[panda-users] taint segmentation fault

Leek, Timothy - 0559 - MITLL tleek at ll.mit.edu
Mon Apr 13 07:26:46 EDT 2015


Maybe try git pull.  Then make distclean in qemu dir.  Then make.  Then try
the tutorial.  Should work.
--
Tim Leek
Technical Staff
Cyber System Assessments
MIT Lincoln Laboratory
781-981-2975


From:  xiaojuan Li <xiaotan6666 at gmail.com>
Date:  Sunday, April 12, 2015 at 11:41 PM
To:  Brendan Dolan-Gavitt <brendandg at gatech.edu>, "panda-users at mit.edu"
<panda-users at mit.edu>
Subject:  Re: [panda-users] taint segmentation fault

Yeah. I fail to taint in both cases, using sshkeygen and my test snp.
Here is the result of following the steps in the tutorial:
Thanks!

2015-04-13 11:34 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
> Are you able to follow the steps in the tutorial (using the sshkeygen
> replay)? Or does that fail as well?
> 
> -Brendan
> 
> On Sun, Apr 12, 2015 at 11:27 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>> Thanks first. I cannot either.
>> Just a segfault while tainting.
>>
>>
>> 2015-04-13 4:52 GMT+08:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>:
>>>
>>> Also, just a check.  Are you able to reproduce the results here?
>>>
>>> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>>>
>>> --
>>> Tim Leek
>>> Technical Staff
>>> Cyber System Assessments
>>> MIT Lincoln Laboratory
>>> 781-981-2975
>>>
>>>
>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>> Date: Sunday, April 12, 2015 at 4:04 PM
>>>
>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>> Subject: Re: [panda-users] taint segmentation fault
>>>
>>> A few things:
>>>
>>> 1. Did you make sure to do a make clean and then re-run build.sh after
>>> updating? I got a segfault just after taint was turned on as well until I
>>> did a make clean and re-ran build.sh.
>>> 2. Are you running this on a 64-bit system? What kernel version?
>>>
>>> -Brendan
>>>
>>> On Sun, Apr 12, 2015 at 9:16 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>>> wrote:
>>>>
>>>> Any suggestions about the segmentation fault?
>>>> And after my test, I made sure it is not caused by insufficient memory.
>>>> Thanks a lot!
>>>>
>>>> 2015-04-11 11:59 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>
>>>>> Excuse me:
>>>>> I tried to fix the segmentation error
>>>>> and found this piece of code:
>>>>>
>>>>> Do you mean that it doesn't support such a large byte count? Or that it
>>>>> isn't supported for Android ARM?
>>>>> In the doc I noticed that network tainting is not supported for the ARM
>>>>> architecture, and the string I tainted was something that may go through
>>>>> the network.
>>>>>
>>>>> Thanks!
>>>>>
>>>>>
>>>>> 2015-04-09 21:30 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>
>>>>>> Now that the panda taint.md is not fresh, can you guys give me some
>>>>>> help?
>>>>>> I use the replay plugin; here are my command and the result.
>>>>>>
>>>>>> The content of pk_search_strings.txt is: "sdt"
>>>>>>
>>>>>> I am confused here: in the paper (Repeatable reverse with panda)
>>>>>> it is clear that if I use the stringsearch and taint plugins, when it
>>>>>> matches, the taint label will be put on and then taint action will
>>>>>> start. But when I use it, it seems wrong (the picture shown before): no
>>>>>> taint action executes, and I am confused about the tstringsearch result.
>>>>>> How can I use it for analysis?
>>>>>> Thanks a lot!
>>>>>>
>>>>>>
>>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>
>>>>>>> I get the replay file by running the runandroid script, and I use the
>>>>>>> qemu-system-arm command just to do some replay work.
>>>>>>> I may not understand you at all in this email. Do you mean that I should
>>>>>>> gdb the original program rather than the record file?
>>>>>>> Thanks
>>>>>>>
>>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>>>>>>
>>>>>>>> Hmm. gdb should normally stop when you get a segfault.
>>>>>>>>
>>>>>>>> Are you by any chance running PANDA using the runandroid script? If
>>>>>>>> so, you will need to instead invoke PANDA manually, i.e.:
>>>>>>>>
>>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>>>>>>
>>>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>>>>>>>> backtrace.
>>>>>>>>
>>>>>>>> -Brendan
>>>>>>>>
>>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> When running gdb, it shows:
>>>>>>>>> and then I see the log; it shows a segfault:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>
>>>>>>>>>> Maybe I am wrong.
>>>>>>>>>> I use the command line "taint2:label_mode=binary,query_outgoing_network=1"
>>>>>>>>>> and I found that when I use taint2, after it loads panda_taint2.so, it
>>>>>>>>>> shows: "taint2:instructed not to inline taint ops .success".
>>>>>>>>>>
>>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>>
>>>>>>>>>>> OK.
>>>>>>>>>>> 1. I want to use the taint plugin to get information about some
>>>>>>>>>>> functions (of course, they are closed-source), so I think I can
>>>>>>>>>>> stringsearch potential data and then taint them, and next I can locate
>>>>>>>>>>> the functions which handle these data.
>>>>>>>>>>>
>>>>>>>>>>> 2. The command line I used is:
>>>>>>>>>>> stringsearch:name=***;taint2:tainted_instructions=1.
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt
>>>>>>>>>>> <brendandg at gatech.edu>:
>>>>>>>>>>>>
>>>>>>>>>>>> Could you provide:
>>>>>>>>>>>>
>>>>>>>>>>>> 1. What information you're trying to get
>>>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2
>>>>>>>>>>>> plugin
>>>>>>>>>>>>
>>>>>>>>>>>> ?
>>>>>>>>>>>>
>>>>>>>>>>>> Right now I believe taint2 does not produce very much output by
>>>>>>>>>>>> default. Instead you use the -pandalog <filename> command line option, and
>>>>>>>>>>>> taint2 will write its results there in pandalog format; you can then read
>>>>>>>>>>>> them using pandalog_reader (see panda/pandalog_reader.c for details on that
>>>>>>>>>>>> tool).
>>>>>>>>>>>>
>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li
>>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> When I tried taint2, it showed the same error as taint1; the
>>>>>>>>>>>>> only difference is that taint2 has no segfault error, just "uninit taint
>>>>>>>>>>>>> plugin".
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt
>>>>>>>>>>>>> <brendandg at gatech.edu>:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Could you be a little more descriptive about how it failed?
>>>>>>>>>>>>>> Segfault? Error message? Incorrect output?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li
>>>>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I tried taint2 too; it failed.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL
>>>>>>>>>>>>>>> <tleek at ll.mit.edu>:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>>>>>>>>>>>>>>>> “taint2” is the one we are actively using and developing.
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Tim Leek
>>>>>>>>>>>>>>>> Technical Staff
>>>>>>>>>>>>>>>> Cyber System Assessments
>>>>>>>>>>>>>>>> MIT Lincoln Laboratory
>>>>>>>>>>>>>>>> 781-981-2975
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a backtrace
>>>>>>>>>>>>>>>> when it crashes?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
>>>>>>>>>>>>>>>>> plugin (stringsearch:name=***;taint:tainted_instructions=1).
>>>>>>>>>>>>>>>>> When I started it, it showed success:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> But when it finished the search, it showed "uninit taint plugin
>>>>>>>>>>>>>>>>> segmentation fault".
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> How can I fix it?
>>>>>>>>>>>>>>>>> Thanks a lot!
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> wait and hope~~

-- 
wait and hope~~
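Brendan's advice in the quoted thread (invoke PANDA by hand under gdb with --args, then type "bt" when it crashes) can be scripted so the backtrace is captured to a file without an interactive session. The script below is an added example, not code from the PANDA project or from anyone on the thread. The binary path arm-softmmu/qemu-system-arm is the one from Brendan's reply; the helper names, the log file name, and the idea that every argument after the log file is passed through unchanged to qemu-system-arm are assumptions of this example, and the actual PANDA options (replay name, plugin list) are not shown on this page and must come from your own replay command.

```shell
#!/bin/sh
# Added example, not from the PANDA project or this thread: run a PANDA
# (qemu-system-arm) session under gdb in batch mode so that a segfault yields a
# saved backtrace instead of an interactive prompt that has to be driven by hand.
#
# Assumptions (not stated on the page): the binary is arm-softmmu/qemu-system-arm
# as in Brendan's reply; everything after the log file is passed through to it
# unchanged; helper names and the log file name are made up for this example.

# Print the gdb commands that will be executed, one per line, so they can be
# reviewed (and checked) before anything is run.
gdb_batch_commands() {
    # "run" starts the inferior; when it stops on SIGSEGV, control returns to
    # gdb and the remaining commands execute.  QEMU runs more than one thread,
    # so after the full backtrace of the faulting thread dump every thread too.
    printf '%s\n' \
        'set pagination off' \
        'run' \
        'bt full' \
        'thread apply all bt' \
        'quit'
}

# Run PROGRAM [ARGS...] under gdb; gdb's output, including the backtrace, is
# written to LOGFILE.  Returns 2 on a usage or prerequisite problem, otherwise
# gdb's own exit status.
# Usage: run_under_gdb LOGFILE PROGRAM [ARGS...]
run_under_gdb() {
    logfile=$1
    shift
    [ "$#" -ge 1 ] || { echo "usage: run_under_gdb LOGFILE PROGRAM [ARGS...]" >&2; return 2; }
    command -v gdb >/dev/null 2>&1 || { echo "gdb not found in PATH" >&2; return 2; }
    [ -x "$1" ] || { echo "not an executable: $1" >&2; return 2; }

    # A temporary command file keeps quoting simple under POSIX sh (no arrays);
    # -batch makes gdb exit once the file has been processed.
    cmdfile=$(mktemp) || return 2
    gdb_batch_commands > "$cmdfile"
    if gdb -batch -x "$cmdfile" --args "$@" > "$logfile" 2>&1; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$cmdfile"
    echo "gdb output (including backtrace) saved to $logfile" >&2
    return "$rc"
}

# Example invocation, only when explicitly requested so the file can also be
# sourced: replace "$@" with the PANDA options from your own replay command.
if [ "${RUN_PANDA_UNDER_GDB:-0}" = "1" ]; then
    run_under_gdb panda-crash.log arm-softmmu/qemu-system-arm "$@"
fi
```

Run it from the qemu directory as RUN_PANDA_UNDER_GDB=1 sh panda-gdb.sh followed by the same arguments you normally give qemu-system-arm; the backtrace ends up in panda-crash.log and can be pasted into a reply. Rebuilding first (the make distclean / make, or make clean / build.sh, steps Tim and Brendan mention) is still the first thing to try, since a stale object from an older tree was the cause in Brendan's case.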

