[panda-users] taint segmentation fault

xiaojuan Li xiaotan6666 at gmail.com
Mon Apr 13 08:14:07 EDT 2015


Thanks first.
I tried it before and can get the result described in the tutorial, but when
I turn to my snp, it still shows "segfault".


2015-04-13 7:26 GMT-04:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>:

> Maybe try git pull.  Then make distclean in qemu dir.  Then make.  Then
> try the tutorial.  Should work.
> --
> Tim Leek
> Technical Staff
> Cyber System Assessments
> MIT Lincoln Laboratory
> 781-981-2975
>
>
> From: xiaojuan Li <xiaotan6666 at gmail.com>
> Date: Sunday, April 12, 2015 at 11:41 PM
> To: Brendan Dolan-Gavitt <brendandg at gatech.edu>, "panda-users at mit.edu" <
> panda-users at mit.edu>
>
> Subject: Re: [panda-users] taint segmentation fault
>
> Yeah. I fail to taint both when using sshkeygen and my test snp.
> Here is the result of following the steps in the tutorial:
> Thanks!
>
> 2015-04-13 11:34 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>
>> Are you able to follow the steps in the tutorial (using the sshkeygen
>> replay)? Or does that fail as well?
>>
>> -Brendan
>>
>> On Sun, Apr 12, 2015 at 11:27 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>> wrote:
>> > Thanks first. I cannot either.
>> > Just segfault while tainting.
>> >
>> >
>> > 2015-04-13 4:52 GMT+08:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>:
>> >>
>> >> Also, just a check.  Are you able to reproduce the results here?
>> >>
>> >>
>> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>> >>
>> >>
>> >>
>> >> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>> >> Date: Sunday, April 12, 2015 at 4:04 PM
>> >>
>> >> To: xiaojuan Li <xiaotan6666 at gmail.com>
>> >> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>> >> Subject: Re: [panda-users] taint segmentation fault
>> >>
>> >> A few things:
>> >>
>> >> 1. Did you make sure to do a make clean and then re-run build.sh after
>> >> updating? I got a segfault just after taint was turned on as well until I
>> >> did a make clean and re-ran build.sh.
>> >> 2. Are you running this on a 64-bit system? What kernel version?
>> >>
>> >> -Brendan
>> >>
>> >> On Sun, Apr 12, 2015 at 9:16 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>> >> wrote:
>> >>>
>> >>> Any suggestions about the segmentation fault?
>> >>> And after my test, I make sure it is not caused by insufficient memory.
>> >>> Thanks a lot!
>> >>>
>> >>> 2015-04-11 11:59 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >>>>
>> >>>> Excuse me:
>> >>>> I try to fix the segmentation error:
>> >>>> and find this piece of code:
>> >>>>
>> >>>> Do you mean that it doesn't support so large byte? Or it doesn't
>> >>>> support for android arm?
>> >>>> In the doc I noticed that network tainting is not supported for arm
>> >>>> architecture, and the string I tainted was something that may go through
>> >>>> the network.
>> >>>>
>> >>>> Thanks!
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> 2015-04-09 21:30 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >>>>>
>> >>>>> Now that the panda taint.md is not fresh, can you guys give me some
>> >>>>> help?
>> >>>>> I use the replay plugin, here is my command and the result.
>> >>>>>
>> >>>>> The content of pk_search_strings.txt is: "sdt"
>> >>>>>
>> >>>>> I am confused here: in the paper "Repeatable reverse with panda"
>> >>>>> it is clear that if I use the stringsearch and taint plugin, when it
>> >>>>> matches, the taint label will be put and then taint action will start.
>> >>>>> But when I use it, it seems wrong (the picture showed before): no taint
>> >>>>> action executes, and I am confused about the tstringsearch's result.
>> >>>>> How can I use it to analyse?
>> >>>>> Thanks a lot!
>> >>>>>
>> >>>>>
>> >>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >>>>>>
>> >>>>>> I get the replay file by running the runandroid script, and I use the
>> >>>>>> qemu-system-arm command just to do some replay work.
>> >>>>>> I may not understand you at all in this email. Do you mean that I
>> >>>>>> should gdb the original program rather than the record file?
>> >>>>>> Thanks
>> >>>>>>
>> >>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <
>> brendandg at gatech.edu>:
>> >>>>>>>
>> >>>>>>> Hmm. gdb should normally stop when you get a segfault.
>> >>>>>>>
>> >>>>>>> Are you by any chance running PANDA using the runandroid script? If
>> >>>>>>> so, you will need to instead invoke PANDA manually, i.e.:
>> >>>>>>>
>> >>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>> >>>>>>>
>> >>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>> >>>>>>> backtrace.
>> >>>>>>>
>> >>>>>>> -Brendan
>> >>>>>>>
>> >>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>> >>>>>>>>
>> >>>>>>>> When I gdb, it shows:
>> >>>>>>>> and then I see the log; it shows segfault:
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >>>>>>>>>
>> >>>>>>>>> Maybe I am wrong.
>> >>>>>>>>> I use the command
>> >>>>>>>>> line: "taint2:label_mode=binary,query_outgoing_network=1" and I
>> >>>>>>>>> found that when I use taint2, after it loads panda_taint2.so, it
>> >>>>>>>>> shows: "taint2:instructed not to inline taint ops .success".
>> >>>>>>>>>
>> >>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >>>>>>>>>>
>> >>>>>>>>>> OK.
>> >>>>>>>>>> 1. I want to use the taint plugin to get information about some
>> >>>>>>>>>> functions (of course, it is closed-source), so I think I can
>> >>>>>>>>>> stringsearch potential data and then taint them, and next I can
>> >>>>>>>>>> locate the functions which solve these data.
>> >>>>>>>>>>
>> >>>>>>>>>> 2. The command line I used is:
>> >>>>>>>>>> stringsearch:name=***;taint2:tainted_instructions=1.
>> >>>>>>>>>>
>> >>>>>>>>>> Thanks
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt
>> >>>>>>>>>> <brendandg at gatech.edu>:
>> >>>>>>>>>>>
>> >>>>>>>>>>> Could you provide:
>> >>>>>>>>>>>
>> >>>>>>>>>>> 1. What information you're trying to get
>> >>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2
>> >>>>>>>>>>> plugin
>> >>>>>>>>>>>
>> >>>>>>>>>>> ?
>> >>>>>>>>>>>
>> >>>>>>>>>>> Right now I believe taint2 does not produce very much output by
>> >>>>>>>>>>> default. Instead you use the -pandalog <filename> command line
>> >>>>>>>>>>> option, and taint2 will write its results there in pandalog
>> >>>>>>>>>>> format; you can then read them using pandalog_reader (see
>> >>>>>>>>>>> panda/pandalog_reader.c for details on that tool).
>> >>>>>>>>>>>
>> >>>>>>>>>>> -Brendan
>> >>>>>>>>>>>
>> >>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li
>> >>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> When I tried taint2, it showed the same error as taint1; the
>> >>>>>>>>>>>> only difference is that taint2 has no segfault error, just
>> >>>>>>>>>>>> "uninit taint plugin".
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt
>> >>>>>>>>>>>> <brendandg at gatech.edu>:
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>> Could you be a little more descriptive about how it failed?
>> >>>>>>>>>>>>> Segfault? Error message? Incorrect output?
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>> -Brendan
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li
>> >>>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>> I tried taint2 too, it failed.
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL
>> >>>>>>>>>>>>>> <tleek at ll.mit.edu>:
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>> >>>>>>>>>>>>>>> “taint2” is the one we are actively using and developing.
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>> >>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>> >>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>> >>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>> >>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>> Could you run that under gdb and provide us with a backtrace
>> >>>>>>>>>>>>>>> when it crashes?
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>> -Brendan
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>> >>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>> Hi,
>> >>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
>> >>>>>>>>>>>>>>>> plugin: (stringsearch:name=***;taint:tainted_instructions=1)
>> >>>>>>>>>>>>>>>> When I started it showed success:
>> >>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>> but when it finished search, it showed "uninit taint plugin
>> >>>>>>>>>>>>>>>> segmentation fault"
>> >>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>> How can I fix it?
>> >>>>>>>>>>>>>>>> Thanks a lot!
>> >>>>>>>>>>>>>>>> --
>> >>>>>>>>>>>>>>>> wait and hope~~



-- 
wait and hope~~
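Brendan's advice in the thread (invoke qemu-system-arm directly under gdb, then type "bt") can be scripted so the backtrace is written to disk and the plugin named in the top frame is picked out for the bug report. This is an added example, not code from the thread or from PANDA; it assumes gdb is installed, that plugin shared objects are named panda_<name>.so (as the panda_taint2.so log line suggests), and the sample gdb log inside it is constructed with placeholder symbol names.

```shell
#!/bin/sh
# Added example, not from the thread or from PANDA. Captures the backtrace
# Brendan asked for without running PANDA through the runandroid script.
# Assumption: gdb is installed; PANDA plugins are named panda_<name>.so.

# Usage: panda_bt <logfile> <path/to/qemu-system-arm> [PANDA args...]
# Runs PANDA directly under gdb in batch mode; on a crash the log holds
# the signal line plus the "bt" output.
panda_bt() {
    log="$1"; shift
    gdb -batch -ex run -ex bt --args "$@" > "$log" 2>&1
    # gdb's own exit status says nothing about the inferior; inspect the log.
    if grep -q 'SIGSEGV' "$log"; then
        echo "segfault recorded in $log"; return 1
    fi
    return 0
}

# Usage: crashing_plugin <logfile>
# Prints the first PANDA plugin .so named in a backtrace frame
# ("#N  0x... in fn () from /.../panda_xxx.so"), or "none" if the crash
# is in the main binary or the log has no frames.
crashing_plugin() {
    awk '
        /^#[0-9]+ / && !found {
            if (match($0, /panda_[A-Za-z0-9_]+\.so/)) {
                print substr($0, RSTART, RLENGTH); found = 1
            }
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Constructed sample of a gdb batch log (function names are placeholders,
# not real PANDA symbols), so crashing_plugin can be exercised offline.
sample_log() {
    cat <<'EOF'
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5a1c2e0 in placeholder_taint_fn () from /path/to/panda_plugins/panda_taint2.so
#0  0x00007ffff5a1c2e0 in placeholder_taint_fn () from /path/to/panda_plugins/panda_taint2.so
#1  0x00007ffff5e40b10 in placeholder_match_fn () from /path/to/panda_plugins/panda_stringsearch.so
#2  0x0000000000523f10 in placeholder_callback ()
#3  0x00000000004e2a3c in main ()
EOF
}
```

Run `panda_bt crash.log arm-softmmu/qemu-system-arm <your replay and plugin arguments>` and then `crashing_plugin crash.log`; a result of "none" means the top frames are in the main binary rather than a plugin.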