -N flag to the injector:
     sudo ./ --unk --dis --len --sync --tick --low-mem -- -P1 -t -N

    If you observe your scans finishing too rapidly (for instance, a scan completes in seconds), it’s sometimes as a result of these flags are required for the processor you’re scanning.

  • 32 vs. 64 bit
    By default, sandsifter is constructed to focus on the bitness of the host working system. However, some directions have totally different behaviors when run in a 32 bit course of in comparison with when run in a 64 bit course of. To discover these eventualities, it’s generally worthwhile to run a 32 bit sandsifter on a 64 bit system.
    To construct a 32 bit sandsifter on a 64 bit system, Capstone have to be put in as 32 bit; the directions for this may be discovered at
    Then sandsifter have to be constructed for a 32 bit structure:
     make CFLAGS=-m32

    With this, the 32 bit instruction area may be explored on a 64 bit system.


  • A dialogue of the methods and outcomes may be discovered within the Black Hat presentation.
  • Technical particulars are described within the whitepaper.
  • Slides from the Black Hat presentation are here.

sandsifter is a analysis effort from Christopher Domas (@xoreaxeaxeax).


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.