The following commits are from the first version of Transformations;

function splicing, etc.

Squashed commit of the following:

commit 59f71e40a709e43ef9c5a96a1a14397b8fee6d82
Author: elfmaster <ryan@bitlackeys.org>
Date:   Mon Mar 20 11:37:54 2023 -0700

    added some more transform macros for pairing registers and stack locations

commit d8077fa9a92cd10a558ce16189e344001fa20d32
Author: elfmaster <ryan@bitlackeys.org>
Date:   Thu Mar 9 18:03:10 2023 -0800

    had broke RELATIVE relocation patching on indirect adrp references, and .bss interposing was broken. Fixed that. It was broken due to some changes in naming and handling symbols within an struct xref_site

commit 8bc5eeba448619617f73a8c11e5c2152e8bb59d2
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Mar 8 16:21:18 2023 -0800

    fixed shiva_tf_relink_new_func so that has sanity checking on which xrefs it relinks in the transformed function

commit 23c622080e18766ab9c9324b15487144b4a715f1
Author: elfmaster <ryan@bitlackeys.org>
Date:   Tue Mar 7 22:39:54 2023 -0800

    added example6

commit 26ba5dc246460040db714300b5ed12a14be1268d
Author: elfmaster <ryan@bitlackeys.org>
Date:   Tue Mar 7 15:39:59 2023 -0800

    Handles example5 correctly. We are using a macro for binding a stack memory location such as [bp + 16] to a variable in the patch. We will expand more on this, for now just PoC.

commit bad3cf7d213a291207d76c39a6b67e78d2809cd1
Author: elfmaster <ryan@bitlackeys.org>
Date:   Tue Mar 7 10:51:28 2023 -0800

    transformed function relinking is now working completely... I think

commit 13da8ea021e1c1fbe2d3cefc7fa3a97ccdebdec4
Author: elfmaster <ryan@bitlackeys.org>
Date:   Mon Mar 6 16:23:19 2023 -0800

    added fsplice/example5 patch

commit 8a2fc59df1eac010ea2362327ecbdf119bb72caa
Author: elfmaster <ryan@bitlackeys.org>
Date:   Mon Mar 6 15:52:45 2023 -0800

    have gotten xref re-linking on transformed top and bottom half functions

commit 3feaa0c83d95109edb740292752570239188fdb9
Author: elfmaster <ryan@bitlackeys.org>
Date:   Mon Mar 6 11:26:25 2023 -0800

    temporary commit, relinking of transformed function global branches and xrefs nearly complete. This commit is broken.

commit e97f69bb1c8e9d1836c3f5fb310af7f26c423eba
Author: elfmaster <ryan@bitlackeys.org>
Date:   Sun Feb 26 17:43:23 2023 -0800

    misc. peripheral code cleanup

commit c89ea2cd8936d5b5fbafa50ff57a0c071f61f2df
Author: elfmaster <ryan@bitlackeys.org>
Date:   Tue Feb 21 13:53:19 2023 -0800

    added more complex fsplice examples for patching

commit c3d66ce75d1c3ad1a977b2c0294ce535c2ba12b7
Author: elfmaster <ryan@bitlackeys.org>
Date:   Sat Feb 18 14:52:56 2023 -0800

    spliced in relocatable code is now able to properly link to functions within its own module body after the transform operation

commit fa84fe5a29c54efa98fa578a4049840fc88a5693
Author: elfmaster <ryan@bitlackeys.org>
Date:   Fri Feb 17 11:45:22 2023 -0800

    got register to variable pairing working

commit aad63213b5f995f6e79d148064c5d86537c80f33
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Feb 15 21:29:22 2023 -0800

    got decoding of b instruction working properly

commit 269237992364e55827296fab6e5228c7976b512c
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Feb 15 13:53:34 2023 -0800

    fixed shiva_analyze.c where instruction addresses and their mnemonic were not being paired correctly. Also fixed an issue in shiva_transform.c that prevented the ptr from pointing to the correct branch instruction to re-write when the branch existed after the transform offset. We have to increase the ptr by transform->offset + new_len - old_len bytes

commit 7cf7b5491f1d170bb5e3e9d0a84dd404f3a220b5
Author: elfmaster <ryan@bitlackeys.org>
Date:   Tue Feb 14 10:23:12 2023 -0800

    Function splicing version 1 now works. Relinking to a single transformed function foo and an interposition of regular function bar, in the fsplice patch example. Still need to handle relinking of adrp/add/ldr xrefs etc.

commit 71e0a2f9aa0c6f4f7dbffff20586c0e1ebe9b095
Author: elfmaster <ryan@bitlackeys.org>
Date:   Mon Feb 13 18:05:55 2023 -0800

    made quite a few fixes, text encoded relocations and relocations that reference those text encodings work now. However having some trouble with .rodata now seeming corrupted possibly?

commit 1797a106167f46066a529a19c99b40e26b08ba20
Author: elfmaster <ryan@bitlackeys.org>
Date:   Sun Feb 12 21:42:34 2023 -0800

    partial commit. having to reconstruct spliced function to handle .text encodings at the end of the final splice function. Made good progress tonight

commit 667e604c7394529f9a9477869e1e02ff33a41d65
Author: elfmaster <ryan@bitlackeys.org>
Date:   Sat Feb 11 15:07:23 2023 -0800

    External relinking is now working with transformed functions, but in our splicing example the function epilogue from the patch seems to be getting inserted instead of from the original function, so this is causing a crash after a transformed function has been called and returned

commit c6bd4dfc3c1c7019dee10a5ed9f05de3c0598bef
Author: elfmaster <ryan@bitlackeys.org>
Date:   Sat Feb 11 13:07:26 2023 -0800

    trying to fix bug where not all bl branches are being found in the call iterator

commit 65764d5587b2806d77fba67be72123e84f2e8c33
Author: elfmaster <ryan@bitlackeys.org>
Date:   Fri Feb 10 13:30:27 2023 -0800

    progress is being made on external relinking after splicing

commit a2218987514e8f789468e56da944a7e3da91555c
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Feb 8 14:18:33 2023 -0800

    relocatable spliced code now working properly with program_c again

commit 80daaf2b03689f726034c09f03c1049f6d31b685
Author: elfmaster <ryan@bitlackeys.org>
Date:   Mon Feb 6 20:37:06 2023 -0800

    fixed issue of when there is no next function to find

commit 8cf748297c974b0a9769586da4c32cd08ec045c0
Author: elfmaster <ryan@bitlackeys.org>
Date:   Mon Feb 6 14:27:36 2023 -0800

    shiva_tf_relink_local_branch patches either a positive or negative ssize_t delta

commit cff24dc02e7756e76ed564a9033f55cdd1b97d60
Author: elfmaster <ryan@bitlackeys.org>
Date:   Mon Feb 6 12:11:33 2023 -0800

    cleaned up transform relinking forward code, got it to compile. next.... to test

commit 41932e7b13cf0c5f6e1c6f8dd60b182c472392f4
Author: elfmaster <ryan@bitlackeys.org>
Date:   Sun Feb 5 19:59:32 2023 -0800

    transform relinking code is coming along

commit 98165f3a74d7168d7c3bfcede8814ef29edd38ab
Author: elfmaster <ryan@bitlackeys.org>
Date:   Sun Feb 5 15:35:30 2023 -0800

    figuring out the encodings for branch

commit 507e3afd3693774dd296aa0f2d75c272ca9c2335
Author: elfmaster <ryan@bitlackeys.org>
Date:   Sun Feb 5 13:54:40 2023 -0800

    began instruction decoding for branches

commit 817d7945a172c455611b783e5488e314f283bee4
Author: elfmaster <ryan@bitlackeys.org>
Date:   Sat Feb 4 14:20:58 2023 -0800

    began writing shiva_tf_relink_local_branch_forward.

commit 9d821d445eac9cd5d81d9b9ad0cf321997494418
Author: elfmaster <ryan@bitlackeys.org>
Date:   Fri Feb 3 19:13:00 2023 -0800

    updated shiva_transform.c with beginning of local_branch_forward code

commit bcbe095192e27e06cfe17acc31de6d8c247259d1
Author: elfmaster <ryan@bitlackeys.org>
Date:   Fri Feb 3 08:06:34 2023 -0800

    began writing code to relink top and bottom half of code around splice

commit 3dc2344a136ec67e25a4044eee37b4cb3816d54e
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Feb 1 20:05:53 2023 -0800

    Relocations on spliced code now actually work!

commit a8239c2d8c4f50a6fafa28d622082799231f019b
Author: elfmaster <ryan@bitlackeys.org>
Date:   Mon Jan 30 18:00:00 2023 -0800

    spliced in patch is now properly relocated by apply_relocation

commit 200673d0f69942226a07878638a8efc879ae92e9
Author: elfmaster <ryan@bitlackeys.org>
Date:   Mon Jan 30 17:11:11 2023 -0800

    continuing to work on function splicing.

commit 7adfae029dd824e1dd81f6f087012a9c818937e6
Author: elfmaster <ryan@bitlackeys.org>
Date:   Mon Jan 30 13:36:18 2023 -0800

    added fsplice patching scenario for fsplice testing. Updated shiva_module.c:internal_symresolve() to handle basic external resolutions, just like we do during initial linking phase and setting up the internal module plt/got

commit 29a7575ab0e2aaf28c75070c7297987c26998f27
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Jan 25 00:47:24 2023 -0800

    module path can now be specified by the SHIVA_MODULE_PATH environment variable

commit ffa10fdab0732561c4299eafbdfaae50ba7fa558
Author: elfmaster <ryan@bitlackeys.org>
Date:   Tue Jan 24 09:32:50 2023 -0800

    updated apply_relocation to handle transforms

commit 6ba37bf552fc2e91b14bf1915a5ad8a2a2154689
Author: elfmaster <ryan@bitlackeys.org>
Date:   Thu Jan 19 12:06:55 2023 -0800

    shiva transform code nops out the procedure prologue and epilogue of the patch code. The patch code is now being inserted properly.

commit bc3ecc0505ff5bf78cc112a4f7d42220050db2b9
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Jan 18 23:07:44 2023 -0800

    fixed bug. second half of function is now being copied correctly. Fixed patch offsets, the code is now being spliced in correctly. Next step, update relocation tables for module, for any relocs that pertain to the transform source function in the module. The r_offset must be added to transform->offset. After that full relinking must be done on top and bottom of the patch code (positive and negative offsets are adjusted).

commit 4c7837d0a739ba19dabf90e8be6fa551d58404c1
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Jan 18 22:07:29 2023 -0800

    function splicing is beginning to come together. Next step is to update relocation records for the transform source function (The patch function) so that it reflects the transform->offset of
    the target function.

commit a7515ffd7e0c2d05ea3c5761e0a5194ba19fc8ef
Author: elfmaster <ryan@bitlackeys.org>
Date:   Tue Jan 17 11:49:10 2023 -0800

    updated process transforms.

commit 2c7ef8edac5def513bd725534eae65148e9f21f0
Author: elfmaster <ryan@bitlackeys.org>
Date:   Mon Jan 16 21:11:25 2023 -0800

    updated elf_section_map for transform operations. added shiva_transform.c for transform code.

commit ea3694bdceb97679eeb7f30352d0bdd05925e5fd
Author: elfmaster <ryan@bitlackeys.org>
Date:   Mon Jan 16 12:35:30 2023 -0800

    fixed a newly introduced bug or two that was causing backwards compatibility issue.

commit 351fd544aa2baf11287dbf7092b47a58a9446a9d
Author: elfmaster <ryan@bitlackeys.org>
Date:   Sun Jan 15 14:44:43 2023 -0800

    added symbol information about the src function of an xref or branch, these information is needed for transformations such as function splicing

commit 1bee6f4e8fc2214a188f2786d0ba4330110b78dd
Author: elfmaster <ryan@bitlackeys.org>
Date:   Sun Jan 15 12:34:32 2023 -0800

    half commit, not finished.

commit 96eed7526cebc8fe923190c093da759df43fd615
Author: elfmaster <ryan@bitlackeys.org>
Date:   Fri Jan 13 18:37:43 2023 -0800

    code is currently not finished, started creating get_tf_function_refs

commit c343b3fb8df99939a69926606183506f4449495a
Author: elfmaster <ryan@bitlackeys.org>
Date:   Thu Jan 12 19:21:29 2023 -0800

    added full branch analysis for aarch64

commit ded4f8b92b8ede2629c020b88922a47833579241
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Jan 11 18:59:14 2023 -0800

    added a branch and xref list to each transform entry

commit 215c75f9e2bee745f5c6e69f5e5f435e930d54ce
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Jan 11 18:28:23 2023 -0800

    created initial code leading up to actual function splicing. Laid the groundwork for other transform operations as well.

commit 6ec577f725a5944dc3a9e1d83c9a56e94365911d
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Jan 11 16:32:55 2023 -0800

    transform validation is now working

commit b33fc952cf84344a771b180bfc0ebccff7d6de09
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Jan 11 12:34:07 2023 -0800

    updated amp_challenge10

commit c81706d5bb59bdce81623e6c53761ca06f6bd9b3
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Jan 11 11:09:05 2023 -0800

    fixed patch Makefiles so that they use a local verison of shiva-ld, since /bin/shiva-ld is not installed when we build the patches. We also added some fixes to the transform validation function, still in its early development.

commit be2af8c1c1b85bf5d35b644a2e0ce8b1146f6a25
Author: elfmaster <ryan@bitlackeys.org>
Date:   Thu Jan 5 19:18:36 2023 -0800

    first draft of validate_transform is mostly done. will finish it up soon.

commit d01f0329e968d4d56d8c954d390afa735bc6ab26
Author: elfmaster <ryan@bitlackeys.org>
Date:   Thu Jan 5 15:50:18 2023 -0800

    almost finished verifying splice functionality.

commit 0afd38fc441196e13511cf7bae2ac053de179274
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Jan 4 19:33:56 2023 -0800

    added initial commit for elf transformations

commit 191306f29ebf5f13715d19f4487cb21cf6428604
Author: elfmaster <ryan@bitlackeys.org>
Date:   Tue Jan 3 19:01:33 2023 -0800

    added patch10.c

commit d44e827d55720e768247002704124b8828740d1c
Author: elfmaster <ryan@bitlackeys.org>
Date:   Tue Jan 3 19:01:08 2023 -0800

    added SHIVA_SPLICE_FUNCTION and shiva_module.h

Author: elfmaster

Makefile

@@ -1,9 +1,10 @@
 BUILD_DIR = './build'
 INTERP_PATH = $(PWD)/build/shiva
+PATCH_PATH = "modules/aarch64_patches"
 GCC_OPTS= -fPIC -ggdb -c
 OBJ_LIST=shiva.o shiva_util.o shiva_signal.o shiva_ulexec.o shiva_auxv.o	\
     shiva_module.o shiva_trace.o shiva_trace_thread.o shiva_error.o shiva_maps.o shiva_analyze.o \
-    shiva_callsite.o shiva_target.o shiva_xref.o
+    shiva_callsite.o shiva_target.o shiva_xref.o shiva_transform.o
 STATIC_LIBS=/opt/elfmaster/lib/libelfmaster.a libcapstone.a
 CC=gcc
 MUSL=musl-gcc
@@ -25,6 +26,7 @@ interp:
 	$(CC) $(GCC_OPTS) shiva_callsite.c -o	shiva_callsite.o
 	$(CC) $(GCC_OPTS) shiva_target.c -o	shiva_target.o
 	$(CC) $(GCC_OPTS) shiva_xref.c -o		shiva_xref.o
+	$(CC) $(GCC_OPTS) shiva_transform.c -o	shiva_transform.o
 	$(MUSL) -static -Wl,-undefined=system -Wl,-undefined=prctl -Wl,-undefined=pause -Wl,-undefined=puts -Wl,-undefined=putchar $(OBJ_LIST) $(STATIC_LIBS) -o $(BUILD_DIR)/shiva
 
 shiva-ld:
@@ -36,11 +38,13 @@ patches:
 install:
 	cp build/shiva /lib/shiva
 	ln -sf build/shiva shiva
+	ln -sf /lib/shiva /usr/bin/shiva
 	cp build/shiva /usr/bin
 	cp tools/shiva-ld/shiva-ld /usr/bin
 	mkdir -p /opt/shiva/modules
-	cp modules/aarch64_patches/*interposing*/*.o /opt/shiva/modules
-	cp modules/aarch64_patches/cfs_patch1/*.o /opt/shiva/modules
+	cp $(PATCH_PATH)/*interposing*/*.o /opt/shiva/modules
+	cp $(PATCH_PATH)/cfs_patch1/*.o /opt/shiva/modules
+	cp $(PATCH_PATH)/amp_challenge10/*.o /opt/shiva/modules
 	cat shiva.ansi
 clean:
 	rm -f *.o shiva

SHIVA_MODULE.specs

@@ -0,0 +1,37 @@
+
+## Shiva modules
+
+The microcode patching process of building an additional runtime image
+for the Shiva module is explained in this document along with the details
+on symbol resolution, relocations, transformations, and external re-linking.
+
+Shiva modules are ELF relocatable objects that define patch code and data.
+At runtime, Shiva parses the ELF object, and builds a process image by mapping
+all of the modules code and data into corresponding ELF sections in memory.
+For example, the .text and .rodata sections are allocatable readonly sections
+and are therefore copied into the modules text segment. Shiva creates an internal
+entry that represents where each section lives within memory.
+
+- From shiva.h
+```
+typedef enum shiva_module_section_map_attr {
+        LP_SECTION_TEXTSEGMENT = 0,
+        LP_SECTION_DATASEGMENT,
+        LP_SECTION_BSS_SEGMENT,
+        LP_SECTION_UNKNOWN
+} shiva_module_section_map_attr_t;
+
+struct shiva_module_section_mapping {
+        struct elf_section section;
+        shiva_module_section_map_attr_t map_attribute;
+        uint64_t vaddr; /* Which memory address the section contents is placed in */
+        uint64_t offset;
+        uint64_t size;
+        char *name;
+        TAILQ_ENTRY(shiva_module_section_mapping) _linkage;
+};
+```
+
+## Symbol resolution, interposition, ordering
+
+

modules/aarch64_patches/Makefile

@@ -1,4 +1,4 @@
-SUBDIRS = dataonly_interposing data_interposing rodata_interposing bss_interposing cfs_patch1
+SUBDIRS = dataonly_interposing data_interposing rodata_interposing bss_interposing cfs_patch1 amp_challenge10 fsplice
 subdirs:
 		for dir in $(SUBDIRS); do \
 			$(MAKE) -C $$dir; \

modules/aarch64_patches/amp_challenge10/Makefile

@@ -0,0 +1,9 @@
+INTERP_PATH="/lib/shiva"
+SHIVA_LD_PATH="../../../tools/shiva-ld/shiva-ld"
+all:
+	gcc -fomit-frame-pointer -mcmodel=large -fno-pic -I ../ -I ../../include -fno-stack-protector -c patch10.c
+	$(SHIVA_LD_PATH) -e program_c -p patch10.o -i /lib/shiva -s /opt/shiva/modules -o program_c.patched
+
+clean:
+	rm *.o
+

modules/aarch64_patches/amp_challenge10/patch10.c

@@ -1,5 +1,6 @@
 #include <stdint.h>
 #include <stdio.h>
+#include "shiva_module.h"
 
 /*
  * These are external .bss variables.
@@ -8,13 +9,11 @@ extern uint16_t size;
 extern uint8_t num_packets;
 
 /*
- * In the future a gcc plugin will offer 
- * __attribute__((shiva_patch(start_vaddr, len))
+ * Example of using a "Shiva Transformation". The
+ * Splice transformation allows us to splice C code
+ * into an existing function.
  */
-uint64_t shiva_insert_patch1_start_0x9b74 = 0;
-uint64_t shiva_insert_patch1_end_0x9b8c = 0;
-
-void * __attribute__((naked)) shiva_insert_patch1(void)
+SHIVA_T_SPLICE_FUNCTION(transport_handler, 0x9b6c, 0x9b94)
 {
 	if ((num_packets * 7) != size) {
 		printf("RTS mismatch detected\n");

modules/aarch64_patches/amp_challenge10/patch_notes.txt

@@ -0,0 +1,26 @@
+0000000000000000 <shiva_insert_0xc490>:
+   0:   a9bf7bfd        stp     x29, x30, [sp, #-16]!
+   4:   910003fd        mov     x29, sp
+  
+
+/*
+ NOTE: This is relocatable code that hasn't been fixed up yet.
+ */
+
+   8:   90000000        adrp    x0, 0 <shiva_insert_0xc490>
+   c:   91000000        add     x0, x0, #0x0 
+  10:   f9400000        ldr     x0, [x0] ; x0 = num_packets
+  14:   39400000        ldrb    w0, [x0] ; w0 = (uint8_t)num_packets;
+  18:   2a0003e1        mov     w1, w0   ; w1 = (uint8_t)num_packets;
+  1c:   2a0103e0        mov     w0, w1
+  20:   531d7000        lsl     w0, w0, #3 ; w0 = num_packets * 8
+  24:   4b010000        sub     w0, w0, w1 ; w0 = num_packets * 7
+  28:   90000001        adrp    x1, 0 <shiva_insert_0xc490>
+  2c:   91000021        add     x1, x1, #0x0
+  30:   f9400021        ldr     x1, [x1] ; x1 = size
+  34:   79400021        ldrh    w1, [x1] ; w1 = (uin16_t)size;
+  38:   6b01001f        cmp     w0, w1 ; if ((num_packets * 7) == size)
+  3c:   540000e0        b.eq    58 <shiva_insert_0xc490+0x58>  // b.none
+...
+...
+

modules/aarch64_patches/amp_challenge10/program_c

@@ -0,0 +1,6 @@
+#include <stdio.h>
+
+int main(void)
+{
+	printf("Hello World\n");
+}

modules/aarch64_patches/amp_challenge10/test.c

@@ -1,8 +1,12 @@
 INTERP_PATH="/lib/shiva"
+SHIVA-LD_PATH="../../../tools/shiva-ld/shiva-ld"
+
 all:
 	gcc -mcmodel=large -fno-pic -I ../ -fno-stack-protector -c bss_patch.c
 	gcc -O0 test_bss.c -o test_bss
-	shiva-ld -e test_bss -p bss_patch.o -i /lib/shiva -s /opt/shiva/modules -o test_bss.patched
+	$(SHIVA-LD_PATH) -e test_bss -p bss_patch.o -i /lib/shiva -s /opt/shiva/modules -o test_bss.patched
+install:
+	cp bss_patch.o /opt/shiva/modules/
 clean:
 	rm -f test_bss test_bss.patched bss_patch.o
 

modules/aarch64_patches/bss_interposing/Makefile

@@ -0,0 +1,9 @@
+INTERP_PATH="/lib/shiva"
+SHIVA-LD_PATH="../../../tools/shiva-ld/shiva-ld"
+
+all:
+	gcc -mcmodel=large -fno-pic -I ../ -fno-stack-protector -c bss_patch2.c
+	gcc -O0 -g bss_vuln.c -o bss_vuln
+	$(SHIVA-LD_PATH) -e bss_vuln -p bss_patch2.o -i /lib/shiva -s /opt/shiva/modules -o bss_vuln.patched
+	chown root:root bss_vuln
+	chmod u+s bss_vuln