[panda-users] taint segmentation fault

Brendan Dolan-Gavitt brendandg at gatech.edu
Sun Apr 12 23:24:35 EDT 2015


I don't think we've tested it on ARM but I don't see any reason why it
won't work – the taint code doesn't have anything architecture-specific in
it as far as I'm aware.

Tainted data going out on the network should not affect the
tainted_instructions analysis. It is true that taint2 doesn't support
network taint, but that just means that it doesn't have the ability to add
taint labels to incoming network data or query taint outgoing network
packets.

-Brendan

On Sun, Apr 12, 2015 at 11:17 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:

> Just another second.
> You said that when you make clean and rebuild, the segfault is gone. I want
> to know whether you do the replay in qemu-arm, and whether the taint data is
> something that has no business with the network?
> Thanks!
>
>
> 2015-04-13 4:04 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>
>> A few things:
>>
>> 1. Did you make sure to do a make clean and then re-run build.sh after
>> updating? I got a segfault just after taint was turned on as well until I
>> did a make clean and re-ran build.sh.
>> 2. Are you running this on a 64-bit system? What kernel version?
>>
>> -Brendan
>>
>> On Sun, Apr 12, 2015 at 9:16 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>> wrote:
>>
>>> Any suggestions about the segmentation fault?
>>> And after my test, I am sure it is not caused by insufficient memory.
>>> Thanks a lot!
>>>
>>> 2015-04-11 11:59 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>
>>>> Excuse me:
>>>> I tried to fix the segmentation error
>>>> and found this piece of code:
>>>>
>>>> Do you mean that it doesn't support so large a byte? Or that it doesn't
>>>> support Android ARM?
>>>> In the doc I noticed that network tainting is not supported for the ARM
>>>> architecture, and the string I tainted was something that may go through the
>>>> network.
>>>>
>>>> Thanks!
>>>>
>>>> 2015-04-09 21:30 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>
>>>>> Now that the panda taint.md is not fresh, can you guys give me some
>>>>> help?
>>>>> I use the replay plugin; here is my command and the result.
>>>>>
>>>>> The content of pk_search_strings.txt is: "sdt"
>>>>>
>>>>> I am confused here: in the paper "Repeatable reverse with panda"
>>>>> it is clear that if I use the stringsearch and taint plugin, when it
>>>>> matches, the taint label will be put and then the taint action will start. But
>>>>> when I use it, it seems wrong (the picture showed before): no taint action
>>>>> executes, and I am confused about the tstringsearch's result.
>>>>> How can I use it to analyze?
>>>>> Thanks a lot!
>>>>>
>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>
>>>>>> I get the replay file by running the runandroid script, and I use the
>>>>>> qemu-system-arm command just to do some replay work.
>>>>>> I may not understand you at all in this email. Do you mean that I
>>>>>> should gdb the original program rather than the record file?
>>>>>> Thanks
>>>>>>
>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>> :
>>>>>>
>>>>>>> Hmm. gdb should normally stop when you get a segfault.
>>>>>>>
>>>>>>> Are you by any chance running PANDA using the runandroid script? If
>>>>>>> so, you will need to instead invoke PANDA manually, i.e.:
>>>>>>>
>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>>>>>
>>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>>>>>>> backtrace.
>>>>>>>
>>>>>>> -Brendan
>>>>>>>
>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> When I run gdb, it shows:
>>>>>>>> and then I see the log; it shows segfault:
>>>>>>>>
>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>
>>>>>>>>> Maybe I am wrong.
>>>>>>>>> I use the command
>>>>>>>>> line: "taint2:label_mode=binary,query_outgoing_network=1" and I found that
>>>>>>>>> when I use taint2, after it loads panda_taint2.so, it
>>>>>>>>> shows: "taint2:instructed not to inline taint ops .success".
>>>>>>>>>
>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>
>>>>>>>>>> OK.
>>>>>>>>>> 1. I want to use the taint plugin to get information about some
>>>>>>>>>> functions (of course, it is closed-source), so I think I can stringsearch
>>>>>>>>>> potential data and then taint them, and next I can locate the functions
>>>>>>>>>> which handle these data.
>>>>>>>>>>
>>>>>>>>>> 2. The command line I used is: stringsearch:name=***;
>>>>>>>>>> taint2:tainted_instructions=1.
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>
>>>>>>>>>>> Could you provide:
>>>>>>>>>>>
>>>>>>>>>>> 1. What information you're trying to get
>>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2
>>>>>>>>>>> plugin
>>>>>>>>>>>
>>>>>>>>>>> ?
>>>>>>>>>>>
>>>>>>>>>>> Right now I believe taint2 does not produce very much output by
>>>>>>>>>>> default. Instead you use the -pandalog <filename> command line option, and
>>>>>>>>>>> taint2 will write its results there in pandalog format; you can then read
>>>>>>>>>>> them using pandalog_reader (see panda/pandalog_reader.c for details on that
>>>>>>>>>>> tool).
>>>>>>>>>>>
>>>>>>>>>>> -Brendan
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <
>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> When I tried taint2, it showed the same error as taint1; the
>>>>>>>>>>>> only difference is that taint2 has no segfault error, just uninit taint
>>>>>>>>>>>> plugin.
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>>
>>>>>>>>>>>>> Could you be a little more descriptive about how it failed?
>>>>>>>>>>>>> Segfault? Error message? Incorrect output?
>>>>>>>>>>>>>
>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li <
>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> I tried taint2 too; it failed.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL <
>>>>>>>>>>>>>> tleek at ll.mit.edu>:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>>>>>>>>>>>>>>> “taint2” is the one we are actively using and developing.
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Tim Leek
>>>>>>>>>>>>>>> Technical Staff
>>>>>>>>>>>>>>> Cyber System Assessments
>>>>>>>>>>>>>>> MIT Lincoln Laboratory
>>>>>>>>>>>>>>> 781-981-2975
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a backtrace
>>>>>>>>>>>>>>> when it crashes?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
>>>>>>>>>>>>>>>> plugin: (stringsearch:name=***;taint:tainted_instructions=1)
>>>>>>>>>>>>>>>> When I started it, it showed success:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> but when it finished the search, it showed "uninit taint plugin
>>>>>>>>>>>>>>>> segementation fault"
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> How can I fix it?
>>>>>>>>>>>>>>>> Thanks a lot!
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> panda-users mailing list
>>>>>>>>>>>>>> panda-users at mit.edu
>>>>>>>>>>>>>> http://mailman.mit.edu/mailman/listinfo/panda-users
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> wait and hope~~
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> wait and hope~~
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> wait and hope~~
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> wait and hope~~
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> wait and hope~~
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> wait and hope~~
>>>>
>>>
>>>
>>>
>>> --
>>> wait and hope~~
>>>
>>
>>
>
>
> --
> wait and hope~~
>