[panda-users] taint segmentation fault

Brendan Dolan-Gavitt brendandg at gatech.edu
Sun Apr 12 23:34:48 EDT 2015


Are you able to follow the steps in the tutorial (using the sshkeygen
replay)? Or does that fail as well?

-Brendan

On Sun, Apr 12, 2015 at 11:27 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> Thanks first. I cannot either.
> It just segfaults while tainting.
>
>
> 2015-04-13 4:52 GMT+08:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>:
>>
>> Also, just a check.  Are you able to reproduce the results here?
>>
>> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>>
>> --
>> Tim Leek
>> Technical Staff
>> Cyber System Assessments
>> MIT Lincoln Laboratory
>> 781-981-2975
>>
>>
>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>> Date: Sunday, April 12, 2015 at 4:04 PM
>>
>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>> Subject: Re: [panda-users] taint segmentation fault
>>
>> A few things:
>>
>> 1. Did you make sure to do a make clean and then re-run build.sh after
>> updating? I got a segfault just after taint was turned on as well until I
>> did a make clean and re-ran build.sh.
>> 2. Are you running this on a 64-bit system? What kernel version?
>>
>> -Brendan
>>
>> On Sun, Apr 12, 2015 at 9:16 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>> wrote:
>>>
>>> Any suggestions about the segmentation fault?
>>> And after my tests, I have made sure it is not caused by insufficient memory.
>>> Thanks a lot!
>>>
>>> 2015-04-11 11:59 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>
>>>> Excuse me:
>>>> I tried to fix the segmentation error
>>>> and found this piece of code:
>>>>
>>>> Do you mean that it doesn't support such a large byte? Or that it isn't supported
>>>> for Android ARM?
>>>> In the doc I noticed that network tainting is not supported for the ARM
>>>> architecture, and the string I tainted was something that may go through the
>>>> network.
>>>>
>>>> Thanks!
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> 2015-04-09 21:30 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>
>>>>> Now that the PANDA taint.md is not up to date, can you guys give me some
>>>>> help?
>>>>> I use the replay plugin; here are my command and the result.
>>>>>
>>>>>
>>>>> The content of pk_search_strings.txt is: "sdt"
>>>>>
>>>>> I am confused here: in the paper "Repeatable reverse with panda":
>>>>> it is clear that if I use the stringsearch and taint plugins, when it
>>>>> matches, the taint label will be put on and then the taint action will start. But
>>>>> when I use it, it seems wrong (the picture shown before): no taint action
>>>>> executes, and I am confused about the tstringsearch result.
>>>>> How can I use it for analysis?
>>>>> Thanks a lot!
>>>>>
>>>>>
>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>
>>>>>> I get the replay file by running the runandroid script, and I use the
>>>>>> qemu-system-arm command just to do some replay work.
>>>>>> I may not understand you at all in this email. Do you mean that I should
>>>>>> gdb the original program rather than the record file?
>>>>>> Thanks
>>>>>>
>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>>>>>
>>>>>>> Hmm. gdb should normally stop when you get a segfault.
>>>>>>>
>>>>>>> Are you by any chance running PANDA using the runandroid script? If
>>>>>>> so, you will need to instead invoke PANDA manually, i.e.:
>>>>>>>
>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>>>>>
>>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>>>>>>> backtrace.
>>>>>>>
>>>>>>> -Brendan
>>>>>>>
>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> When I gdb, it shows:
>>>>>>>> and then I see the log; it shows a segfault:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>
>>>>>>>>> Maybe I am wrong.
>>>>>>>>> I use the command
>>>>>>>>> line "taint2:label_mode=binary,query_outgoing_network=1" and I found that
>>>>>>>>> when I use taint2, after it loads panda_taint2.so, it
>>>>>>>>> shows: "taint2:instructed not to inline taint ops .success".
>>>>>>>>>
>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>
>>>>>>>>>> OK.
>>>>>>>>>> 1. I want to use the taint plugin to get information about some
>>>>>>>>>> functions (of course, it is closed-source), so I think I can stringsearch
>>>>>>>>>> potential data and then taint it, and next I can locate the functions which
>>>>>>>>>> handle these data.
>>>>>>>>>>
>>>>>>>>>> 2. The command line I used is:
>>>>>>>>>> stringsearch:name=***;taint2:tainted_instructions=1.
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt
>>>>>>>>>> <brendandg at gatech.edu>:
>>>>>>>>>>>
>>>>>>>>>>> Could you provide:
>>>>>>>>>>>
>>>>>>>>>>> 1. What information you're trying to get
>>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2
>>>>>>>>>>> plugin
>>>>>>>>>>>
>>>>>>>>>>> ?
>>>>>>>>>>>
>>>>>>>>>>> Right now I believe taint2 does not produce very much output by
>>>>>>>>>>> default. Instead you use the -pandalog <filename> command line option, and
>>>>>>>>>>> taint2 will write its results there in pandalog format; you can then read
>>>>>>>>>>> them using pandalog_reader (see panda/pandalog_reader.c for details on that
>>>>>>>>>>> tool).
>>>>>>>>>>>
>>>>>>>>>>> -Brendan
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li
>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> When I tried taint2, it showed the same error as taint1; the
>>>>>>>>>>>> only difference is that taint2 has no segfault error, just "uninit taint
>>>>>>>>>>>> plugin".
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt
>>>>>>>>>>>> <brendandg at gatech.edu>:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Could you be a little more descriptive about how it failed?
>>>>>>>>>>>>> Segfault? Error message? Incorrect output?
>>>>>>>>>>>>>
>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li
>>>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I tried taint2 too; it failed.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL
>>>>>>>>>>>>>> <tleek at ll.mit.edu>:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>>>>>>>>>>>>>>> “taint2” is the one we are actively using and developing.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a backtrace
>>>>>>>>>>>>>>> when it crashes?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
>>>>>>>>>>>>>>>> plugin (stringsearch:name=***;taint:tainted_instructions=1).
>>>>>>>>>>>>>>>> When I started it, it showed success:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> But when it finished searching, it showed "uninit taint plugin
>>>>>>>>>>>>>>>> segmentation fault".
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> How can I fix it?
>>>>>>>>>>>>>>>> Thanks a lot!
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> panda-users mailing list
>>>>>>>>>>>>>> panda-users at mit.edu
>>>>>>>>>>>>>> http://mailman.mit.edu/mailman/listinfo/panda-users
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>
>>>
>>



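The debugging procedure suggested in this thread (check that the host is 64-bit, make clean and re-run build.sh after updating, then run qemu-system-arm under gdb with --args and take a backtrace with bt), collected into one script. This is an added example, not code from the panda-users thread or from the PANDA project; the qemu directory, the machine options, the replay name "sshkeygen", the plugin string and the output file names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example for this thread; it is not code from the panda-users list
# or from the PANDA project. It scripts the troubleshooting steps suggested
# above: confirm a 64-bit host, rebuild after updating (make clean, then
# build.sh), run the replay under gdb with --args and keep the "bt" output.
# The checkout location, machine options, replay name, plugin string and
# output file names are all assumptions for illustration.

set -u

# Assumed: PANDA's qemu directory, where build.sh lives and from which the
# thread's relative path arm-softmmu/qemu-system-arm resolves.
PANDA_QEMU_DIR="${PANDA_QEMU_DIR:-${HOME:-/root}/panda/qemu}"
QEMU_BIN="arm-softmmu/qemu-system-arm"
# Assumed machine options; a replay only works with the same machine
# configuration that was used for the recording.
MACHINE_ARGS="${MACHINE_ARGS:--M vexpress-a9 -m 512}"

# is_64bit ARCH: succeed only for a 64-bit host architecture, one of the
# things Brendan asked about in the thread.
is_64bit() {
    case "$1" in
        x86_64|amd64|aarch64|arm64|ppc64*) return 0 ;;
        *) return 1 ;;
    esac
}

# panda_cmd REPLAY PLUGIN_ARGS [PANDALOG]: print the qemu command line that
# replays REPLAY with the given "plugin:arg=val;plugin2:..." string. taint2
# reports through the pandalog rather than stdout, so one is always named.
panda_cmd() {
    replay="$1"; plugins="$2"; plog="${3:-$1.plog}"
    printf "%s %s -replay %s -panda '%s' -pandalog %s\n" \
        "$QEMU_BIN" "$MACHINE_ARGS" "$replay" "$plugins" "$plog"
}

# rebuild: the fix that worked for Brendan after updating the checkout.
rebuild() {
    ( cd "$PANDA_QEMU_DIR" && make clean && ./build.sh )
}

# run_under_gdb REPLAY PLUGIN_ARGS: run the replay inside gdb in batch mode.
# gdb stops at the SIGSEGV, "bt" prints the backtrace, and the whole session
# is saved to REPLAY.gdb.txt so it can be posted to the list.
run_under_gdb() {
    replay="$1"; plugins="$2"
    ( cd "$PANDA_QEMU_DIR" && \
      gdb -batch -ex run -ex bt --args \
          "$QEMU_BIN" $MACHINE_ARGS -replay "$replay" \
          -panda "$plugins" -pandalog "$replay.plog" ) 2>&1 | tee "$replay.gdb.txt"
}

# Only perform the real procedure when asked to, so the functions above can
# be sourced or tested on a machine without gdb or PANDA installed.
if [ "${PANDA_DEBUG_RUN:-0}" = 1 ]; then
    arch=$(uname -m)
    echo "host: $arch, kernel $(uname -r)"
    is_64bit "$arch" || { echo "taint2 needs a 64-bit host" >&2; exit 1; }
    rebuild
    replay="${REPLAY:-sshkeygen}"
    plugins="${PLUGINS:-stringsearch:name=pk;taint2:tainted_instructions=1}"
    echo "running: $(panda_cmd "$replay" "$plugins")"
    run_under_gdb "$replay" "$plugins"
fi
```

Run it as PANDA_DEBUG_RUN=1 sh debug_taint.sh once the replay files exist, overriding REPLAY, PLUGINS, PANDA_QEMU_DIR or MACHINE_ARGS as needed; without PANDA_DEBUG_RUN it only defines the functions, which is what makes it safe to source.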