[panda-users] taint segmentation fault

xiaojuan Li xiaotan6666 at gmail.com
Sun Apr 12 23:41:51 EDT 2015


Yeah, I fail to taint both when using sshkeygen and my test snp.
Here is the result of following the steps in the tutorial:
Thanks!

2015-04-13 11:34 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:

> Are you able to follow the steps in the tutorial (using the sshkeygen
> replay)? Or does that fail as well?
>
> -Brendan
>
> On Sun, Apr 12, 2015 at 11:27 PM, xiaojuan Li <xiaotan6666 at gmail.com>
> wrote:
> > Thanks first. I cannot either.
> > Just a segfault while tainting.
> >
> >
> > 2015-04-13 4:52 GMT+08:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu
> >:
> >>
> >> Also, just a check.  Are you able to reproduce the results here?
> >>
> >> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
> >>
> >> --
> >> Tim Leek
> >> Technical Staff
> >> Cyber System Assessments
> >> MIT Lincoln Laboratory
> >> 781-981-2975
> >>
> >>
> >> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
> >> Date: Sunday, April 12, 2015 at 4:04 PM
> >>
> >> To: xiaojuan Li <xiaotan6666 at gmail.com>
> >> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
> >> Subject: Re: [panda-users] taint segmentation fault
> >>
> >> A few things:
> >>
> >> 1. Did you make sure to do a make clean and then re-run build.sh after
> >> updating? I got a segfault just after taint was turned on as well until
> >> I did a make clean and re-ran build.sh.
> >> 2. Are you running this on a 64-bit system? What kernel version?
> >>
> >> -Brendan
> >>
> >> On Sun, Apr 12, 2015 at 9:16 AM, xiaojuan Li <xiaotan6666 at gmail.com>
> >> wrote:
> >>>
> >>> Any suggestions about the segmentation fault?
> >>> And after my test, I made sure it is not caused by insufficient memory.
> >>> Thanks a lot!
> >>>
> >>> 2015-04-11 11:59 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
> >>>>
> >>>> Excuse me:
> >>>> I tried to fix the segmentation error
> >>>> and found this piece of code:
> >>>>
> >>>> Do you mean that it doesn't support so large a byte, or that it isn't
> >>>> supported for Android ARM?
> >>>> In the doc I noticed that network tainting is not supported for the ARM
> >>>> architecture, and the string I tainted was something that may go through
> >>>> the network.
> >>>>
> >>>> Thanks!
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> 2015-04-09 21:30 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
> >>>>>
> >>>>> Now that the PANDA taint.md is not fresh, can you guys give me some
> >>>>> help?
> >>>>> I use the replay plugin; here are my command and the result.
> >>>>>
> >>>>> The content of pk_search_strings.txt is: "sdt"
> >>>>>
> >>>>> I am confused here: in the paper, Repeatable reverse with panda:
> >>>>> it is clear that if I use the stringsearch and taint plugins, when it
> >>>>> matches, the taint label will be applied and then the taint action will
> >>>>> start. But when I use it, it seems wrong (the picture shown before): no
> >>>>> taint action executes, and I am confused about tstringsearch's result.
> >>>>> How can I use it for analysis?
> >>>>> Thanks a lot!
> >>>>>
> >>>>>
> >>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
> >>>>>>
> >>>>>> I get the replay file by running the runandroid script, and I use the
> >>>>>> qemu-system-arm command just to do some replay work.
> >>>>>> I may not understand you at all in this email. Do you mean that I
> >>>>>> should gdb the original program rather than the record file?
> >>>>>> Thanks
> >>>>>>
> >>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <
> brendandg at gatech.edu>:
> >>>>>>>
> >>>>>>> Hmm. gdb should normally stop when you get a segfault.
> >>>>>>>
> >>>>>>> Are you by any chance running PANDA using the runandroid script? If
> >>>>>>> so, you will need to instead invoke PANDA manually, i.e.:
> >>>>>>>
> >>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
> >>>>>>>
> >>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
> >>>>>>> backtrace.
> >>>>>>>
> >>>>>>> -Brendan
> >>>>>>>
> >>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com
> >
> >>>>>>> wrote:
> >>>>>>>>
> >>>>>>>> When I run gdb, it shows:
> >>>>>>>> And then I see the log: it shows a segfault:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
> >>>>>>>>>
> >>>>>>>>> Maybe I am wrong.
> >>>>>>>>> I use the command line
> >>>>>>>>> "taint2:label_mode=binary,query_outgoing_network=1" and I found that
> >>>>>>>>> when I use taint2, after it loads panda_taint2.so, it
> >>>>>>>>> shows: "taint2: instructed not to inline taint ops. success".
> >>>>>>>>>
> >>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
> >>>>>>>>>>
> >>>>>>>>>> OK.
> >>>>>>>>>> 1. I want to use the taint plugin to get information about some
> >>>>>>>>>> functions (of course, it is closed-source), so I think I can
> >>>>>>>>>> stringsearch potential data and then taint it, and next I can locate
> >>>>>>>>>> the functions which handle this data.
> >>>>>>>>>>
> >>>>>>>>>> 2. The command line I used is:
> >>>>>>>>>> stringsearch:name=***;taint2:tainted_instructions=1
> >>>>>>>>>>
> >>>>>>>>>> Thanks
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt
> >>>>>>>>>> <brendandg at gatech.edu>:
> >>>>>>>>>>>
> >>>>>>>>>>> Could you provide:
> >>>>>>>>>>>
> >>>>>>>>>>> 1. What information you're trying to get
> >>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2
> >>>>>>>>>>> plugin
> >>>>>>>>>>>
> >>>>>>>>>>> ?
> >>>>>>>>>>>
> >>>>>>>>>>> Right now I believe taint2 does not produce very much output by
> >>>>>>>>>>> default. Instead you use the -pandalog <filename> command line
> >>>>>>>>>>> option, and taint2 will write its results there in pandalog format;
> >>>>>>>>>>> you can then read them using pandalog_reader (see
> >>>>>>>>>>> panda/pandalog_reader.c for details on that tool).
> >>>>>>>>>>>
> >>>>>>>>>>> -Brendan
> >>>>>>>>>>>
> >>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li
> >>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> When I tried taint2, it showed the same error as taint1; the
> >>>>>>>>>>>> only difference is that taint2 has no segfault error, just
> >>>>>>>>>>>> "uninit taint plugin".
> >>>>>>>>>>>>
> >>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt
> >>>>>>>>>>>> <brendandg at gatech.edu>:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Could you be a little more descriptive about how it failed?
> >>>>>>>>>>>>> Segfault? Error message? Incorrect output?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> -Brendan
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li
> >>>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> I tried taint2 too, it failed.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL
> >>>>>>>>>>>>>> <tleek at ll.mit.edu>:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
> >>>>>>>>>>>>>>> “taint2” is the one we are actively using and developing.
> >>>>>>>>>>>>>>> --
> >>>>>>>>>>>>>>> Tim Leek
> >>>>>>>>>>>>>>> Technical Staff
> >>>>>>>>>>>>>>> Cyber System Assessments
> >>>>>>>>>>>>>>> MIT Lincoln Laboratory
> >>>>>>>>>>>>>>> 781-981-2975
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
> >>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
> >>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
> >>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
> >>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Could you run that under gdb and provide us with a
> backtrace
> >>>>>>>>>>>>>>> when it crashes?
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> -Brendan
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <
> xiaotan6666 at gmail.com>
> >>>>>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Hi,
> >>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
> >>>>>>>>>>>>>>>> plugin (stringsearch:name=***;taint:tainted_instructions=1).
> >>>>>>>>>>>>>>>> When I started it, it showed success:
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> but when it finished the search, it showed "uninit taint plugin
> >>>>>>>>>>>>>>>> segmentation fault".
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> How can I fix it?
> >>>>>>>>>>>>>>>> Thanks a lot!
> >>>>>>>>>>>>>>>> --
> >>>>>>>>>>>>>>>> wait and hope~~
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> --
> >>>>>>>>>>>>>> wait and hope~~
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> _______________________________________________
> >>>>>>>>>>>>>> panda-users mailing list
> >>>>>>>>>>>>>> panda-users at mit.edu
> >>>>>>>>>>>>>> http://mailman.mit.edu/mailman/listinfo/panda-users
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>> --
> >>>>>>>>>>>> wait and hope~~
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> --
> >>>>>>>>>> wait and hope~~
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> wait and hope~~
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> wait and hope~~
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> wait and hope~~
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> wait and hope~~
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> wait and hope~~
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>> wait and hope~~
> >>
> >>
> >
> >
> >
> > --
> > wait and hope~~
>



-- 
wait and hope~~