[panda-users] taint segmentation fault

Brendan Dolan-Gavitt brendandg at gatech.edu
Thu Apr 9 23:42:49 EDT 2015


Hi,

Tim has just updated the tainted_instructions tutorial so that it reflects
how things work now. Could you look through that tutorial and see if it
helps with your problem?

https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md

Note that you will probably need to do a "git pull" and rebuild (make clean
; ./build.sh) in order to make sure everything works as it says in the
tutorial.

-Brendan

On Thu, Apr 9, 2015 at 9:30 AM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:

> Now that the panda taint.md is not fresh, can you guys give me some help?
> I use the replay plugin; here is my command and the result.
>
> The content of pk_search_strings.txt is: "sdt"
>
> I am confused here: in the paper "Repeatable reverse with panda" it is
> clear that if I use the stringsearch and taint plugin, when it matches, the
> taint label will be put and then the taint action will start. But when I
> use it, it seems wrong (the picture shown before): no taint action
> executes, and I am confused about the stringsearch's result.
> How can I use it to analyze?
> Thanks a lot!
>>
> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>
>> I get the replay file by running the runandroid script, and I use the
>> qemu-system-arm command just to do some replay work.
>> I may not understand you at all in this email. Do you mean that I should
>> gdb the original program rather than the record file?
>> Thanks
>>
>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>
>>> Hmm. gdb should normally stop when you get a segfault.
>>>
>>> Are you by any chance running PANDA using the runandroid script? If so,
>>> you will need to instead invoke PANDA manually, i.e.:
>>>
>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>
>>> And then once it crashes, type "bt" at the gdb prompt to get a backtrace.
>>>
>>> -Brendan
>>>
>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>> wrote:
>>>
>>>> When I run gdb, it shows:
>>>> and then I see the log: it shows a segfault:
>>>>
>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>
>>>>> Maybe I am wrong.
>>>>> I use the command line
>>>>> "taint2:label_mode=binary,query_outgoing_network=1" and I found that
>>>>> when I use taint2, after it loads panda_taint2.so, it
>>>>> shows: "taint2: instructed not to inline taint ops. success".
>>>>>
>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>
>>>>>> OK.
>>>>>> 1. I want to use the taint plugin to get information about some
>>>>>> functions (of course, it is closed-source), so I think I can stringsearch
>>>>>> potential data and then taint them, and next I can locate the functions
>>>>>> which handle these data.
>>>>>>
>>>>>> 2. The command line I used is: stringsearch:name=***;
>>>>>> taint2:tainted_instructions=1.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>> :
>>>>>>
>>>>>>> Could you provide:
>>>>>>>
>>>>>>> 1. What information you're trying to get
>>>>>>> 2. The command line you're using to run PANDA with the taint2 plugin
>>>>>>>
>>>>>>> ?
>>>>>>>
>>>>>>> Right now I believe taint2 does not produce very much output by
>>>>>>> default. Instead you use the -pandalog <filename> command line option, and
>>>>>>> taint2 will write its results there in pandalog format; you can then read
>>>>>>> them using pandalog_reader (see panda/pandalog_reader.c for details on that
>>>>>>> tool).
>>>>>>>
>>>>>>> -Brendan
>>>>>>>
>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> When I tried taint2, it showed the same error as taint1; the only
>>>>>>>> difference is that taint2 has no segfault error, just uninit taint plugin.
>>>>>>>>
>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>>>>>>
>>>>>>>>> Could you be a little more descriptive about how it failed?
>>>>>>>>> Segfault? Error message? Incorrect output?
>>>>>>>>>
>>>>>>>>> -Brendan
>>>>>>>>>
>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> I tried taint2 too; it failed.
>>>>>>>>>>
>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>:
>>>>>>>>>>
>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.  “taint2”
>>>>>>>>>>> is the one we are actively using and developing.
>>>>>>>>>>> --
>>>>>>>>>>> Tim Leek
>>>>>>>>>>> Technical Staff
>>>>>>>>>>> Cyber System Assessments
>>>>>>>>>>> MIT Lincoln Laboratory
>>>>>>>>>>> 781-981-2975
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>>>>>>>>
>>>>>>>>>>> Could you run that under gdb and provide us with a backtrace
>>>>>>>>>>> when it crashes?
>>>>>>>>>>>
>>>>>>>>>>> -Brendan
>>>>>>>>>>>
>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>> Excuse me, I have a question about the taint
>>>>>>>>>>>> plugin: (stringsearch:name=***;taint:tainted_instructions=1)
>>>>>>>>>>>> When I started it, it showed success:
>>>>>>>>>>>>
>>>>>>>>>>>> but when it finished searching, it showed "uninit taint plugin
>>>>>>>>>>>> segmentation fault"
>>>>>>>>>>>>
>>>>>>>>>>>> How can I fix it?
>>>>>>>>>>>> Thanks a lot!
>>>>>>>>>>>> --
>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>
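The thread repeatedly asks for a gdb backtrace of the crashing qemu-system-arm run. Below is an added example, not code from the PANDA project or from anyone in this thread, that scripts that step: it runs the command under gdb in batch mode so the backtrace is captured without typing "bt" by hand, then extracts the signal and frame list from the saved gdb output. It assumes gdb is on PATH; the qemu path, record name, plugin string and the -replay/-panda/-pandalog flags in the demo driver are placeholders modelled on the command lines quoted above, not verified against any particular PANDA revision.

```shell
#!/bin/sh
# Added example, not code from the PANDA project or from this thread.
# Runs a crashing PANDA invocation under gdb non-interactively and pulls
# the signal and backtrace out of the saved gdb output. Assumes gdb is on
# PATH. Qemu path, record name, plugin string and -replay/-panda/-pandalog
# flags in the demo driver are placeholders modelled on the thread.

# Run a command under gdb in batch mode: gdb starts it, and if it dies on
# a signal, "bt" prints the backtrace. Everything gdb prints goes to the
# log file; the function returns gdb's exit status.
#   run_under_gdb gdb.log arm-softmmu/qemu-system-arm -replay rec ...
run_under_gdb() {
    log="$1"
    shift
    gdb -batch -ex run -ex bt --args "$@" >"$log" 2>&1
}

# Print the signal gdb reported, e.g. "SIGSEGV, Segmentation fault";
# prints nothing if the program exited normally.
crash_signal() {
    sed -n 's/^Program received signal \(.*\)\.$/\1/p' "$1" | head -n 1
}

# Print the backtrace frames (#0, #1, ...) in order, one per line.
backtrace_frames() {
    grep '^#[0-9][0-9]* ' "$1"
}

# Number of frames captured; 0 means gdb had no stack to show.
frame_count() {
    backtrace_frames "$1" | wc -l | tr -d ' '
}

# Function name in the innermost frame (#0), whether or not gdb printed a
# code address ("0x... in") before it.
crashing_function() {
    backtrace_frames "$1" | head -n 1 \
        | sed -e 's/^#0 *//' -e 's/^0x[0-9a-fA-F]* in //' -e 's/ .*//'
}

# Demo driver, only when invoked as: sh panda-gdb.sh --run
# Placeholder PANDA command line modelled on the thread (assumed flags).
if [ "${1-}" = "--run" ]; then
    run_under_gdb panda-gdb.log arm-softmmu/qemu-system-arm \
        -replay myrecording \
        -panda 'stringsearch:name=pk;taint2:tainted_instructions=1' \
        -pandalog taint.plog || true
    if [ "$(frame_count panda-gdb.log)" = "0" ]; then
        echo "no crash captured; see panda-gdb.log"
    else
        echo "crashed with: $(crash_signal panda-gdb.log)"
        echo "innermost frame: $(crashing_function panda-gdb.log)"
        backtrace_frames panda-gdb.log
    fi
fi
```

Because gdb exits after the batch commands, the script works unattended on a long replay; if the run finishes without a crash, "bt" prints "No stack." and frame_count reports 0, which tells you the segfault did not reproduce rather than silently giving an empty trace.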
[Attachments scrubbed by the list archive: an HTML copy of the message and nine screenshots (qtainted3.png, gdb1-2.png, tainted1.jpg, qtainted1.png, qqtaint1.png, qtainted2.png, qqtaint2.png, qtainted4.png, gdb2.png).]