[panda-users] taint segmentation fault

xiaojuan Li xiaotan6666 at gmail.com
Mon Apr 13 08:27:34 EDT 2015


Let me describe how I get my test snp:
First I boot the Android emulator, begin_record, do some operations in the
emulator, end_record. Then I use it to replay and taint the data I input
before.
(By the way, though I can get the result of the tutorial, it shows "uninit
taint plugin" at the end of the result.)
Thanks!

2015-04-13 8:14 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:

> Thanks first.
> I tried it before and can get the result described in the tutorial, but
> when I turn to my snp, it still shows "segfault".
>
>
> 2015-04-13 7:26 GMT-04:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>:
>
>> Maybe try git pull.  Then make distclean in qemu dir.  Then make.  Then
>> try the tutorial.  Should work.
>> --
>> Tim Leek
>> Technical Staff
>> Cyber System Assessments
>> MIT Lincoln Laboratory
>> 781-981-2975
>>
>>
>> From: xiaojuan Li <xiaotan6666 at gmail.com>
>> Date: Sunday, April 12, 2015 at 11:41 PM
>> To: Brendan Dolan-Gavitt <brendandg at gatech.edu>, "panda-users at mit.edu" <
>> panda-users at mit.edu>
>>
>> Subject: Re: [panda-users] taint segmentation fault
>>
>> Yeah, I fail to taint both when using sshkeygen and my test snp.
>> Here is the result of following the steps in the tutorial:
>> Thanks!
>>
>> 2015-04-13 11:34 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>
>>> Are you able to follow the steps in the tutorial (using the sshkeygen
>>> replay)? Or does that fail as well?
>>>
>>> -Brendan
>>>
>>> On Sun, Apr 12, 2015 at 11:27 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>> wrote:
>>> > Thanks first. I cannot either.
>>> > Just segfault while tainting.
>>> >
>>> >
>>> > 2015-04-13 4:52 GMT+08:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>:
>>> >>
>>> >> Also, just a check.  Are you able to reproduce the results here?
>>> >>
>>> >>
>>> >> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>>> >>
>>> >>
>>> >>
>>> >> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>> >> Date: Sunday, April 12, 2015 at 4:04 PM
>>> >>
>>> >> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>> >> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>> >> Subject: Re: [panda-users] taint segmentation fault
>>> >>
>>> >> A few things:
>>> >>
>>> >> 1. Did you make sure to do a make clean and then re-run build.sh after
>>> >> updating? I got a segfault just after taint was turned on as well until I
>>> >> did a make clean and re-ran build.sh.
>>> >> 2. Are you running this on a 64-bit system? What kernel version?
>>> >>
>>> >> -Brendan
>>> >>
>>> >> On Sun, Apr 12, 2015 at 9:16 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>>> >> wrote:
>>> >>>
>>> >>> Any suggestions about the segmentation fault?
>>> >>> And after my test, I made sure it is not caused by insufficient
>>> >>> memory.
>>> >>> Thanks a lot!
>>> >>>
>>> >>> 2015-04-11 11:59 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>> >>>>
>>> >>>> Excuse me:
>>> >>>> I tried to fix the segmentation error
>>> >>>> and found this piece of code:
>>> >>>>
>>> >>>> Do you mean that it doesn't support such a large byte? Or it doesn't
>>> >>>> support Android ARM?
>>> >>>> In the doc I noticed that network tainting is not supported for the ARM
>>> >>>> architecture, and the string I tainted was something that may go through
>>> >>>> the network.
>>> >>>>
>>> >>>> Thanks!
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>> 2015-04-09 21:30 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>> >>>>>
>>> >>>>> Now that the panda taint.md is not fresh, can you guys give me some
>>> >>>>> help?
>>> >>>>> I use the replay plugin; here is my command and the result.
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>> The content of pk_search_strings.txt is: "sdt"
>>> >>>>>
>>> >>>>> I am confused here: in the paper "Repeatable reverse with panda"
>>> >>>>> it is clear that if I use the stringsearch and taint plugins, when it
>>> >>>>> matches, the taint label will be put on and then the taint action will
>>> >>>>> start. But when I use it, it seems wrong (the picture shown before): no
>>> >>>>> taint action executes, and I am confused about tstringsearch's result.
>>> >>>>> How can I use it for analysis?
>>> >>>>> Thanks a lot!
>>> >>>>>
>>> >>>>>
>>> >>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>> >>>>>>
>>> >>>>>> I get the replay file by running the runandroid script, and I use the
>>> >>>>>> qemu-system-arm command just to do some replay work.
>>> >>>>>> I may not understand you at all in this email. Do you mean that I
>>> >>>>>> should gdb the original program rather than the record file?
>>> >>>>>> Thanks
>>> >>>>>>
>>> >>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>> >>>>>>>
>>> >>>>>>> Hmm. gdb should normally stop when you get a segfault.
>>> >>>>>>>
>>> >>>>>>> Are you by any chance running PANDA using the runandroid script? If
>>> >>>>>>> so, you will need to instead invoke PANDA manually, i.e.:
>>> >>>>>>>
>>> >>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>> >>>>>>>
>>> >>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>>> >>>>>>> backtrace.
>>> >>>>>>>
>>> >>>>>>> -Brendan
>>> >>>>>>>
>>> >>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>> >>>>>>> wrote:
>>> >>>>>>>>
>>> >>>>>>>> When I gdb, it shows:
>>> >>>>>>>> And then I see the log; it shows segfault:
>>> >>>>>>>>
>>> >>>>>>>>
>>> >>>>>>>>
>>> >>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>> >>>>>>>>>
>>> >>>>>>>>> Maybe I am wrong.
>>> >>>>>>>>> I use the command
>>> >>>>>>>>> line "taint2:label_mode=binary,query_outgoing_network=1" and I
>>> >>>>>>>>> found that when I use taint2, after it loads panda_taint2.so, it
>>> >>>>>>>>> shows: "taint2:instructed not to inline taint ops .success".
>>> >>>>>>>>>
>>> >>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>> >>>>>>>>>>
>>> >>>>>>>>>> OK.
>>> >>>>>>>>>> 1. I want to use the taint plugin to get information about some
>>> >>>>>>>>>> functions (of course, it is closed-source), so I think I can
>>> >>>>>>>>>> stringsearch potential data and then taint them, and next I can
>>> >>>>>>>>>> locate the functions which solve these data.
>>> >>>>>>>>>>
>>> >>>>>>>>>> 2. The command line I used is:
>>> >>>>>>>>>> stringsearch:name=***;taint2:tainted_instructions=1.
>>> >>>>>>>>>>
>>> >>>>>>>>>> Thanks
>>> >>>>>>>>>>
>>> >>>>>>>>>>
>>> >>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt
>>> >>>>>>>>>> <brendandg at gatech.edu>:
>>> >>>>>>>>>>>
>>> >>>>>>>>>>> Could you provide:
>>> >>>>>>>>>>>
>>> >>>>>>>>>>> 1. What information you're trying to get
>>> >>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2
>>> >>>>>>>>>>> plugin
>>> >>>>>>>>>>>
>>> >>>>>>>>>>> ?
>>> >>>>>>>>>>>
>>> >>>>>>>>>>> Right now I believe taint2 does not produce very much output by
>>> >>>>>>>>>>> default. Instead you use the -pandalog <filename> command line option, and
>>> >>>>>>>>>>> taint2 will write its results there in pandalog format; you can then read
>>> >>>>>>>>>>> them using pandalog_reader (see panda/pandalog_reader.c for details on that
>>> >>>>>>>>>>> tool).
>>> >>>>>>>>>>>
>>> >>>>>>>>>>> -Brendan
>>> >>>>>>>>>>>
>>> >>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li
>>> >>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>>> >>>>>>>>>>>>
>>> >>>>>>>>>>>> When I tried taint2, it showed the same error as taint1; the
>>> >>>>>>>>>>>> only difference is that taint2 has no segfault error, just
>>> >>>>>>>>>>>> uninit taint plugin.
>>> >>>>>>>>>>>>
>>> >>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt
>>> >>>>>>>>>>>> <brendandg at gatech.edu>:
>>> >>>>>>>>>>>>>
>>> >>>>>>>>>>>>> Could you be a little more descriptive about how it failed?
>>> >>>>>>>>>>>>> Segfault? Error message? Incorrect output?
>>> >>>>>>>>>>>>>
>>> >>>>>>>>>>>>> -Brendan
>>> >>>>>>>>>>>>>
>>> >>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li
>>> >>>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>>> >>>>>>>>>>>>>>
>>> >>>>>>>>>>>>>> I tried taint2 too; it failed.
>>> >>>>>>>>>>>>>>
>>> >>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL
>>> >>>>>>>>>>>>>> <tleek at ll.mit.edu>:
>>> >>>>>>>>>>>>>>>
>>> >>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>>> >>>>>>>>>>>>>>> “taint2” is the one we are actively using and developing.
>>> >>>>>>>>>>>>>>>
>>> >>>>>>>>>>>>>>>
>>> >>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>> >>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>> >>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>> >>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>> >>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>> >>>>>>>>>>>>>>>
>>> >>>>>>>>>>>>>>> Could you run that under gdb and provide us with a backtrace
>>> >>>>>>>>>>>>>>> when it crashes?
>>> >>>>>>>>>>>>>>>
>>> >>>>>>>>>>>>>>> -Brendan
>>> >>>>>>>>>>>>>>>
>>> >>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <xiaotan6666 at gmail.com>
>>> >>>>>>>>>>>>>>> wrote:
>>> >>>>>>>>>>>>>>>>
>>> >>>>>>>>>>>>>>>> Hi,
>>> >>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
>>> >>>>>>>>>>>>>>>> plugin: (stringsearch:name=***;taint:tainted_instructions=1)
>>> >>>>>>>>>>>>>>>> When I started it, it showed success:
>>> >>>>>>>>>>>>>>>>
>>> >>>>>>>>>>>>>>>>
>>> >>>>>>>>>>>>>>>> But when it finished searching, it showed "uninit taint
>>> >>>>>>>>>>>>>>>> plugin segementation fault"
>>> >>>>>>>>>>>>>>>>
>>> >>>>>>>>>>>>>>>>
>>> >>>>>>>>>>>>>>>> How can I fix it?
>>> >>>>>>>>>>>>>>>> Thanks a lot!
>>> >>>>>>>>>>>>>>>> --
>>> >>>>>>>>>>>>>>>> wait and hope~~
-- 
wait and hope~~
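One way to get the backtrace Brendan asks for in a single non-interactive run, and to check the saved gdb output afterwards, as an added example that is not code from this thread or from the PANDA project. The qemu-system-arm path, the replay name, the plugin string and the -replay/-panda/-pandalog option spellings are assumptions, and the gdb output it parses is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread or from PANDA): run a PANDA replay under
# gdb in batch mode so the crash and "bt" are captured to a file, then pull
# the frames out of that file. Option names and paths are assumptions.

# Compose the gdb batch command line: run PANDA, and on the crash print "bt".
panda_gdb_cmd() {
    qemu="$1"; replay="$2"; plugins="$3"; plog="$4"
    printf 'gdb -q -batch -ex run -ex bt --args %s -replay %s -panda %s -pandalog %s' \
        "$qemu" "$replay" "$plugins" "$plog"
}

# Did the saved gdb output record a segmentation fault? (exit status 0 = yes)
crashed_with_segv() {
    grep -q 'SIGSEGV' "$1"
}

# Count the backtrace frames ("#0 ...", "#1 ...") in the saved gdb output.
bt_frame_count() {
    grep -cE '^#[0-9]+ ' "$1"
}

# Print only the frames inside a PANDA plugin shared object: if the crash is
# there, a stale build is the first suspect, which is what the
# "make distclean; make" advice in the thread addresses.
plugin_frames() {
    grep -E '^#[0-9]+ .*panda_[a-z0-9_]+\.so' "$1"
}

# Constructed sample of gdb batch output (fake addresses and frame names)
# standing in for a real crash log, so the helpers above run offline.
SAMPLE_GDB_OUT=$(mktemp)
cat > "$SAMPLE_GDB_OUT" <<'EOF'
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff0000000 in fake_frame_0 () from panda_taint2.so
#0  0x00007ffff0000000 in fake_frame_0 () from panda_taint2.so
#1  0x00007ffff0000100 in fake_frame_1 () from panda_taint2.so
#2  0x0000000000401000 in fake_frame_2 ()
EOF

# Usage on the sample (plugin string mirrors the one used in the thread,
# with "pk" standing in for the masked stringsearch name).
panda_gdb_cmd ./arm-softmmu/qemu-system-arm myreplay \
    'stringsearch:name=pk;taint2:tainted_instructions=1' taint.plog; echo
crashed_with_segv "$SAMPLE_GDB_OUT" && echo "segfault, $(bt_frame_count "$SAMPLE_GDB_OUT") frames"
plugin_frames "$SAMPLE_GDB_OUT"
```

Redirect the gdb command's output to a file (2>&1) and run the three check functions on that file instead of the sample.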