We Keep Coding

arm64 ptrace SINGLESTEP: are the steps described in this paper correct?

I was reading the paper Hiding in the Shadows: Empowering ARM for Stealthy Virtual Machine Introspection and I was wondering whether the steps they are described in paragraph "2.3 Debug Exceptions" were correct or not:
AArch64 allows to generate Software Step exceptions by setting the SS
bit of the Monitor Debug System Control MDSCR_EL1 and Saved Program
Status Register SPSR of the target exception level. For instance, to
single-step a hit breakpoint in EL1 the monitor must set the
MDSCR_EL1.SS and SPSR_EL1.SS bits. After returning to the trapped
instruction, the SPSR will be written to the process state PSTATE
register in EL1. Consequently, the CPU executes the next instruction
and generates a Software Step exception.
I have tried to understand how single-stepping happens in freeBSD, and I am noticing a mismatch.
I am basing the following lines of code to the release 12.3.0 of freeBSD (4 December 2021), commit: 70cb68e7a00ac0310a2d0ca428c1d5018e6d39e1. I chose to base this question on freeBSD because, in my opinion, following its code is easier than Linux, but the same principles shall be common to both families.
According to my understanding, this is what happens in freeBSD:
1- Ptrace single step is invoked, arriving in the architecture-independent code proc_sstep(), in sys_process.c:
int proc_sstep(struct thread *td)
{
PROC_ACTION(ptrace_single_step(td));
}
2- Architecture-dependent code ptrace_single_step()is called, in arm64/ptrace_machdep.c:
int ptrace_single_step(struct thread *td)
{
td->td_frame->tf_spsr |= PSR_SS;
td->td_pcb->pcb_flags |= PCB_SINGLE_STEP;
return (0);
}
Here single step bit (number 21) is set in the "Process State" of the tracee (tracee = thread that is traced) and a flag is set.
3- After a while, the traced task will be selected for scheduling. In cpu_throw() of swtch.S (where the new thread takes place), the flags of the new thread are checked, to see if it must single step:
/* If we are single stepping, enable it */
ldr w5, [x4, #PCB_FLAGS]
set_step_flag w5, x6
4- set_step_flag macro in defined in the same swtch.S:
.macro set_step_flag pcbflags, tmp
tbz \pcbflags, #PCB_SINGLE_STEP_SHIFT, 999f
mrs \tmp, mdscr_el1
orr \tmp, \tmp, #1
msr mdscr_el1, \tmp
isb
999:
.endm
Here, if the single-step flag is set, it sets the single step bit of register MDSCR_EL1 (bit in position 0).
4- To the best of my understanding, the combination of single step bit on SPSR_EL1 of the "Pstate" + single step bit on MDSCRL_EL1 implies that the tracee execute 1 instruction and it traps.
5- Trap is recognized as a EXCP_SOFTSTP_EL0 and it is handled in do_el0_sync() function of trap.c:
case EXCP_SOFTSTP_EL0:
td->td_frame->tf_spsr &= ~PSR_SS;
td->td_pcb->pcb_flags &= ~PCB_SINGLE_STEP;
WRITE_SPECIALREG(mdscr_el1,
READ_SPECIALREG(mdscr_el1) & ~DBG_MDSCR_SS);
call_trapsignal(td, SIGTRAP, TRAP_TRACE,
(void *)frame->tf_elr, exception);
userret(td, frame);
break;
Here, all the flags are reset and the traced thread receives a SIGTRAP (sent by itself, I think). Being traced, it will stop. And the tracer, at this point, can return from a possible waitpid().
What I could observe differs from the paper explanation. Can you check and correct the steps that I listed, please ?

What control lines are asserted/set to 1 when a load double word instruction is called?

Using this diagram, I am looking at this instruction to determine what control lines are necessary.
ld x5, 40(x9)
x5 = 0x000000ff
x9 = 0x00000fff
I am curious what control lines (RegWrite, MemRead, MemWrite, MemtoReg, Branch, Zero, ALUSrc) are asserted or set to 1 in order for this instruction to run, and why I understand the parts of the load double instruction to be ld RT, Disp(RA) - but what is required for execution and why? Thank you - resources on these things (that make sense to me) are extremely limited on the internet.

Its a LOAD instruction in which the memory address to be read is calculated by adding 40 to the contents of the register x9, the result is then stored in register x5.
Instruction is writing to registers, therefore assert RegDst and RegWrite
Instruction is required to add 40 to the contents of x5. Set ALUSrc to 1 to select 40 as one of the source.
Assert MemReadas its a memory read. Also set MemtoReg to 1 so that mux will get the data from Memory rather than ALU.

Matlab GPIB - how to read Message AVailable from Status Byte Register?

as the title says...
I want to check the SBR register of device connected over GPIB. I am interested in reading the MAV bit 4, which should be set if instrument has something it would like to send me.
The problem is, that in order to check the SBR, I inevitably have to send another query (*STB?), which clears the device output buffer by default. In other words, whenever I check if there is something to read, I remove it just by looking. Here is code to reproduce it, problem is at the last call to fscanf():
>> fid = gpib('agilent', 7, 26);
>> fopen(fid)
>> fprintf(fid, '*SRE 255; *SRE?') % Enable everything in SBR
>> fscanf(fid) % Returns +191 as expected (255 - 64 for MSS)
>> fprintf(fid, '*IDN?') % Make any query...
>> fprintf(fid, '*STB?') % Read SBR
% The line above generates device Query Error (beep)
>> fscanf(fid) % << Returns +0 !!!
>> fclose(fid) % Just to prevent flames :]
I suspect, that there is some way to check the SBR without querying the device, but I could not find anything. MATLAB help for VISA drivers is silent on the topic of communicating directly with the driver or the bus.
I also tried to check for BusManagementStatus with no avail.
For reference, I am using MATLAB R2011b, with 32-bit Agilent VISA drivers, and the GPIB enabled device is Agilent E4980A LCR Meter. Thanks for any help.

OK, I think that I figured it out. Please correct me if I am wrong...
First of all I need to anticipate the need to check for available message, because in my solution I won't be able to check for Error Queue, Master Summary, and other bits, that are set in SBR.
Then, before my actual commands (that may produce some output), I need to mask the Service Request Enable Register (SRER) to only allow MAV bit. Thats done like so (following from example in question):
>> fprintf(fid, '*SRE 16');
>> fprintf(fid, '...ACTUAL COMMANDS THAT ARE TO BE EXECUTED...');
Now I can check, whether the device sends a service request, using the aforementioned BusManagementStatus command. The following command returns true iff there is MAV bit set in SBR.
>> strcmp(fid.BusManagementStatus.ServiceRequest, 'on')
The disadvantage is that there is no way to check for errors during my ACTUAL COMMANDS execution. If I do so, it might produce errors... :]

serial monitoring method to test communication via com ports without a serial communication device

I have a Verilog code simulated and synthesized on ISE design toolkit. I've got an FPGA spartan 6 device which is to be used for the implementation. But there is a problem with the device (probably a power issue) which makes the device unavailable in any of the COM ports when I connected it to my PC. So I want to check whether my Matlab code which I made for serial communication through the device does the desired job. So I need a method to test serial communication via any of the COM ports without connecting a serial com device to the PC. Is there any such method that I can Tx Rx serial data from Matlab to COM ports? Any software or any other method would be highly appreciated :)

I found a way to test Matlab serial communication using virtual serial ports.
Download "Freeware Virtual COM Ports Emulator" from: http://freevirtualserialports.com/
I installed it in Windows 10, and it's working (as trial).
Add a pair of two serial ports:
Execute the following Matlab code sample to verify it's working:
s3 = serial('COM3','BaudRate',115200);
s4 = serial('COM4','BaudRate',115200);
fopen(s3);
fopen(s4);
fwrite(s3, uint8([1, 2, 3, 4, 5]));
%fprintf(s3, '12345');
pause(0.1);
RxBuf = fread(s4, 5)
fclose(s3);
delete(s3);
clear s3
fclose(s4);
delete(s4);
clear s4
The output is:
RxBuf =
1
2
3
4
5
Bypassing the problem "it only stays for a single test session".
There is a problem when creating a pair of virtual ports using the software, it only stays for a single test session.
I guess it's a problem with the COM port emulation software.
The following solution, is not a good practice (and not a true solution).
Declare the serial object as global, keeping the object persistent.
Create the serial object only if it's not created.
Don't delete and don't clear the serial object.
See the following code sample:
global s3 s4
if isempty(s3)
s3 = serial('COM3','BaudRate',115200);
end
if isempty(s4)
s4 = serial('COM4','BaudRate',115200);
end
fopen(s3);
fopen(s4);
fwrite(s3, uint8([1, 2, 3, 4, 5]));
pause(0.1);
RxBuf = fread(s4, 5)
fclose(s3);
%delete(s3);
%clear s3
fclose(s4);
%delete(s4);
%clear s4
You can also look for a better virtual COM port software.

As Rotem suggested, if you need to communicate via serial line between 2 program of your PC you need a virtual COM port emulator.
It seems you are running on Windows OS so I would recommend a completely free emulator (not a trial one). For Windows I use com0com Null-modem emulator (from SourceForge).
In the example below I will show how to communicate with "another" device so Matlab will not handle both side of the communication. The other device will be simulated by a simple terminal. For windows I use RealTerm: Serial/TCP Terminal (also from SourceForge).
Setup:
Execute the setup of both program with all default options. by default com0com will create a virtual pair COM3/COM4 but if these port already exist on your system the program may assign other numbers. Check the numbers before you run the example. (it will also create a CNCA0/CNCB0 pair but you can ignore this one for now).
For RealTerm, once installed (don't forget to activate the server registration at the end of the setup, it should be ticked by default though), it will look like below. Keep all default options, just set the port number and the baud rate if they need to be changed.
Test MATLAB -> Terminal
You are ready to send Ascii characters or binary values from MATLAB to your device. The animation below shows you an example of both option:
you can click on the picture to see it full size. It is running in loop so you may want to wait until it restart from the beginning.
Test Terminal -> MATLAB
Below animation shows you how to test the communication in the other way:
Don't forget to tick [CR] [LF] on RealTerm when you send Ascii characters and want to use the '%s' format specifier on MATLAB, as it needs these characters to detect the end of the string.
Note:
If you have another terminal program that you are more used too, it
will work the same.
If the RealTerm option does not suit you, or if you want to handle
both sides of communication from Matlab, then you can use the code
provided by Rotem in his first answer. Just install com0com but
ignore all the RealTerm part.

WinDBG - how to set all exception to be passed into app?

How can I set all exceptions behavior to pass to application and not appear in debugger?
I'm using IDA Pro 6.6 and WinDbg.

It's a bit awkward to do that for all exception types at once
.foreach(exc {sx}) {.catch{sxd ${exc}}}
What it does:
{sx}: list all exception types (and current settings, which you actually don't want)
exc: assign a variable
.foreach(...) {...}: cut it into pieces of single words and execute a command
sxd ${exc}: disable whatever is in variable exc
.catch{...}: ignore all the error messages which come from the settings information
The advantage of the above approach is that it is WinDbg version independent. If new exception codes are introduced, it will still work.
Processing of unwanted text can be avoided with PyKd. Save the following script into a file sdx.py and run !py sxd.py:
from pykd import *
sx = dbgCommand("sx")
for s in sx.splitlines():
ex = s[:4]
if not ex=="" or ex.isspace():
print("sxd "+ex)
dbgCommand("sxd "+ex)
Another option is processing all the exceptions manually:
.foreach(exc {.echo "ct et cpr epr ld ud ser ibp iml out av asrt aph bpe bpec eh clr clrn cce cc dm dbce gp ii ip dz iov ch hc lsq isc 3c svh sse ssec sbo sov vs vcpp wkd rto rtt wob wos *"}) {.catch{sxd ${exc}}}
However, if there are new exception codes in WinDbg, you have to add them to the .echo command.

In Windbg the sx family of commands is used to control how
exceptions should be handled.
For passing an exception directly to the application, use the sxd command which disable a specific exception.
(Actually disable mean ignore first chance exception)
To my knowledge, you must use sxd on all specific exceptions,
because sxd * means all exceptions that are not otherwise explicitly named.
Use the sx command to see the available exceptions and current settings. And use sxd on all you want to disable.
0:000> sx
ct - Create thread - ignore
et - Exit thread - ignore
cpr - Create process - ignore
<cut>
av - Access violation - break - not handled
0:000> sxd av
0:000> sx
ct - Create thread - ignore
et - Exit thread - ignore
<cut>
av - Access violation - second-chance break - not handled
The output is in my opinion a bit difficult to interpret; the av (access violation) will now not be handled by the debugger in any visible way.
The “Controlling Exceptions and Events” section in the help explains
the first chance and second-chance concept.

You can optionally control this from the WinDbg GUI 'Debug>Event Filters...' this will open a dialog box like so:
Here you can set how WinDbg handles each exception type and whether they should be enabled, disabled, outputted to the WinDbg console output or ignored and then on the event firing whether WinDbg or your app should handle it.
So in your case you can select 'Ignore' and 'Not Handled' there a MSDN page that explains a little more: https://msdn.microsoft.com/en-us/library/windows/hardware/ff541752(v=vs.85).aspx