[panda-users] taint segmentation fault

xiaojuan Li xiaotan6666 at gmail.com
Sun Apr 12 22:23:10 EDT 2015


and the question is:


Is it contradictory?
And I am confused about when and how /qemu/install is created?
Thanks!


2015-04-13 9:40 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:

> Thanks first!
> Yeah, the thing is: when I rebuild PANDA, I modified configure's
> option --target=arm_softmmu in build.sh.
> And now I just restart: make clean, run build.sh; it just shows "no
> /qemu/install directory".
> I find that it may be caused by LLVM and Android support. (I am now trying to
> solve it.)
> My system is 64-bit; here is the info:
>
>
> Thanks again!
>
> 2015-04-13 4:04 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>
>> A few things:
>>
>> 1. Did you make sure to do a make clean and then re-run build.sh after
>> updating? I got a segfault just after taint was turned on as well until I
>> did a make clean and re-ran build.sh.
>> 2. Are you running this on a 64-bit system? What kernel version?
>>
>> -Brendan
>>
>> On Sun, Apr 12, 2015 at 9:16 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>> wrote:
>>
>>> Any suggestions about the segmentation fault?
>>> And after my test, I made sure it is not caused by insufficient memory.
>>> Thanks a lot!
>>>
>>> 2015-04-11 11:59 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>
>>>> Excuse me:
>>>> I tried to fix the segmentation error
>>>> and found this piece of code:
>>>>
>>>> Do you mean that it doesn't support such large bytes? Or that it doesn't
>>>> support Android ARM?
>>>> In the doc I noticed that network tainting is not supported for the ARM
>>>> architecture, and the string I tainted was something that may go through the
>>>> network.
>>>>
>>>> Thanks!
>>>>
>>>>
>>>>
>>>> 2015-04-09 21:30 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>
>>>>> Now that the PANDA taint.md is not fresh, can you guys give me some
>>>>> help?
>>>>> I use the replay plugin; here is my command and the result.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> The content of pk_search_strings.txt is: "sdt"
>>>>>
>>>>> I am confused here: in the paper (Repeatable reverse with panda)
>>>>> it is clear that if I use the stringsearch and taint plugin, when it
>>>>> matches, the taint label will be put on and then the taint action will start. But
>>>>> when I use it, it seems wrong (the picture shown before): no taint action
>>>>> executes, and I am confused about the tstringsearch's result.
>>>>> How can I use it for analysis?
>>>>> Thanks a lot!
>>>>>
>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>
>>>>>> I get the replay file by running the runandroid script, and I use the
>>>>>> qemu-system-arm command just to do some replay work.
>>>>>> I may not understand you at all in this email. Do you mean that I
>>>>>> should gdb the original program rather than the record file?
>>>>>> Thanks
>>>>>>
>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>> :
>>>>>>
>>>>>>> Hmm. gdb should normally stop when you get a segfault.
>>>>>>>
>>>>>>> Are you by any chance running PANDA using the runandroid script? If
>>>>>>> so, you will need to instead invoke PANDA manually, i.e.:
>>>>>>>
>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>>>>>
>>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>>>>>>> backtrace.
>>>>>>>
>>>>>>> -Brendan
>>>>>>>
>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> When running gdb, it shows:
>>>>>>>> and then I see the log; it shows a segfault:
>>>>>>>>
>>>>>>>>
>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>
>>>>>>>>> Maybe I am wrong.
>>>>>>>>> I use the command
>>>>>>>>> line "taint2:label_mode=binary,query_outgoing_network=1" and I found that
>>>>>>>>> when I use taint2, after it loads panda_taint2.so, it
>>>>>>>>> shows: "taint2:instructed not to inline taint ops .success".
>>>>>>>>>
>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>
>>>>>>>>>> OK.
>>>>>>>>>> 1. I want to use the taint plugin to get information about some
>>>>>>>>>> functions (of course, they are closed-source), so I think I can stringsearch
>>>>>>>>>> potential data and then taint them, and next I can locate the functions
>>>>>>>>>> which handle these data.
>>>>>>>>>>
>>>>>>>>>> 2. The command line I used is: stringsearch:name=***;
>>>>>>>>>> taint2:tainted_instructions=1.
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>
>>>>>>>>>>> Could you provide:
>>>>>>>>>>>
>>>>>>>>>>> 1. What information you're trying to get
>>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2
>>>>>>>>>>> plugin
>>>>>>>>>>>
>>>>>>>>>>> ?
>>>>>>>>>>>
>>>>>>>>>>> Right now I believe taint2 does not produce very much output by
>>>>>>>>>>> default. Instead you use the -pandalog <filename> command line option, and
>>>>>>>>>>> taint2 will write its results there in pandalog format; you can then read
>>>>>>>>>>> them using pandalog_reader (see panda/pandalog_reader.c for details on that
>>>>>>>>>>> tool).
>>>>>>>>>>>
>>>>>>>>>>> -Brendan
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <
>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> When I tried taint2, it showed the same error as taint1; the
>>>>>>>>>>>> only difference is that taint2 has no segfault error, just "uninit taint
>>>>>>>>>>>> plugin".
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>>
>>>>>>>>>>>>> Could you be a little more descriptive about how it failed?
>>>>>>>>>>>>> Segfault? Error message? Incorrect output?
>>>>>>>>>>>>>
>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li <
>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> I tried taint2 too; it failed.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL <
>>>>>>>>>>>>>> tleek at ll.mit.edu>:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>>>>>>>>>>>>>>> “taint2” is the one we are actively using and developing.
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Tim Leek
>>>>>>>>>>>>>>> Technical Staff
>>>>>>>>>>>>>>> Cyber System Assessments
>>>>>>>>>>>>>>> MIT Lincoln Laboratory
>>>>>>>>>>>>>>> 781-981-2975
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a backtrace
>>>>>>>>>>>>>>> when it crashes?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
>>>>>>>>>>>>>>>> plugin (stringsearch:name=***;taint:tainted_instructions=1).
>>>>>>>>>>>>>>>> When I started it, it showed success:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> But when it finished searching, it showed "uninit taint plugin
>>>>>>>>>>>>>>>> segmentation fault".
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> How can I fix it?
>>>>>>>>>>>>>>>> Thanks a lot!
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> panda-users mailing list
>>>>>>>>>>>>>> panda-users at mit.edu
>>>>>>>>>>>>>> http://mailman.mit.edu/mailman/listinfo/panda-users
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> wait and hope~~
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> wait and hope~~
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> wait and hope~~
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> wait and hope~~
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> wait and hope~~
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> wait and hope~~
>>>>
>>>
>>>
>>>
>>> --
>>> wait and hope~~
>>>
>>
>>
>
>
> --
> wait and hope~~
>



-- 
wait and hope~~
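Brendan's advice in the quoted thread comes down to three steps: confirm a 64-bit host and a clean rebuild (make clean, then build.sh), invoke qemu-system-arm by hand under gdb instead of through the runandroid script, and type bt once it crashes. The script below is an added example; it is not code from the PANDA project or from anyone in this thread. It assumes the source layout the thread describes (a qemu directory containing build.sh, the arm-softmmu/qemu-system-arm binary, and the install/ directory that the build creates); the replay and plugin arguments are whatever you would otherwise pass to qemu-system-arm directly. The gdb batch mode used here (-batch with -ex run and -ex bt) is standard gdb, and prints "No stack." rather than a backtrace if the emulator exits normally.

```shell
#!/bin/sh
# Added example (not PANDA project code): preflight checks plus a
# non-interactive gdb run that captures a backtrace on a segfault.
# Assumed layout: the qemu dir holds build.sh, arm-softmmu/qemu-system-arm
# and the install/ directory produced by build.sh.

# Return 0 if the machine type (output of `uname -m`) is a 64-bit one.
panda_arch_ok() {
    case "$1" in
        x86_64|amd64|aarch64|arm64) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if a finished build is present under the given qemu dir: the ARM
# system binary must be executable and install/ must exist (its absence is
# the "no /qemu/install" symptom mentioned in the thread).
panda_build_present() {
    [ -x "$1/arm-softmmu/qemu-system-arm" ] && [ -d "$1/install" ]
}

# Run the emulator under gdb non-interactively: start it, and when it stops
# (segfault or normal exit) print a backtrace and quit. Output goes to stdout
# so it can be redirected to a file and pasted into a bug report.
# Usage: panda_gdb_backtrace /path/to/qemu-system-arm -replay rec -panda ...
panda_gdb_backtrace() {
    bin="$1"
    shift
    gdb -q -batch -ex run -ex bt --args "$bin" "$@"
}

# Full preflight: host check, build check, then the gdb run.
# Usage: panda_debug_run /path/to/qemu [qemu-system-arm args...]
panda_debug_run() {
    dir="$1"
    shift
    arch=$(uname -m)
    if ! panda_arch_ok "$arch"; then
        echo "not a 64-bit host ($arch, kernel $(uname -r))" >&2
        return 1
    fi
    if ! panda_build_present "$dir"; then
        echo "no complete build under $dir: run 'make clean' and ./build.sh first" >&2
        return 1
    fi
    panda_gdb_backtrace "$dir/arm-softmmu/qemu-system-arm" "$@"
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    panda_debug_run "$@"
fi
```

Redirect the output of panda_debug_run to a file and attach that instead of a screenshot: the text of the backtrace is what the developers need to find the crashing frame.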
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gdb2.png
Type: image/png
Size: 194887 bytes
Desc: not available
Url : http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/873378a2/attachment-0012.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: qtainted1.png
Type: image/png
Size: 99277 bytes
Desc: not available
Url : http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/873378a2/attachment-0013.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: feedback1.png
Type: image/png
Size: 6903 bytes
Desc: not available
Url : http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/873378a2/attachment-0014.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: feedback.png
Type: image/png
Size: 9580 bytes
Desc: not available
Url : http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/873378a2/attachment-0015.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: feedback-1.png
Type: image/png
Size: 7765 bytes
Desc: not available
Url : http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/873378a2/attachment-0016.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: qqtaint1.png
Type: image/png
Size: 25300 bytes
Desc: not available
Url : http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/873378a2/attachment-0017.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: qtainted3.png
Type: image/png
Size: 106030 bytes
Desc: not available
Url : http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/873378a2/attachment-0018.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fast_shad.jpg
Type: image/jpeg
Size: 57614 bytes
Desc: not available
Url : http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/873378a2/attachment-0002.jpg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: qtainted2.png
Type: image/png
Size: 118621 bytes
Desc: not available
Url : http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/873378a2/attachment-0019.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tainted1.jpg
Type: image/jpeg
Size: 63070 bytes
Desc: not available
Url : http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/873378a2/attachment-0003.jpg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: qtainted4.png
Type: image/png
Size: 90587 bytes
Desc: not available
Url : http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/873378a2/attachment-0020.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: qtainted52.png
Type: image/png
Size: 134012 bytes
Desc: not available
Url : http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/873378a2/attachment-0021.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: qqtaint2.png
Type: image/png
Size: 12246 bytes
Desc: not available
Url : http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/873378a2/attachment-0022.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gdb1-2.png
Type: image/png
Size: 13244 bytes
Desc: not available
Url : http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/873378a2/attachment-0023.png