[panda-users] taint segmentation fault

xiaojuan Li xiaotan6666 at gmail.com
Sun Apr 12 22:49:57 EDT 2015


Oops, sorry for the trouble.
Thanks very much for your patience!

2015-04-13 10:37 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:

> You need to remove this line:
>
> #./configure --target-list=arm-softmmu \
>
> Right now it is causing bash to ignore all of the configure options that
> come after it.
>
> -Brendan
>
> On Sun, Apr 12, 2015 at 10:35 PM, xiaojuan Li <xiaotan6666 at gmail.com>
> wrote:
>
>> thanks!
>> here is the contents of build.sh:
>> #!/bin/bash
>>
>> set -e
>>
>> # creates api code for plugins
>> python ../scripts/apigen.py
>>
>> # creates pandalog code
>> sh ./pp.sh
>>
>>
>> # only
>> LLVM_BIT=""
>> if [ -e ../llvm/Release ]
>> then
>>   echo "Found ../llvm -- LLVM SUPPORT IS ENABLED"
>>   llvm=`/bin/readlink -f ../llvm/Release`
>>   LLVM_BIT="--enable-llvm --with-llvm=$llvm"
>> else
>>   if llvm-config --version >/dev/null 2>/dev/null && [ $(llvm-config --version) == "3.3" ]
>>   then
>>     echo "Found system llvm -- LLVM SUPPORT IS ENABLED"
>>     LLVM_BIT="--enable-llvm --with-llvm=$(llvm-config --prefix)"
>>   else
>>     if llvm-config-3.3 --version >/dev/null 2>/dev/null
>>     then
>>       echo "Found system llvm -- LLVM SUPPORT IS ENABLED"
>>       LLVM_BIT="--enable-llvm --with-llvm=$(llvm-config-3.3 --prefix)"
>>     else
>>       echo "No llvm dir found -- LLVM SUPPORT IS DISABLED"
>>     fi
>>   fi
>> fi
>>
>> echo $LLVM_BIT
>> ./configure --target-list=x86_64-softmmu,i386-softmmu,arm-softmmu \
>> #./configure --target-list=arm-softmmu \
>> --prefix=`pwd`/install \
>> --disable-pie \
>> --disable-xen \
>> --disable-libiscsi \
>> --enable-android \
>> $LLVM_BIT \
>> --extra-cflags="-O2 -I/usr/local/include" \
>> --extra-cxxflags="-O2" \
>> --extra-ldflags="-L/usr/local/lib -L/usr/local/lib64 -L/usr/local/lib -lprotobuf-c -lprotobuf -lpthread"
>>
>> make -j $(nproc)
>>
>>
>> 2015-04-13 10:28 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>
>>> Could you paste the contents of your build.sh (perhaps using something
>>> like pastebin)? It looks like something has gone wrong with it; the install
>>> prefix is supposed to be set to somewhere under the current directory, not
>>> a system directory.
>>>
>>> -Brendan
>>>
>>> On Sun, Apr 12, 2015 at 10:23 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>> wrote:
>>>
>>>> and the question is:
>>>>
>>>>
>>>> Is this contradictory?
>>>> And I am confused about when and how /qemu/install gets created.
>>>> Thanks!
>>>>
>>>>
>>>> 2015-04-13 9:40 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>
>>>>> Thanks first!
>>>>> Yeah, the thing is: when I rebuilt panda, I modified configure's
>>>>> option --target=arm_softmmu in build.sh.
>>>>> And now I just restarted: make clean, run build.sh, and it just shows "no
>>>>> /qemu/install" directory.
>>>>> I find that may be caused by llvm and android support. (I am now trying to
>>>>> solve it.)
>>>>> My system is 64-bit; here is the info:
>>>>>
>>>>>
>>>>> Thanks again!
>>>>> 2015-04-13 4:04 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>>>
>>>>>> A few things:
>>>>>>
>>>>>> 1. Did you make sure to do a make clean and then re-run build.sh
>>>>>> after updating? I got a segfault just after taint was turned on as well
>>>>>> until I did a make clean and re-ran build.sh.
>>>>>> 2. Are you running this on a 64-bit system? What kernel version?
>>>>>>
>>>>>> -Brendan
>>>>>>
>>>>>> On Sun, Apr 12, 2015 at 9:16 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Any suggestions about the segmentation fault?
>>>>>>> And after my test, I made sure it is not caused by insufficient
>>>>>>> memory.
>>>>>>> Thanks a lot!
>>>>>>>
>>>>>>> 2015-04-11 11:59 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>
>>>>>>>> Excuse me:
>>>>>>>> I tried to fix the segmentation error
>>>>>>>> and found this piece of code:
>>>>>>>>
>>>>>>>> Do you mean that it doesn't support such a large byte count? Or that it doesn't
>>>>>>>> support Android ARM?
>>>>>>>> In the doc I noticed that network tainting is not supported for the ARM
>>>>>>>> architecture, and the string I tainted was something that may go through the
>>>>>>>> network.
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> 2015-04-09 21:30 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>
>>>>>>>>> Now that the panda taint.md is not fresh, can you guys give me
>>>>>>>>> some help?
>>>>>>>>> I use the replay plugin; here is my command and the result.
>>>>>>>>>
>>>>>>>>> The content of pk_search_strings.txt is: "sdt"
>>>>>>>>>
>>>>>>>>> I am confused here: in the paper "Repeatable reverse with panda"
>>>>>>>>> it is clear that if I use the stringsearch and taint plugins, when
>>>>>>>>> it matches, the taint label will be applied and then taint action will
>>>>>>>>> start. But when I use it, it seems wrong (see the picture shown before): no taint
>>>>>>>>> action executes, and I am confused about tstringsearch's result.
>>>>>>>>> How can I use it for analysis?
>>>>>>>>> Thanks a lot!
>>>>>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>
>>>>>>>>>> I got the replay file by running the runandroid script, and I use the
>>>>>>>>>> qemu-system-arm command just to do some replay work.
>>>>>>>>>> I may not understand you at all in this email. Do you mean that I
>>>>>>>>>> should gdb the original program rather than the record file?
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>
>>>>>>>>>>> Hmm. gdb should normally stop when you get a segfault.
>>>>>>>>>>>
>>>>>>>>>>> Are you by any chance running PANDA using the runandroid script?
>>>>>>>>>>> If so, you will need to instead invoke PANDA manually, i.e.:
>>>>>>>>>>>
>>>>>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>>>>>>>>>
>>>>>>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>>>>>>>>>>> backtrace.
>>>>>>>>>>>
>>>>>>>>>>> -Brendan
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <
>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> When I ran gdb, it showed:
>>>>>>>>>>>> and then I looked at the log; it shows a segfault:
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>>>
>>>>>>>>>>>>> Maybe I am wrong.
>>>>>>>>>>>>> I use the command
>>>>>>>>>>>>> line "taint2:label_mode=binary,query_outgoing_network=1" and I found that
>>>>>>>>>>>>> when I use taint2, after it loads panda_taint2.so, it
>>>>>>>>>>>>> shows: "taint2:instructed not to inline taint ops .success".
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> OK.
>>>>>>>>>>>>>> 1. I want to use the taint plugin to get information about some
>>>>>>>>>>>>>> functions (of course, they are closed-source), so I think I can stringsearch
>>>>>>>>>>>>>> for potential data and then taint it, and next I can locate the functions
>>>>>>>>>>>>>> which handle this data.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2. The command line I used is: stringsearch:name=***;
>>>>>>>>>>>>>> taint2:tainted_instructions=1.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Could you provide:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 1. What information you're trying to get
>>>>>>>>>>>>>>> 2. The command line you're using to run PANDA with the
>>>>>>>>>>>>>>> taint2 plugin
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Right now I believe taint2 does not produce very much output
>>>>>>>>>>>>>>> by default. Instead you use the -pandalog <filename> command line option,
>>>>>>>>>>>>>>> and taint2 will write its results there in pandalog format; you can then
>>>>>>>>>>>>>>> read them using pandalog_reader (see panda/pandalog_reader.c for details on
>>>>>>>>>>>>>>> that tool).
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <
>>>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> When I tried taint2, it showed the same error as taint1;
>>>>>>>>>>>>>>>> the only difference is that taint2 has no segfault error, just "uninit taint
>>>>>>>>>>>>>>>> plugin".
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Could you be a little more descriptive about how it
>>>>>>>>>>>>>>>>> failed? Segfault? Error message? Incorrect output?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li <
>>>>>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I tried taint2 too; it failed.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL <
>>>>>>>>>>>>>>>>>> tleek at ll.mit.edu>:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>>>>>>>>>>>>>>>>>>> “taint2” is the one we are actively using and developing.
>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>> Tim Leek
>>>>>>>>>>>>>>>>>>> Technical Staff
>>>>>>>>>>>>>>>>>>> Cyber System Assessments
>>>>>>>>>>>>>>>>>>> MIT Lincoln Laboratory
>>>>>>>>>>>>>>>>>>> 781-981-2975
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>>>>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a
>>>>>>>>>>>>>>>>>>> backtrace when it crashes?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <
>>>>>>>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
>>>>>>>>>>>>>>>>>>>> plugin (stringsearch:name=***;taint:tainted_instructions=1).
>>>>>>>>>>>>>>>>>>>> When I started it, it showed success:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> But when it finished searching, it showed "uninit taint
>>>>>>>>>>>>>>>>>>>> plugin segmentation fault".
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> How can I fix it?
>>>>>>>>>>>>>>>>>>>> Thanks a lot!
>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>>>> panda-users mailing list
>>>>>>>>>>>>>>>>>> panda-users at mit.edu
>>>>>>>>>>>>>>>>>> http://mailman.mit.edu/mailman/listinfo/panda-users


-- 
wait and hope~~
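The build.sh mistake Brendan diagnoses above, reproduced as an added example (this is not code from the thread or from PANDA): a commented-out line placed inside a backslash-continued command terminates that command, so every option after the comment is handed to a different command instead of ./configure. `fake_configure`, `broken`, `fixed` and the helper functions are mine; `fake_configure` is an assumed stand-in for ./configure that only echoes the options it received.

```bash
#!/bin/bash
# Added example, not code from the thread or from PANDA.
# 'fake_configure' stands in for ./configure and echoes its options, one per line.
fake_configure() { printf '%s\n' "$@"; }

# Broken form (the shape of the posted build.sh). The trailing backslash on
# the '#' line is part of the comment, so it does not continue the command:
# fake_configure sees only --target-list, and "--prefix=... --disable-pie"
# is run as a separate command, which fails with "command not found".
# stderr is discarded and the failure swallowed here so the demo continues.
broken() {
    fake_configure --target-list=x86_64-softmmu,i386-softmmu,arm-softmmu \
    #fake_configure --target-list=arm-softmmu \
    --prefix="$PWD/install" \
    --disable-pie 2>/dev/null || true
}

# Fixed form: keep alternative invocations as comments *outside* the
# continued command (or delete them, as suggested in the thread).
fixed() {
    # Alternative kept for reference; it must not sit inside the command:
    # fake_configure --target-list=arm-softmmu ...
    fake_configure --target-list=x86_64-softmmu,i386-softmmu,arm-softmmu \
    --prefix="$PWD/install" \
    --disable-pie
}

# Count lines of stdin without depending on wc's output padding.
count_lines() {
    local n=0
    while IFS= read -r _; do n=$((n + 1)); done
    echo "$n"
}

# Pre-build sanity check: did --prefix actually reach configure?
# Returns 0 when the named invocation passed a --prefix option.
passes_prefix() { "$1" | grep -q -- '--prefix='; }

echo "broken form passes $(broken | count_lines) option(s):"
broken
echo "fixed form passes $(fixed | count_lines) option(s):"
fixed
```

Run with bash or sh. The broken form prints a single option, the fixed form prints three; the same check against the real script (temporarily replacing ./configure with an echoing stub, or reading config-host.mak afterwards) shows immediately whether --prefix and the --enable-llvm options survived the edit.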
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/d6dc1e33/attachment-0001.htm
-------------- next part --------------
Non-text attachments were scrubbed (all image/png unless noted):
qqtaint1.png (25300 bytes): http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/d6dc1e33/attachment-0012.png
feedback-1.png (7765 bytes): http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/d6dc1e33/attachment-0013.png
qtainted52.png (134012 bytes): http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/d6dc1e33/attachment-0014.png
gdb2.png (194887 bytes): http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/d6dc1e33/attachment-0015.png
feedback.png (9580 bytes): http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/d6dc1e33/attachment-0016.png
qtainted4.png (90587 bytes): http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/d6dc1e33/attachment-0017.png
tainted1.jpg (image/jpeg, 63070 bytes): http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/d6dc1e33/attachment-0002.jpg
qqtaint2.png (12246 bytes): http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/d6dc1e33/attachment-0018.png
gdb1-2.png (13244 bytes): http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/d6dc1e33/attachment-0019.png
feedback1.png (6903 bytes): http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/d6dc1e33/attachment-0020.png
qtainted2.png (118621 bytes): http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/d6dc1e33/attachment-0021.png
qtainted3.png (106030 bytes): http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/d6dc1e33/attachment-0022.png
qtainted1.png (99277 bytes): http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/d6dc1e33/attachment-0023.png
fast_shad.jpg (image/jpeg, 57614 bytes): http://mailman.mit.edu/mailman/private/panda-users/attachments/20150413/d6dc1e33/attachment-0003.jpg