[panda-users] taint segmentation fault

xiaojuan Li xiaotan6666 at gmail.com
Sun Apr 12 22:35:04 EDT 2015


Thanks!
Here are the contents of build.sh:
#!/bin/bash

set -e

# creates api code for plugins
python ../scripts/apigen.py

# creates pandalog code
sh ./pp.sh


# only
LLVM_BIT=""
if [ -e ../llvm/Release ]
then
  echo "Found ../llvm -- LLVM SUPPORT IS ENABLED"
  llvm=`/bin/readlink -f ../llvm/Release`
  LLVM_BIT="--enable-llvm --with-llvm=$llvm"
else
  if llvm-config --version >/dev/null 2>/dev/null && [ $(llvm-config --version) == "3.3" ]
  then
    echo "Found system llvm -- LLVM SUPPORT IS ENABLED"
    LLVM_BIT="--enable-llvm --with-llvm=$(llvm-config --prefix)"
  else
    if llvm-config-3.3 --version >/dev/null 2>/dev/null
    then
      echo "Found system llvm -- LLVM SUPPORT IS ENABLED"
      LLVM_BIT="--enable-llvm --with-llvm=$(llvm-config-3.3 --prefix)"
    else
      echo "No llvm dir found -- LLVM SUPPORT IS DISABLED"
    fi
  fi
fi

echo $LLVM_BIT
./configure --target-list=x86_64-softmmu,i386-softmmu,arm-softmmu \
#./configure --target-list=arm-softmmu \
--prefix=`pwd`/install \
--disable-pie \
--disable-xen \
--disable-libiscsi \
--enable-android \
$LLVM_BIT \
--extra-cflags="-O2 -I/usr/local/include" \
--extra-cxxflags="-O2" \
--extra-ldflags="-L/usr/local/lib -L/usr/local/lib64 -L/usr/local/lib -lprotobuf-c -lprotobuf -lpthread"

make -j $(nproc)


2015-04-13 10:28 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:

> Could you paste the contents of your build.sh (perhaps using something
> like pastebin)? It looks like something has gone wrong with it; the install
> prefix is supposed to be set to somewhere under the current directory, not
> a system directory.
>
> -Brendan
>
> On Sun, Apr 12, 2015 at 10:23 PM, xiaojuan Li <xiaotan6666 at gmail.com>
> wrote:
>
>> And the question is:
>>
>>
>> Is it contradictory?
>> And I am confused about when and how /qemu/install is created?
>> Thanks!
>>
>>
>> 2015-04-13 9:40 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>
>>> Thanks first!
>>> Yeah, the thing is: when I rebuild panda, I modify configure's
>>> option --target=arm_softmmu in build.sh.
>>> And now I just restart: make clean, run build.sh; it just shows "no
>>> /qemu/install" directory.
>>> I find that it may be caused by llvm and android support (I am now trying to
>>> solve it).
>>> My system is 64-bit; here is the info:
>>>
>>>
>>> Thanks again!
>>>
>>> 2015-04-13 4:04 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>
>>>> A few things:
>>>>
>>>> 1. Did you make sure to do a make clean and then re-run build.sh after
>>>> updating? I got a segfault just after taint was turned on as well until I
>>>> did a make clean and re-ran build.sh.
>>>> 2. Are you running this on a 64-bit system? What kernel version?
>>>>
>>>> -Brendan
>>>>
>>>> On Sun, Apr 12, 2015 at 9:16 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>> wrote:
>>>>
>>>>> Any suggestions about the segmentation fault?
>>>>> And after my test, I made sure it is not caused by insufficient memory.
>>>>> Thanks a lot!
>>>>>
>>>>> 2015-04-11 11:59 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>
>>>>>> Excuse me:
>>>>>> I tried to fix the segmentation error
>>>>>> and found this piece of code:
>>>>>>
>>>>>> Do you mean that it doesn't support such a large byte, or that it doesn't
>>>>>> support Android ARM?
>>>>>> In the doc I noticed that network tainting is not supported for the ARM
>>>>>> architecture, and the string I tainted was something that may go through the
>>>>>> network.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> 2015-04-09 21:30 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>
>>>>>>> Now that the panda taint.md is not fresh, can you guys give me some
>>>>>>> help?
>>>>>>> I use the replay plugin; here is my command and the result.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> The content of pk_search_strings.txt is: "sdt"
>>>>>>>
>>>>>>> I am confused here: in the paper "Repeatable reverse with panda":
>>>>>>> it is clear that if I use the stringsearch and taint plugin, when it
>>>>>>> matches, the taint label will be put and then taint action will start. But
>>>>>>> when I use it, it seems wrong (the picture showed before): no taint action
>>>>>>> executes, and I am confused about the stringsearch's result.
>>>>>>> How can I use it for analysis?
>>>>>>> Thanks a lot!
>>>>>>>
>>>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>
>>>>>>>> I get the replay file by running the runandroid script, and I use the
>>>>>>>> qemu-system-arm command just to do some replay work.
>>>>>>>> I may not understand you at all in this email. Do you mean that I
>>>>>>>> should gdb the original program rather than the record file?
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>
>>>>>>>>> Hmm. gdb should normally stop when you get a segfault.
>>>>>>>>>
>>>>>>>>> Are you by any chance running PANDA using the runandroid script?
>>>>>>>>> If so, you will need to instead invoke PANDA manually, i.e.:
>>>>>>>>>
>>>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>>>>>>>
>>>>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>>>>>>>>> backtrace.
>>>>>>>>>
>>>>>>>>> -Brendan
>>>>>>>>>
>>>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com
>>>>>>>>> > wrote:
>>>>>>>>>
>>>>>>>>>> When running gdb, it shows:
>>>>>>>>>> And then I see the log; it shows a segfault:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>
>>>>>>>>>>> Maybe I am wrong.
>>>>>>>>>>> I use the command
>>>>>>>>>>> line: "taint2:label_mode=binary,query_outgoing_network=1" and I found that
>>>>>>>>>>> when I use taint2, after it loads panda_taint2.so, it
>>>>>>>>>>> shows: "taint2:instructed not to inline taint ops .success".
>>>>>>>>>>>
>>>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>>
>>>>>>>>>>>> OK.
>>>>>>>>>>>> 1. I want to use the taint plugin to get information about some
>>>>>>>>>>>> functions (of course, they are closed-source), so I think I can stringsearch
>>>>>>>>>>>> potential data and then taint them, and next I can locate the functions
>>>>>>>>>>>> which solve these data.
>>>>>>>>>>>>
>>>>>>>>>>>> 2. The command line I used is: stringsearch:name=***;
>>>>>>>>>>>> taint2:tainted_instructions=1.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>>
>>>>>>>>>>>>> Could you provide:
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1. What information you're trying to get
>>>>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2
>>>>>>>>>>>>> plugin
>>>>>>>>>>>>>
>>>>>>>>>>>>> ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Right now I believe taint2 does not produce very much output
>>>>>>>>>>>>> by default. Instead you use the -pandalog <filename> command line option,
>>>>>>>>>>>>> and taint2 will write its results there in pandalog format; you can then
>>>>>>>>>>>>> read them using pandalog_reader (see panda/pandalog_reader.c for details on
>>>>>>>>>>>>> that tool).
>>>>>>>>>>>>>
>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <
>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> When I tried taint2, it showed the same error as taint1; the
>>>>>>>>>>>>>> only difference is that taint2 has no segfault error, just uninit taint
>>>>>>>>>>>>>> plugin.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Could you be a little more descriptive about how it failed?
>>>>>>>>>>>>>>> Segfault? Error message? Incorrect output?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li <
>>>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I tried taint2 too; it failed.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL <
>>>>>>>>>>>>>>>> tleek at ll.mit.edu>:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>>>>>>>>>>>>>>>>>  “taint2” is the one we are actively using and developing.
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Tim Leek
>>>>>>>>>>>>>>>>> Technical Staff
>>>>>>>>>>>>>>>>> Cyber System Assessments
>>>>>>>>>>>>>>>>> MIT Lincoln Laboratory
>>>>>>>>>>>>>>>>> 781-981-2975
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a
>>>>>>>>>>>>>>>>> backtrace when it crashes?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <
>>>>>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
>>>>>>>>>>>>>>>>>> plugin: (stringsearch:name=***;taint:tainted_instructions=1)
>>>>>>>>>>>>>>>>>> When I started it, it showed success:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> But when it finished searching, it showed "uninit taint plugin
>>>>>>>>>>>>>>>>>> segementation fault"
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> How can I fix it?
>>>>>>>>>>>>>>>>>> Thanks a lot!
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>> panda-users mailing list
>>>>>>>>>>>>>>>> panda-users at mit.edu
>>>>>>>>>>>>>>>> http://mailman.mit.edu/mailman/listinfo/panda-users
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> wait and hope~~
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> wait and hope~~
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> wait and hope~~
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> wait and hope~~
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> wait and hope~~
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> wait and hope~~
>>>
>>
>>
>>
>> --
>> wait and hope~~
>>
>
>


-- 
wait and hope~~
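In the build.sh pasted at the top of this message, the commented-out `#./configure --target-list=arm-softmmu \` line sits inside the backslash-continued configure command; a `#` ends the continuation, so configure receives only the target list and the option lines after the comment, `--prefix=\`pwd\`/install` included, never reach it. The following shell example is added here and is not from the thread or the PANDA project: it shows the effect with a stand-in `configure` function and a small awk check that flags the pattern; the function names and the sample script are constructed.

```shell
# Added example (not from the thread): the effect of a '#' line inside a
# backslash-continued command, as in the pasted build.sh, plus a lint check.

# Stand-in "configure" that only reports how many arguments it received.
# The comment line ends the continuation, so only the first line reaches it,
# and the following "--disable-pie" runs as a separate, failing command.
args_seen_with_comment_inside() {
    sh -c '
        configure() { echo $#; }
        configure --target-list=arm-softmmu \
#       --prefix=/tmp/install \
        --disable-pie
    ' 2>/dev/null | head -n1
}

# Same command with the comment moved above it: every option arrives.
args_seen_with_comment_outside() {
    sh -c '
        configure() { echo $#; }
#       --prefix=/tmp/install
        configure --target-list=arm-softmmu \
        --disable-pie
    ' 2>/dev/null | head -n1
}

# Lint: print "LINE: text" for each line that starts with '#' while the
# previous line ended with a backslash. Reads the script on stdin.
comments_inside_continuations() {
    awk '
        { stripped = $0; sub(/^[ \t]+/, "", stripped)
          if (prev_cont && stripped ~ /^#/) printf "%d: %s\n", NR, $0
          prev_cont = ($0 ~ /\\$/) }
    '
}

# Constructed sample with the same shape as the build.sh in the thread.
count_hits_in_sample() {
    comments_inside_continuations <<'EOF' | wc -l | tr -d ' '
./configure --target-list=x86_64-softmmu,arm-softmmu \
#./configure --target-list=arm-softmmu \
--prefix=`pwd`/install \
--disable-pie
EOF
}

count_hits_in_sample   # prints 1
```

Running the lint over a real build.sh (`comments_inside_continuations < build.sh`) reports the offending line number; moving the commented-out alternative above the command restores the full option list.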