[panda-users] taint segmentation fault

xiaojuan Li xiaotan6666 at gmail.com
Sun Apr 12 23:27:10 EDT 2015


Thanks first. I cannot either.
It just segfaults while tainting.


2015-04-13 4:52 GMT+08:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>:

> Also, just a check.  Are you able to reproduce the results here?
>
> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>
> --
> Tim Leek
> Technical Staff
> Cyber System Assessments
> MIT Lincoln Laboratory
> 781-981-2975
>
>
> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
> Date: Sunday, April 12, 2015 at 4:04 PM
>
> To: xiaojuan Li <xiaotan6666 at gmail.com>
> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
> Subject: Re: [panda-users] taint segmentation fault
>
> A few things:
>
> 1. Did you make sure to do a make clean and then re-run build.sh after
> updating? I got a segfault just after taint was turned on as well until I
> did a make clean and re-ran build.sh.
> 2. Are you running this on a 64-bit system? What kernel version?
>
> -Brendan
>
> On Sun, Apr 12, 2015 at 9:16 AM, xiaojuan Li <xiaotan6666 at gmail.com>
> wrote:
>
>> Any suggestions about the segmentation fault?
>> And after my test, I made sure it is not caused by insufficient memory.
>> Thanks a lot!
>>
>> 2015-04-11 11:59 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>
>>> Excuse me:
>>> I tried to fix the segmentation error
>>> and found this piece of code:
>>>
>>> Do you mean that it doesn't support such large bytes, or that it isn't
>>> supported for Android ARM?
>>> In the doc I noticed that network tainting is not supported for the ARM
>>> architecture, and the string I tainted was something that may go through the
>>> network.
>>>
>>> Thanks!
>>>
>>> 2015-04-09 21:30 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>
>>>> Now that the PANDA taint.md is not fresh, can you guys give me some
>>>> help?
>>>> I use the replay plugin; here are my command and the result.
>>>>
>>>> The content of pk_search_strings.txt is: "sdt"
>>>>
>>>> I am confused here: in the paper "Repeatable reverse with PANDA"
>>>> it is clear that if I use the stringsearch and taint plugins, when it
>>>> matches, the taint label will be put and then the taint action will start. But
>>>> when I use it, it seems wrong (the picture shown before): no taint action
>>>> executes, and I am confused about tstringsearch's result.
>>>> How can I use it for analysis?
>>>> Thanks a lot!
>>>>
>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>
>>>>> I get the replay file by running the runandroid script, and I use the
>>>>> qemu-system-arm command just to do some replay work.
>>>>> I may not understand you at all in this email. Do you mean that I should
>>>>> gdb the original program rather than the record file?
>>>>> Thanks
>>>>>
>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>>>
>>>>>> Hmm. gdb should normally stop when you get a segfault.
>>>>>>
>>>>>> Are you by any chance running PANDA using the runandroid script? If
>>>>>> so, you will need to instead invoke PANDA manually, i.e.:
>>>>>>
>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>>>>
>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>>>>>> backtrace.
>>>>>>
>>>>>> -Brendan
>>>>>>
>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> When I gdb, it shows:
>>>>>>> and then I see the log; it shows a segfault:
>>>>>>>
>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>
>>>>>>>> Maybe I am wrong.
>>>>>>>> I use the command
>>>>>>>> line "taint2:label_mode=binary,query_outgoing_network=1" and I found that
>>>>>>>> when I use taint2, after it loads panda_taint2.so, it
>>>>>>>> shows: "taint2:instructed not to inline taint ops .success".
>>>>>>>>
>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>
>>>>>>>>> OK.
>>>>>>>>> 1. I want to use the taint plugin to get information about some
>>>>>>>>> functions (of course, they are closed-source), so I think I can stringsearch
>>>>>>>>> potential data and then taint it, and next I can locate the functions
>>>>>>>>> which handle these data.
>>>>>>>>>
>>>>>>>>> 2. The command line I used is: stringsearch:name=***;
>>>>>>>>> taint2:tainted_instructions=1.
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>
>>>>>>>>>> Could you provide:
>>>>>>>>>>
>>>>>>>>>> 1. What information you're trying to get
>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2
>>>>>>>>>> plugin
>>>>>>>>>>
>>>>>>>>>> ?
>>>>>>>>>>
>>>>>>>>>> Right now I believe taint2 does not produce very much output by
>>>>>>>>>> default. Instead you use the -pandalog <filename> command line option, and
>>>>>>>>>> taint2 will write its results there in pandalog format; you can then read
>>>>>>>>>> them using pandalog_reader (see panda/pandalog_reader.c for details on that
>>>>>>>>>> tool).
>>>>>>>>>>
>>>>>>>>>> -Brendan
>>>>>>>>>>
>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <
>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> When I tried taint2, it showed the same error as taint1; the
>>>>>>>>>>> only difference is that taint2 has no segfault error, just "uninit taint
>>>>>>>>>>> plugin".
>>>>>>>>>>>
>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>
>>>>>>>>>>>> Could you be a little more descriptive about how it failed?
>>>>>>>>>>>> Segfault? Error message? Incorrect output?
>>>>>>>>>>>>
>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li <
>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> I tried taint2 too; it failed.
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL <
>>>>>>>>>>>>> tleek at ll.mit.edu>:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>>>>>>>>>>>>>>  “taint2” is the one we are actively using and developing.
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Tim Leek
>>>>>>>>>>>>>> Technical Staff
>>>>>>>>>>>>>> Cyber System Assessments
>>>>>>>>>>>>>> MIT Lincoln Laboratory
>>>>>>>>>>>>>> 781-981-2975
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Could you run that under gdb and provide us with a backtrace
>>>>>>>>>>>>>> when it crashes?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
>>>>>>>>>>>>>>> plugin (stringsearch:name=***;taint:tainted_instructions=1).
>>>>>>>>>>>>>>> When I started it, it showed success:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> but when it finished searching, it showed "uninit taint plugin
>>>>>>>>>>>>>>> segmentation fault"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> How can I fix it?
>>>>>>>>>>>>>>> Thanks a lot!
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> wait and hope~~


-- 
wait and hope~~
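The crash-triage procedure Brendan describes above (invoke the emulator directly under gdb with --args, then type bt when it crashes) can be run non-interactively and the backtrace parsed so the first frame belonging to a plugin such as panda_taint2.so is picked out automatically. This is an added example, not part of the thread or of PANDA's own code; it assumes a gdb binary is on PATH, and the sample backtrace, its addresses, the function name example_taint_fn and the file names in it are constructed placeholders.

```python
"""Capture and parse a gdb backtrace from a crashing PANDA run.

Added example (not PANDA project code). It performs the interactive
sequence from the thread
    gdb --args arm-softmmu/qemu-system-arm [...]
    (gdb) run
    (gdb) bt
in gdb's -batch mode and parses the resulting frames. Assumes gdb is on PATH.
"""
import re
import subprocess
from typing import Any, Dict, List, Optional

# One gdb backtrace frame, e.g.
#   #1  0x00007f0012345678 in some_fn (a=1, b=2) at some_file.cpp:123
#   #0  0x00007f00deadbeef in ?? () from /path/to/panda_taint2.so
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+"
    r"(?:(?P<addr>0x[0-9a-fA-F]+)\s+in\s+)?"
    r"(?P<func>[^\s(]+)\s*\((?P<args>.*)\)"
    r"(?:\s+(?:at|from)\s+(?P<location>\S+))?\s*$"
)


def parse_backtrace(text: str) -> List[Dict[str, Any]]:
    """Turn gdb's textual backtrace into a list of frame dicts.

    Lines that are not "#N ..." frames (the SIGSEGV banner, gdb chatter)
    are ignored.
    """
    frames: List[Dict[str, Any]] = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frame: Dict[str, Any] = m.groupdict()
            frame["num"] = int(frame["num"])
            frames.append(frame)
    return frames


def first_frame_matching(frames: List[Dict[str, Any]], needle: str) -> Optional[Dict[str, Any]]:
    """Return the innermost frame whose function or location mentions needle
    (e.g. "taint" to find where the taint plugin sits on the stack)."""
    for f in frames:
        hay = " ".join(s for s in (f.get("func"), f.get("location")) if s)
        if needle in hay:
            return f
    return None


def run_under_gdb(argv: List[str], timeout: int = 600) -> str:
    """Run argv under gdb in batch mode and return gdb's combined output.

    Equivalent to "gdb --args <argv...>", then "run", then "bt".
    Assumes a gdb binary is on PATH.
    """
    cmd = ["gdb", "-batch", "-ex", "run", "-ex", "bt", "--args"] + argv
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr


# Constructed sample of what gdb prints after a crash inside a plugin;
# addresses, example_taint_fn and the file names are made up.
SAMPLE_BACKTRACE = """\
Program received signal SIGSEGV, Segmentation fault.
0x00007fffe8c1a3f4 in ?? () from /path/to/panda_taint2.so
#0  0x00007fffe8c1a3f4 in ?? () from /path/to/panda_taint2.so
#1  0x00007fffe8c1b120 in example_taint_fn (addr=4096, len=3) at example_taint.cpp:123
#2  0x0000555555a0c2e0 in main (argc=7, argv=0x7fffffffe3a8) at example_main.c:42
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a real run use
    # parse_backtrace(run_under_gdb(["arm-softmmu/qemu-system-arm", ...])).
    frames = parse_backtrace(SAMPLE_BACKTRACE)
    for f in frames:
        print(f"#{f['num']} {f['func']} {f['location'] or ''}")
    hit = first_frame_matching(frames, "taint")
    print("first taint-related frame:", hit["num"] if hit else None)
```

Frame 0 in the sample has no symbol (`??`), which is what a stripped plugin build gives; the location field still names the shared object, so matching on the location rather than only the function name is what lets the plugin be identified. A frame that resolves to a source file and line (as frame 1 does) is what the list was asking for when requesting a backtrace.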