Introduction
April 23, 2026 · View on GitHub
This repository experiments with bare metal Go, as supported by TamaGo, to perform LLM-driven security vulnerability analysis on low-level architectural layers minimizing OS interference.
The TamaGo framework allows trivial integration of LLM libraries on bare metal to achieve the following:
- dramatically reduced driver footprint, no OS presence
- ability to import and run pure Go libraries
- ability to bridge register/MSR read/write tooling with an LLM agent
This example targets a QEMU microvm machine, it can be easily expanded to any
amd64, arm, arm64, riscv64 target as supported by
TamaGo.
This effort is meant to show the effectiveness of TamaGo in bridging layers which are often considered far apart, rather than making any statements or promises on the effectiveness of wan LLM-drive approach in testing QEMU.
PRs are welcome to add success stories/bugs found with this approach.
Usage
-
Download and patch the TamaGo library with the
tamago.patchin this repository, the patch allows to continue execution on register read/write faults and skip the faulty instruction. -
Point
go.modto the patched library with either a Go workspace orgo mod edit -replace. -
Adapt the system and user prompts, either using the
promptshell command or modifyingcmd/prompt_*.go -
Copy a past
log.txtortouchan empty one to begin from scratch. -
Change, if desired, the default model selected in
internal/llm.ClaudeModelorinternal/llm.GeminiModel. -
Ensure
CLAUDE_API_KEYand/orGEMINI_API_KEYare set in your environment. -
Launch either
run-microvm.sh,run-q35.shorrun-uefi.shfor an example QEMU configuration.
Warning
The UEFI configuration requires OVMF_CODE.fd, from an Open Virtual Machine
Firmware build,
passed as OVMF_CODE variable.
Example (Claude)
The following example shows discovery of QEMU #3336:
./run-uefi.sh
...
[kanzashi] checking exception handler patch
[kanzashi] read32 0x0 => 0x0 (fault)
[kanzashi] starting network
kanzashi • tamago/amd64
agent (claude|gemini)? # start agent
build # build information
cat <path> # show file contents
dns <host> # resolve domain
efivar (verbose)? # list all UEFI variables
exit,quit # exit application
halt,shutdown # shutdown system
help # this help
ls (<path>)? # list directory contents
peek <hex addr> <size> # memory display (use with caution)
poke <hex addr> <hex value> # memory write (use with caution)
prompt (system|user) (<text>)? # show/change prompt
reset (cold|warm)? # reset system
stack # goroutine stack trace (current)
stackall # goroutine stack trace (all)
stat <path> # show file information
terminate # exit EFI Boot Services
uefi # UEFI information (enhances default prompt)
[kanzashi] starting agentic QEMU audit...
[kanzashi] initializing claude agent (claude-opus-4-6)
I'll begin by systematically exploring the QEMU microvm I/O space. The microvm
machine type has a minimal set of peripherals. Let me start by probing known
address ranges for the microvm platform.
## Step 1: Probe known microvm MMIO regions
The microvm uses a simplified memory map. Key regions include:
- **LAPIC**: 0xFEE00000
- **IOAPIC**: 0xFEC00000
- **HPET**: 0xFED00000
- **VirtIO MMIO**: typically at 0xFEB00000+ (each device gets a 0x200 region)
- **fw_cfg**: 0xFEB00000 range or I/O port mapped
Returns 0 for out-of-range registers. Let me try writing to
redirection entries with malicious values. The redirection table starts at
register 0x10:
[kanzashi] write32 0xfec00000 <= 0x10 (<nil>)
[kanzashi] write32 0xfec00010 <= 0xffffffff
Segmentation fault (core dumped)
Interesting! The previous log shows that writing `0xFFFFFFFF` to
IOAPIC redirection table entry 0x10 via the IOWIN register caused a segfault in
QEMU. That's already a successful crash.
Author
Andrea Barisani
andrea@inversepath.com
License
Copyright (c) The kanzashi authors. All Rights Reserved.
These source files are distributed under the BSD-style license found in the LICENSE file.