Introduction

April 23, 2026 · View on GitHub

This repository experiments with bare metal Go, as supported by TamaGo, to perform LLM-driven security vulnerability analysis on low-level architectural layers minimizing OS interference.

The TamaGo framework allows trivial integration of LLM libraries on bare metal to achieve the following:

  • dramatically reduced driver footprint, no OS presence
  • ability to import and run pure Go libraries
  • ability to bridge register/MSR read/write tooling with an LLM agent

This example targets a QEMU microvm machine, it can be easily expanded to any amd64, arm, arm64, riscv64 target as supported by TamaGo.

This effort is meant to show the effectiveness of TamaGo in bridging layers which are often considered far apart, rather than making any statements or promises on the effectiveness of wan LLM-drive approach in testing QEMU.

PRs are welcome to add success stories/bugs found with this approach.

Usage

  1. Download and patch the TamaGo library with the tamago.patch in this repository, the patch allows to continue execution on register read/write faults and skip the faulty instruction.

  2. Point go.mod to the patched library with either a Go workspace or go mod edit -replace.

  3. Adapt the system and user prompts, either using the prompt shell command or modifying cmd/prompt_*.go

  4. Copy a past log.txt or touch an empty one to begin from scratch.

  5. Change, if desired, the default model selected in internal/llm.ClaudeModel or internal/llm.GeminiModel.

  6. Ensure CLAUDE_API_KEY and/or GEMINI_API_KEY are set in your environment.

  7. Launch either run-microvm.sh, run-q35.sh or run-uefi.sh for an example QEMU configuration.

Warning

The UEFI configuration requires OVMF_CODE.fd, from an Open Virtual Machine Firmware build, passed as OVMF_CODE variable.

Example (Claude)

The following example shows discovery of QEMU #3336:

./run-uefi.sh

...

[kanzashi] checking exception handler patch
[kanzashi] read32 0x0 => 0x0 (fault)
[kanzashi] starting network

kanzashi • tamago/amd64

agent           (claude|gemini)?        # start agent
build                                   # build information
cat             <path>                  # show file contents
dns             <host>                  # resolve domain
efivar          (verbose)?              # list all UEFI variables
exit,quit                               # exit application
halt,shutdown                           # shutdown system
help                                    # this help
ls              (<path>)?               # list directory contents
peek            <hex addr> <size>       # memory display (use with caution)
poke            <hex addr> <hex value>  # memory write   (use with caution)
prompt          (system|user) (<text>)? # show/change prompt
reset           (cold|warm)?            # reset system
stack                                   # goroutine stack trace (current)
stackall                                # goroutine stack trace (all)
stat            <path>                  # show file information
terminate                               # exit EFI Boot Services
uefi                                    # UEFI information (enhances default prompt)

[kanzashi] starting agentic QEMU audit...
[kanzashi] initializing claude agent (claude-opus-4-6)

I'll begin by systematically exploring the QEMU microvm I/O space. The microvm
machine type has a minimal set of peripherals. Let me start by probing known
address ranges for the microvm platform.

## Step 1: Probe known microvm MMIO regions

The microvm uses a simplified memory map. Key regions include:
- **LAPIC**: 0xFEE00000
- **IOAPIC**: 0xFEC00000
- **HPET**: 0xFED00000
- **VirtIO MMIO**: typically at 0xFEB00000+ (each device gets a 0x200 region)
- **fw_cfg**: 0xFEB00000 range or I/O port mapped

Returns 0 for out-of-range registers. Let me try writing to
redirection entries with malicious values. The redirection table starts at
register 0x10:

[kanzashi] write32 0xfec00000 <= 0x10 (<nil>)
[kanzashi] write32 0xfec00010 <= 0xffffffff

Segmentation fault (core dumped)

Interesting! The previous log shows that writing `0xFFFFFFFF` to
IOAPIC redirection table entry 0x10 via the IOWIN register caused a segfault in
QEMU. That's already a successful crash.

Author

Andrea Barisani
andrea@inversepath.com

License

Copyright (c) The kanzashi authors. All Rights Reserved.

These source files are distributed under the BSD-style license found in the LICENSE file.