[panda-users] taint segmentation fault

Leek, Timothy - 0559 - MITLL tleek at ll.mit.edu
Mon Apr 13 08:58:37 EDT 2015


Uninit taint plugin *should* display at the end of the run.  That is not an error.  It is just a message.  You aren't getting a seg fault when you reproduce the tainted instructions tutorial, though.  Right?

I don't know what's wrong with your android run.  We could try to reproduce and debug.  Can you give us your replay?  Package it up with scripts/rrpack.py.  Stick the .rr file somewhere we can get it.  And give us your complete command line.  And the string search file.

That said -- we are fairly swamped right now.  So might take a bit.  Sorry!

Cheers.

Tim

________________________________
From: xiaojuan Li [xiaotan6666 at gmail.com]
Sent: Monday, April 13, 2015 8:27 AM
To: Leek, Timothy - 0559 - MITLL; panda-users at mit.edu; Brendan Dolan-Gavitt
Subject: Re: [panda-users] taint segmentation fault

Let me describe how I get my test snp:
First I boot the Android emulator, begin_record, do some operations in the emulator, end_record. Then I use it to replay, to taint the data I input before.
(By the way, though I can get the result of the tutorial, it shows "uninit taint plugin" at the end of the result.)
Thanks!

2015-04-13 8:14 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:
Thanks first.
I tried it before and can get the result described in the tutorial, but when I turn to my snp, it still shows "segfault".


2015-04-13 7:26 GMT-04:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>:

Maybe try git pull.  Then make distclean in qemu dir.  Then make.  Then try the tutorial.  Should work.
--
Tim Leek
Technical Staff
Cyber System Assessments
MIT Lincoln Laboratory
781-981-2975


From: xiaojuan Li <xiaotan6666 at gmail.com>
Date: Sunday, April 12, 2015 at 11:41 PM
To: Brendan Dolan-Gavitt <brendandg at gatech.edu>, "panda-users at mit.edu" <panda-users at mit.edu>

Subject: Re: [panda-users] taint segmentation fault

Yeah. I fail to taint both when using sshkeygen and my test snp.
Here is the result of following the steps in the tutorial:
[inline screenshot (attachment feedback-33.png)]
Thanks!

2015-04-13 11:34 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
Are you able to follow the steps in the tutorial (using the sshkeygen
replay)? Or does that fail as well?

-Brendan

On Sun, Apr 12, 2015 at 11:27 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> Thanks first. I cannot either.
> Just a segfault while tainting.
>
>
> 2015-04-13 4:52 GMT+08:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>:
>>
>> Also, just a check.  Are you able to reproduce the results here?
>>
>> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>>
>> --
>> Tim Leek
>> Technical Staff
>> Cyber System Assessments
>> MIT Lincoln Laboratory
>> 781-981-2975
>>
>>
>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>> Date: Sunday, April 12, 2015 at 4:04 PM
>>
>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>> Subject: Re: [panda-users] taint segmentation fault
>>
>> A few things:
>>
>> 1. Did you make sure to do a make clean and then re-run build.sh after
>> updating? I got a segfault just after taint was turned on as well until I
>> did a make clean and re-ran build.sh.
>> 2. Are you running this on a 64-bit system? What kernel version?
>>
>> -Brendan
>>
>> On Sun, Apr 12, 2015 at 9:16 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>> wrote:
>>>
>>> Any suggestions about the segmentation fault?
>>> And after my test, I made sure it is not caused by insufficient memory.
>>> Thanks a lot!
>>>
>>> 2015-04-11 11:59 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>
>>>> Excuse me:
>>>> I tried to fix the segmentation error
>>>> and found this piece of code:
>>>>
>>>> Do you mean that it doesn't support such a large byte size? Or that it isn't
>>>> supported for Android ARM?
>>>> In the doc I noticed that network tainting is not supported for the ARM
>>>> architecture, and the string I tainted was something that may go through the
>>>> network.
>>>>
>>>> Thanks!
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> 2015-04-09 21:30 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>
>>>>> Now that the PANDA taint.md is not fresh, can you guys give me some
>>>>> help?
>>>>> I use the replay plugin; here are my command and the result.
>>>>>
>>>>> The content of pk_search_strings.txt is: "sdt"
>>>>>
>>>>> I am confused here: in the paper "Repeatable Reverse Engineering with PANDA"
>>>>> it is clear that if I use the stringsearch and taint plugins, when it
>>>>> matches, the taint label will be applied and then the taint action will start. But
>>>>> when I use it, it seems wrong (the picture shown before): no taint action
>>>>> executes, and I am confused about tstringsearch's result.
>>>>> How can I use it for analysis?
>>>>> Thanks a lot!
>>>>>
>>>>>
>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>
>>>>>> I get the replay file by running the runandroid script, and I use the
>>>>>> qemu-system-arm command just to do some replay work.
>>>>>> I may not understand you at all in this email. Do you mean that I should
>>>>>> gdb the original program rather than the record file?
>>>>>> Thanks
>>>>>>
>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>>>>>
>>>>>>> Hmm. gdb should normally stop when you get a segfault.
>>>>>>>
>>>>>>> Are you by any chance running PANDA using the runandroid script? If
>>>>>>> so, you will need to instead invoke PANDA manually, i.e.:
>>>>>>>
>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>>>>>
>>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>>>>>>> backtrace.
>>>>>>>
>>>>>>> -Brendan
>>>>>>>
>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> When I run gdb, it shows:
>>>>>>>> And then I see the log; it shows a segfault:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>
>>>>>>>>> Maybe I am wrong.
>>>>>>>>> I use the command line
>>>>>>>>> "taint2:label_mode=binary,query_outgoing_network=1" and I found that
>>>>>>>>> when I use taint2, after it loads panda_taint2.so, it
>>>>>>>>> shows: "taint2: instructed not to inline taint ops. success".
>>>>>>>>>
>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>
>>>>>>>>>> OK.
>>>>>>>>>> 1. I want to use the taint plugin to get information about some
>>>>>>>>>> functions (of course, it is closed-source), so I think I can stringsearch
>>>>>>>>>> potential data and then taint it, and next I can locate the functions which
>>>>>>>>>> handle this data.
>>>>>>>>>>
>>>>>>>>>> 2. The command line I used is:
>>>>>>>>>> stringsearch:name=***;taint2:tainted_instructions=1
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt
>>>>>>>>>> <brendandg at gatech.edu>:
>>>>>>>>>>>
>>>>>>>>>>> Could you provide:
>>>>>>>>>>>
>>>>>>>>>>> 1. What information you're trying to get
>>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2
>>>>>>>>>>> plugin
>>>>>>>>>>>
>>>>>>>>>>> ?
>>>>>>>>>>>
>>>>>>>>>>> Right now I believe taint2 does not produce very much output by
>>>>>>>>>>> default. Instead you use the -pandalog <filename> command line option, and
>>>>>>>>>>> taint2 will write its results there in pandalog format; you can then read
>>>>>>>>>>> them using pandalog_reader (see panda/pandalog_reader.c for details on that
>>>>>>>>>>> tool).
>>>>>>>>>>>
>>>>>>>>>>> -Brendan
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li
>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> When I tried taint2, it showed the same error as taint1; the
>>>>>>>>>>>> only difference is that taint2 has no segfault error, just "uninit taint
>>>>>>>>>>>> plugin".
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt
>>>>>>>>>>>> <brendandg at gatech.edu>:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Could you be a little more descriptive about how it failed?
>>>>>>>>>>>>> Segfault? Error message? Incorrect output?
>>>>>>>>>>>>>
>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li
>>>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I tried taint2 too; it failed.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL
>>>>>>>>>>>>>> <tleek at ll.mit.edu>:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>>>>>>>>>>>>>>> “taint2” is the one we are actively using and developing.
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Tim Leek
>>>>>>>>>>>>>>> Technical Staff
>>>>>>>>>>>>>>> Cyber System Assessments
>>>>>>>>>>>>>>> MIT Lincoln Laboratory
>>>>>>>>>>>>>>> 781-981-2975
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a backtrace
>>>>>>>>>>>>>>> when it crashes?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
>>>>>>>>>>>>>>>> plugin (stringsearch:name=***;taint:tainted_instructions=1).
>>>>>>>>>>>>>>>> When I started it, it showed success:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> But when it finished searching, it showed "uninit taint plugin
>>>>>>>>>>>>>>>> segmentation fault".
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> How can I fix it?
>>>>>>>>>>>>>>>> Thanks a lot!
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> panda-users mailing list
>>>>>>>>>>>>>> panda-users at mit.edu
>>>>>>>>>>>>>> http://mailman.mit.edu/mailman/listinfo/panda-users
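The gdb procedure Brendan describes in the thread (invoke PANDA directly under gdb --args instead of via the runandroid script, let it crash, type bt), scripted so the backtrace lands in a file that can be attached to a report. This is an added example, not PANDA code. It assumes gdb and a C compiler named cc are on PATH, and it uses a constructed null-pointer write as the crashing program in place of qemu-system-arm; the PANDA invocation appears only in a comment with its arguments elided, exactly as the thread leaves them.

```shell
#!/bin/sh
# Added example, not PANDA project code: capture a gdb backtrace of a crashing
# command without an interactive session, so the trace can be attached to a
# mailing-list report. It scripts the manual steps from the thread:
#   gdb --args arm-softmmu/qemu-system-arm [...]   then "run", then "bt".
# Assumes gdb (and, for the demo, a C compiler "cc") are on PATH.

# capture_backtrace LOGFILE CMD [ARGS...]
#   Runs CMD under gdb in batch mode and writes gdb's output to LOGFILE.
#   Returns 0 if a stack frame was captured, 1 if the run produced no usable
#   backtrace, 2 if gdb is missing or could not trace the process.
capture_backtrace() {
    log=$1; shift
    command -v gdb >/dev/null 2>&1 || { echo "gdb not found" >&2; return 2; }
    # -batch: exit after the commands finish; -ex run: start the program;
    # -ex bt: print the stack when it stops (e.g. on SIGSEGV).
    gdb -batch -ex run -ex bt --args "$@" >"$log" 2>&1 || true
    # Caveat: gdb needs ptrace permission; hardened containers often deny it.
    if grep -qi 'ptrace' "$log"; then
        echo "gdb could not trace the process (ptrace denied?)" >&2
        return 2
    fi
    # Frame lines look like "#0  boom (p=0x0) at crash.c:3"; none means no crash seen.
    grep -q '^#0 ' "$log"
}

# demo_crash: builds a constructed null-pointer write (standing in for the
# crashing qemu-system-arm) and runs it through capture_backtrace.
# Returns 0 on success, 1 on failure, 2 if the tooling is unavailable.
demo_crash() {
    command -v cc >/dev/null 2>&1 || { echo "cc not found" >&2; return 2; }
    dir=$(mktemp -d) || return 1
    cat >"$dir/crash.c" <<'EOF'
/* Constructed crasher for the demo; not from PANDA. */
#include <stdio.h>
static void boom(volatile int *p) { *p = 1; }          /* writes through NULL */
int main(void) { puts("starting"); boom((volatile int *)0); return 0; }
EOF
    rc=0
    # -g keeps symbols so the backtrace names boom() and main().
    cc -g -O0 -o "$dir/crash" "$dir/crash.c" || rc=1
    [ "$rc" -eq 0 ] && { capture_backtrace "$dir/bt.txt" "$dir/crash" || rc=$?; }
    # With symbols present, the crashing frame must be visible by name.
    [ "$rc" -eq 0 ] && ! grep -q 'boom' "$dir/bt.txt" && rc=1
    [ "$rc" -eq 0 ] && cat "$dir/bt.txt"
    rm -rf "$dir"
    return $rc
}

# Against PANDA the call is the same, with the replay command line in place of
# the demo binary (illustrative; supply your own arguments):
#   capture_backtrace panda-bt.txt arm-softmmu/qemu-system-arm [...]
demo_crash && echo "backtrace captured" || echo "demo returned $?"
```

If the '#0' check fails on a real PANDA run, the process exited without gdb seeing a signal, which usually means the crash depends on the plugin arguments or the replay you passed; re-check that you ran the same command line that segfaulted outside gdb. A return of 2 after "ptrace" appears in the log is an environment problem (seccomp or a missing CAP_SYS_PTRACE in a container), not a PANDA bug.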