scrashme v1.0

Original program by Kurt Garloff <garloff@suse.de>
Subsequent rewrite by Dave Jones <davej@redhat.com>

######## Improvements over original version ######################

o Now tests all syscalls, not just 256
o Certain syscalls are handled specially, because they made things get out
  of hand too quickly. Forkbombing a box with this app kills it very quickly.
  (An alternative would be to only run this with strict rlimits, but
  there are a few other syscalls we also take care of..)
o Do the syscall in a child process so if something hangs, we can continue.
o Printing of the syscall name/return code.
o Several extra modes of attack.


######### options ###############################################

The first option that scrashme has is '--mode=', which must
be one of the following..

'random'
 Good for stress testing, just does zillions of random junk syscalls.
 -sN: use N as random seed.

'rotate'
 This will call every syscall sequentially, with a specific value in a register,
 and will "rotate" it through all possible register combinations.
 For example, the values of the registers being passed change thusly over time..
  random, random, random, random, random, VALUE
  random, random, random, random, VALUE, random
  random, random, random, random, VALUE, VALUE
  random, random, random, VALUE, random, random
  etc..

 until it eventually gets to calling with the value in all registers.

'capcheck'
 This will check syscalls that call capable() to make sure they return -EPERM.


For random and rotate modes, there exist a number of further options that
define what kinds of values are passed in registers to the syscalls.

structures:
  -Sxx:  pass a struct filled with any hex value (xx).
  This calls syscalls with a pointer to a struct that is filled with hex xx
  as arguments.
 or
  -Sr:  pass struct filled with random byte values.
  As above, but with a struct filled with random bytes.
 In all cases, the structure passed is the size of one page.
 (i.e. 4KB on most architectures)


 -z:  Use all zeros as register parameters.
This calls every syscall with zeros in each of the registers in turn, in
every possible combination, with random junk in the other registers.
Useful for testing for missing NULL checks.
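The register walk used by 'rotate' (and by -z, which is the same walk with
VALUE = 0), together with the "do the syscall in a child process" isolation
from the improvements list, as an added example written for this README and
not scrashme's own code. It assumes 6 argument registers (x86-64 style) and,
to stay harmless, uses getpid as the target syscall in main(); only the
combination index, the VALUE and the seed are inputs.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define NR_ARGS 6   /* assumption: six argument registers, as on x86-64 */

/* Fill args[] for combination idx (1 .. 2^NR_ARGS - 1). Bit k of idx set
 * means register (NR_ARGS - 1 - k) carries VALUE, otherwise random junk,
 * so VALUE shows up in the last register first, exactly like the table
 * in this README. Returns how many registers carry VALUE. */
int rotate_fill(unsigned idx, unsigned long value, unsigned long args[NR_ARGS])
{
    int n = 0;
    for (int reg = 0; reg < NR_ARGS; reg++) {
        int bit = NR_ARGS - 1 - reg;
        if (idx & (1u << bit)) { args[reg] = value; n++; }
        else args[reg] = ((unsigned long)random() << 32) | (unsigned long)random();
    }
    return n;
}

/* Issue syscall nr in a forked child so a hang or crash cannot take the
 * fuzzer down. Returns 0 if the syscall succeeded, its errno if it failed,
 * -2 if the child was killed (signal or the alarm), -1 if fork failed. */
int run_isolated(long nr, const unsigned long a[NR_ARGS], unsigned timeout_s)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        alarm(timeout_s);                          /* SIGALRM ends a hung child */
        long ret = syscall(nr, a[0], a[1], a[2], a[3], a[4], a[5]);
        _exit(ret == -1 ? (errno ? errno : 255) : 0);
    }
    int status;
    waitpid(pid, &status, 0);
    return WIFSIGNALED(status) ? -2 : WEXITSTATUS(status);
}

int main(void)
{
    unsigned long args[NR_ARGS];
    srandom(1);                                    /* fixed seed, like -sN */
    for (unsigned idx = 1; idx < (1u << NR_ARGS); idx++) {
        rotate_fill(idx, 0xffffffffUL, args);
        int rc = run_isolated(SYS_getpid, args, 2); /* harmless demo target */
        printf("combo %2u: %s\n", idx, rc == 0 ? "ok" : rc > 0 ? strerror(rc) : "child killed");
    }
    return 0;
}
```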



There also exist some options which apply to all available modes.

-bN: begin at offset N.
Useful for reproducing bugs that start after a certain number of runs.

-cN: do syscall N with random inputs.
Good for concentrating on a certain syscall, if, for example, you just added one.

-i: Use Intelligent parameters.
Since a vast number of syscalls do some argument checking, chances are a
majority of the calls will get something like -EINVAL back.  This option
passes some almost sensible looking parameters to defeat the simplest checks.
This requires a .sanitise method for each syscall, and right now,
hardly any of the syscalls provide this.


Other useful arguments:
--list will dump all available syscalls, and their syscall number.

#######################################################################

Examples:
./scrashme -c 275 -r -i
Stress test the splice syscall, with random parameters, but sanitise
the passed params so they look almost sensible.


######### Other words of warning ######################################

- This will call syscalls which do things like deleting files, creating
  files etc with random arguments. You could get really unlucky and
  lose something, or end up with a lot of crap files in the dir you
  run this from. It is better to run it from a temporary directory or
  the like. (Or better yet, a chroot?)
- It will also do things which affect memory consumption of the process.
  Setting rlimits may be wise. The child which makes the process grow
  will be killed, leaving the parent to continue issuing more syscalls.

######### Links to similar projects ####################################

tsys - 1991.
http://groups.google.com/groups?q=syscall+crashme&hl=en&lr=&ie=UTF-8&selm=1991Sep20.232550.5013%40smsc.sony.com&rnum=1

