Skip to content

CTSRD-CHERI/chericat

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

80 Commits
docs
docs
 
 
includes
includes
 
 
jupyter_notebook
jupyter_notebook
 
 
python
python
 
 
src
src
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
chericat.1
chericat.1
 
 
chericat.jpg
chericat.jpg
 
 
todo.txt
todo.txt
 
 

Repository files navigation

chericat

chericat

A Capability Analysis Tool for CHERI

The program “chericat” is a standalone tool that runs on CheriBSD. It can be used by attaching to a running process to produce capability-related data, which is stored in a local SQL database. The data can then be queried to retrieve information regarding the capabilities created at that snapshot.

When the -p option is used, chericat uses the procstat utility functions to take a snapshop of the running process with the provided and extract the mmap data. At the same time chericat obtains the ELF data using the ELF Toolchain library. The data is then written to either a SQLite database if a valid database name is provided via the -f option, or to memory just to output the data without storing permanently.

To display formatted data on the console, the -v or -c options can be used. The -v option shows a table with twelve colunms:

Name Description
START The address of the start of the scanned vm block
END The address of the end of the scanned vm block
PRT Protection flags of the vm block, r=read, w=write, x=executable, R=can read capabilities, W=can write capabilities, -=not allowed
ro Number of read-only capabilities found in this vm block
rw Number of read-write capabilities found in this vm block
rx Number of read-and-executable enabled capabilities found in this vm block
rwx Number of read-write-executable enabled capabilities found in this vm block
TOTAL Total number of capabilities found in this vm block
DENSITY Percentage of capabilities found
FLAGS Vm mapping flags
TP Vm object type
PATH Library name/path where the scanned vm block belongs

To display the obtained symbols for the capabilities within a specific library, use the -c option:

Name Description
CAP_LOC Address of the capabilities
CAP_LOC_SYM (TYPE) Name of the symbol (if found on ELF) for the capability, the type could be NOTYPE if the information is not available, OBJECT if the capability is an object type, or FUNC, if the capability is a function type
CAP_INFO Referenced address stored in this capability, the permissions, end address of the capability (which in turns shows how big it is)
CAP_SYM (TYPE) Name of the symbol (if found on ELF) of the referenced capability 
Usage: chericat [-d <debug level>] [-f <database name>] [-p <pid>] [-v] [-c <binary name>]
     debug level - 0 = No output; 1 = INFO; 2 = VERBOSE; 3 = TROUBLESHOOT
     pid - pid of the target process for a snapshot of caps info
     database name - name of the database to store data captured by chericat
Options:
     -d Determine the level of debugging messages to be printed. If omitted, the default is INFO level
     -f Provide the database name to capture the data collected by chericat. If omitted, an in-memory db is used
     -p Scan the mapped memory and persist the caps data to a database
     -v Show virtual summary info of capabilities in the target process, arranged in mmap order
     -c Show capabilities with corresponding symbols located in the provided binary

About

No description, website, or topics provided.

Resources

Readme

License

View license
Activity
Custom properties

Stars

2 stars

Watchers

32 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages