Ledger-Donjon / rainbow

Makes Unicorn traces. Generic Side-Channel and Fault Injection simulator
GNU Lesser General Public License v3.0

RuntimeError: Emulation crashed at 0x80051F8 #60

Open Wpj-001 opened 3 months ago

Wpj-001 commented 3 months ago

I encountered an error while generating a trace for other encrypted codes. How can this be resolved?

Traceback (most recent call last):
  File "/home/alex/project_wpj/rainbow/rainbow/rainbow.py", line 275, in start
    self.emu.emu_start(begin, end, timeout=timeout, count=count)
  File "/home/alex/miniconda3/envs/Rainbow/lib/python3.8/site-packages/unicorn/unicorn.py", line 547, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/alex/project_wpj/rainbow/examples/kyber512/cortexm_aes.py", line 66, in <module>
    container = CortexMAesContainer(N)
  File "/home/alex/miniconda3/envs/Rainbow/lib/python3.8/site-packages/lascar/container/container.py", line 427, in __init__
    trace = self.generate_trace(0)
  File "/home/alex/project_wpj/rainbow/examples/kyber512/cortexm_aes.py", line 59, in generate_trace
    leakage = kyber_enc_dec()
  File "/home/alex/project_wpj/rainbow/examples/kyber512/cortexm_aes.py", line 28, in kyber_enc_dec
    e.start(e.functions["PQCLEAN_KYBER512_CLEAN_crypto_kem_keypair"] | 1, 0)
  File "/home/alex/project_wpj/rainbow/rainbow/generics/cortexm.py", line 79, in start
    return super().start(begin | 1, *args, **kwargs)
  File "/home/alex/project_wpj/rainbow/rainbow/rainbow.py", line 279, in start
    raise RuntimeError(f"Emulation crashed at 0x{pc:X}") from e
RuntimeError: Emulation crashed at 0x80051F8

yhql commented 3 months ago

"read unmapped" errors occur when an instruction (in this case the one at 0x80051F8) tries to access memory that was not mapped by the original mapping of your binary/executable. You can try executing that same function with the same parameters, but this time without using the 'side-channel mode' and tracing register values instead to see the culprit:

emulator = rainbow_cortexm(print_config=Print.Code | Print.Registers)

Wpj-001 commented 3 months ago

I changed to a program for analysis, and an error occurred at 0X80015B2. Following the method provided by you, I received the following error output. How should I resolve this issue?

[image]

yhql commented 2 months ago

Looking at 0x80015a3, you have r3 = 0xdead0400, but in 0x80015b2 the strb instruction tries to write to that address. If you get a UC_ERR_WRITE_UNMAPPED that means the emulator has nothing mapped in 0xdead00xx yet. If you're sure you need to have something available here, you can map it like so:

emulator = rainbow...( ... )
emulator[0xdead0000] = bytes(1024)

which will allocate 1 KB of data starting at 0xdead0000.

Wpj-001 commented 2 months ago

Thank you very much for your reply. The previous issue has been resolved. However, a new problem has arisen. When I was analyzing a program, it got stuck at a certain point. I printed the executed functions using print_config=Print.Functions, and found that it keeps hanging at the place shown in the figure below. It neither throws an error nor proceeds further. What could be the reason for this?

[image]