[panda-users] taint segmentation fault

Brendan Dolan-Gavitt brendandg at gatech.edu
Sun Apr 12 22:28:36 EDT 2015


Could you paste the contents of your build.sh (perhaps using something like
pastebin)? It looks like something has gone wrong with it; the install
prefix is supposed to be set to somewhere under the current directory, not
a system directory.

-Brendan

On Sun, Apr 12, 2015 at 10:23 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:

> And the question is:
>
>
> Is it contradictory?
> And I am confused about when and how /qemu/install gets created?
> Thanks!
>
>
> 2015-04-13 9:40 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>
>> Thanks first!
>> Yeah, the thing is: when I rebuild PANDA, I modify configure's
>> option --target=arm_softmmu in build.sh.
>> And now I just restart: make clean, run build.sh; it just shows "no
>> /qemu/install" directory.
>> I find that may be caused by LLVM and Android support (I am now trying to
>> solve it).
>> My system is 64-bit; here is the info:
>>
>>
>> Thanks again!
>> 2015-04-13 4:04 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>
>>> A few things:
>>>
>>> 1. Did you make sure to do a make clean and then re-run build.sh after
>>> updating? I got a segfault just after taint was turned on as well until I
>>> did a make clean and re-ran build.sh.
>>> 2. Are you running this on a 64-bit system? What kernel version?
>>>
>>> -Brendan
>>>
>>> On Sun, Apr 12, 2015 at 9:16 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>>> wrote:
>>>
>>>> Any suggestions about the segmentation fault?
>>>> And after my test, I made sure it is not caused by insufficient memory.
>>>> Thanks a lot!
>>>>
>>>> 2015-04-11 11:59 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>
>>>>> Excuse me:
>>>>> I tried to fix the segmentation error
>>>>> and found this piece of code:
>>>>>
>>>>> Do you mean that it doesn't support so many bytes? Or that it doesn't
>>>>> support Android ARM?
>>>>> In the doc I noticed that network tainting is not supported for the ARM
>>>>> architecture, and the string I tainted was something that may go through the
>>>>> network.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> 2015-04-09 21:30 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>
>>>>>> Now that the PANDA taint.md is not fresh, can you guys give me some
>>>>>> help?
>>>>>> I use the replay plugin; here is my command and the result.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> The content of pk_search_strings.txt is: "sdt"
>>>>>>
>>>>>> I am confused here: in the paper "Repeatable reverse with PANDA"
>>>>>> it is clear that if I use the stringsearch and taint plugins, when it
>>>>>> matches, the taint label will be applied and then the taint action will start. But
>>>>>> when I use it, it seems wrong (the picture shown before): no taint action
>>>>>> executes, and I am confused about tstringsearch's result.
>>>>>> How can I use it for analysis?
>>>>>> Thanks a lot!
>>>>>>
>>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>
>>>>>>> I get the replay file by running the runandroid script, and I use the
>>>>>>> qemu-system-arm command just to do some replay work.
>>>>>>> I may not understand you at all in this email. Do you mean that I
>>>>>>> should gdb the original program rather than the record file?
>>>>>>> Thanks
>>>>>>>
>>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu
>>>>>>> >:
>>>>>>>
>>>>>>>> Hmm. gdb should normally stop when you get a segfault.
>>>>>>>>
>>>>>>>> Are you by any chance running PANDA using the runandroid script? If
>>>>>>>> so, you will need to instead invoke PANDA manually, i.e.:
>>>>>>>>
>>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>>>>>>
>>>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>>>>>>>> backtrace.
>>>>>>>>
>>>>>>>> -Brendan
>>>>>>>>
>>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> When I run gdb, it shows:
>>>>>>>>> And then I see the log; it shows a segfault:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>
>>>>>>>>>> Maybe I am wrong.
>>>>>>>>>> I use the command
>>>>>>>>>> line "taint2:label_mode=binary,query_outgoing_network=1" and I found that
>>>>>>>>>> when I use taint2, after it loads panda_taint2.so, it
>>>>>>>>>> shows: "taint2:instructed not to inline taint ops .success".
>>>>>>>>>>
>>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>
>>>>>>>>>>> OK.
>>>>>>>>>>> 1. I want to use the taint plugin to get information about some
>>>>>>>>>>> functions (of course, it is closed-source), so I think I can stringsearch
>>>>>>>>>>> potential data and then taint it, and next I can locate the functions
>>>>>>>>>>> which handle this data.
>>>>>>>>>>>
>>>>>>>>>>> 2. The command line I used is: stringsearch:name=***;
>>>>>>>>>>> taint2:tainted_instructions=1.
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>
>>>>>>>>>>>> Could you provide:
>>>>>>>>>>>>
>>>>>>>>>>>> 1. What information you're trying to get
>>>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2
>>>>>>>>>>>> plugin
>>>>>>>>>>>>
>>>>>>>>>>>> ?
>>>>>>>>>>>>
>>>>>>>>>>>> Right now I believe taint2 does not produce very much output by
>>>>>>>>>>>> default. Instead you use the -pandalog <filename> command line option, and
>>>>>>>>>>>> taint2 will write its results there in pandalog format; you can then read
>>>>>>>>>>>> them using pandalog_reader (see panda/pandalog_reader.c for details on that
>>>>>>>>>>>> tool).
>>>>>>>>>>>>
>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <
>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> When I tried taint2, it showed the same error as taint1; the
>>>>>>>>>>>>> only difference is that taint2 has no segfault error, just "uninit taint
>>>>>>>>>>>>> plugin".
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Could you be a little more descriptive about how it failed?
>>>>>>>>>>>>>> Segfault? Error message? Incorrect output?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li <
>>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I tried taint2 too; it failed.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL <
>>>>>>>>>>>>>>> tleek at ll.mit.edu>:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>>>>>>>>>>>>>>>>  “taint2” is the one we are actively using and developing.
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Tim Leek
>>>>>>>>>>>>>>>> Technical Staff
>>>>>>>>>>>>>>>> Cyber System Assessments
>>>>>>>>>>>>>>>> MIT Lincoln Laboratory
>>>>>>>>>>>>>>>> 781-981-2975
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a
>>>>>>>>>>>>>>>> backtrace when it crashes?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <
>>>>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
>>>>>>>>>>>>>>>>> plugin (stringsearch:name=***;taint:tainted_instructions=1):
>>>>>>>>>>>>>>>>> When I started it, it showed success:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> But when it finished searching, it showed "uninit taint plugin
>>>>>>>>>>>>>>>>> segmentation fault"
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> How can I fix it?
>>>>>>>>>>>>>>>>> Thanks a lot!
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> wait and hope~~