[panda-users] taint segmentation fault

xiaojuan Li xiaotan6666 at gmail.com
Mon Apr 13 10:05:13 EDT 2015


Yeah, I did not get a seg fault when I reproduced the tainted instructions
tutorial.
Thanks very much for your patience!
You guys' work is great! Do not say sorry.

My command line is (in the /qemu/arm-softmmu directory):

    ./qemu-system-arm -m 2G -replay ime4-13 -M android_arm -kernel /dev/null -android -panda "stringsearch:name=1;tstringsearch;tainted_instr"

The content of 1_search_strings.txt is: "cipher"
Here is my .rr file:
http://pan.baidu.com/s/1gdCfTSn
(Sorry for taking so long to upload the .rr.)

Thanks again!


2015-04-13 8:58 GMT-04:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>:

>  Uninit taint plugin *should* display at the end of the run.  That is not
> an error.  It is just a message.  You aren't getting a seg fault when you
> reproduce the tainted instructions tutorial, though.  Right?
>
> I don't know what's wrong with your android run.  We could try to
> reproduce and debug.  Can you give us your replay?  Package it up with
> scripts/rrpack.py.  Stick the .rr file somewhere we can get it.  And give
> us your complete command line.  And the string search file.
>
> That said -- we are fairly swamped right now.  So might take a bit.  Sorry!
>
> Cheers.
>
> Tim
>
> ------------------------------
> From: xiaojuan Li [xiaotan6666 at gmail.com]
> Sent: Monday, April 13, 2015 8:27 AM
> To: Leek, Timothy - 0559 - MITLL; panda-users at mit.edu; Brendan
> Dolan-Gavitt
>
> Subject: Re: [panda-users] taint segmentation fault
>
> Let me describe how I get my test snp:
> First I boot the android emulator, begin_record, do some operations in the
> emulator, end_record. Then I use it to replay to taint the data I input
> before.
> (By the way, though I can get the result of the tutorial, it shows "uninit
> taint plugin" at the end of the result.)
> Thanks!
>
> 2015-04-13 8:14 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>
>> Thanks first.
>> I tried it before and can get the result described in the tutorial, but
>> when I turn to my snp, it still shows "segfault".
>>
>>
>> 2015-04-13 7:26 GMT-04:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>:
>>
>>
>>> Maybe try git pull.  Then make distclean in qemu dir.  Then make.
>>> Then try the tutorial.  Should work.
>>>  --
>>> Tim Leek
>>> Technical Staff
>>> Cyber System Assessments
>>> MIT Lincoln Laboratory
>>> 781-981-2975
>>>
>>>
>>>   From: xiaojuan Li <xiaotan6666 at gmail.com>
>>> Date: Sunday, April 12, 2015 at 11:41 PM
>>> To: Brendan Dolan-Gavitt <brendandg at gatech.edu>, "panda-users at mit.edu" <
>>> panda-users at mit.edu>
>>>
>>> Subject: Re: [panda-users] taint segmentation fault
>>>
>>> Yeah. I fail to taint both when using sshkeygen and my test snp.
>>> Here is the result of following the steps in the tutorial:
>>> Thanks!
>>>
>>> 2015-04-13 11:34 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>
>>>> Are you able to follow the steps in the tutorial (using the sshkeygen
>>>> replay)? Or does that fail as well?
>>>>
>>>> -Brendan
>>>>
>>>> On Sun, Apr 12, 2015 at 11:27 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>> wrote:
>>>> > Thanks first. I cannot either.
>>>> > Just segfault while tainting.
>>>> >
>>>> >
>>>> > 2015-04-13 4:52 GMT+08:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>:
>>>> >>
>>>> >> Also, just a check.  Are you able to reproduce the results here?
>>>> >>
>>>> >> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>>>> >>
>>>> >> --
>>>> >> Tim Leek
>>>> >> Technical Staff
>>>> >> Cyber System Assessments
>>>> >> MIT Lincoln Laboratory
>>>> >> 781-981-2975
>>>> >>
>>>> >>
>>>> >> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>> >> Date: Sunday, April 12, 2015 at 4:04 PM
>>>> >>
>>>> >> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>> >> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>> >> Subject: Re: [panda-users] taint segmentation fault
>>>> >>
>>>> >> A few things:
>>>> >>
>>>> >> 1. Did you make sure to do a make clean and then re-run build.sh after
>>>> >> updating? I got a segfault just after taint was turned on as well until I
>>>> >> did a make clean and re-ran build.sh.
>>>> >> 2. Are you running this on a 64-bit system? What kernel version?
>>>> >>
>>>> >> -Brendan
>>>> >>
>>>> >> On Sun, Apr 12, 2015 at 9:16 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>> >> wrote:
>>>> >>>
>>>> >>> Any suggestions about the segmentation fault?
>>>> >>> And after my test, I made sure it is not caused by insufficient
>>>> >>> memory.
>>>> >>> Thanks a lot!
>>>> >>>
>>>> >>> 2015-04-11 11:59 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>> >>>>
>>>> >>>> Excuse me:
>>>> >>>> I try to fix the segmentation error
>>>> >>>> and find this piece of code:
>>>> >>>>
>>>> >>>> Do you mean that it doesn't support so large a byte? Or it doesn't
>>>> >>>> support android arm?
>>>> >>>> In the doc I noticed that network tainting is not supported for the arm
>>>> >>>> architecture, and the string I tainted was something that may go through
>>>> >>>> the network.
>>>> >>>>
>>>> >>>> Thanks!
>>>> >>>>
>>>> >>>>
>>>> >>>>
>>>> >>>>
>>>> >>>>
>>>> >>>> 2015-04-09 21:30 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>> >>>>>
>>>> >>>>> Now that the panda taint.md is not fresh, can you guys give me
>>>> >>>>> some help?
>>>> >>>>> I use the replay plugin; here is my command and the result.
>>>> >>>>>
>>>> >>>>> The content of pk_search_strings.txt is: "sdt"
>>>> >>>>>
>>>> >>>>> I am confused here: in the paper (Repeatable reverse with panda)
>>>> >>>>> it is clear that if I use the stringsearch and taint plugin, when
>>>> >>>>> it matches, the taint label will be put and then taint action will
>>>> >>>>> start. But when I use it, it seems wrong (the picture showed before):
>>>> >>>>> no taint action executes, and I am confused about the tstringsearch's
>>>> >>>>> result.
>>>> >>>>> How can I use it for analysis?
>>>> >>>>> Thanks a lot!
>>>> >>>>>
>>>> >>>>>
>>>> >>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>> >>>>>>
>>>> >>>>>> I get the replay file by running the runandroid script, and I use the
>>>> >>>>>> qemu-system-arm command just to do some replay work.
>>>> >>>>>> I may not understand you at all in this email. Do you mean that I
>>>> >>>>>> should gdb the original program rather than the record file?
>>>> >>>>>> Thanks
>>>> >>>>>>
>>>> >>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>> >>>>>>>
>>>> >>>>>>> Hmm. gdb should normally stop when you get a segfault.
>>>> >>>>>>>
>>>> >>>>>>> Are you by any chance running PANDA using the runandroid script? If
>>>> >>>>>>> so, you will need to instead invoke PANDA manually, i.e.:
>>>> >>>>>>>
>>>> >>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>> >>>>>>>
>>>> >>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>>>> >>>>>>> backtrace.
>>>> >>>>>>>
>>>> >>>>>>> -Brendan
>>>> >>>>>>>
>>>> >>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>>>> >>>>>>>>
>>>> >>>>>>>> When running gdb, it shows:
>>>> >>>>>>>> and then I see the log; it shows segfault:
>>>> >>>>>>>>
>>>> >>>>>>>>
>>>> >>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>> >>>>>>>>>
>>>> >>>>>>>>> Maybe I am wrong.
>>>> >>>>>>>>> I use the command
>>>> >>>>>>>>> line: "taint2:label_mode=binary,query_outgoing_network=1" and I
>>>> >>>>>>>>> found that when I use taint2, after it loads panda_taint2.so, it
>>>> >>>>>>>>> shows: "taint2:instructed not to inline taint ops .success".
>>>> >>>>>>>>>
>>>> >>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>> >>>>>>>>>>
>>>> >>>>>>>>>> OK.
>>>> >>>>>>>>>> 1. I want to use the taint plugin to get information about some
>>>> >>>>>>>>>> functions (of course, it is closed-source), so I think I can
>>>> >>>>>>>>>> stringsearch potential data and then taint them, and next I can
>>>> >>>>>>>>>> locate the functions which solve these data.
>>>> >>>>>>>>>>
>>>> >>>>>>>>>> 2. The command line I used is:
>>>> >>>>>>>>>> stringsearch:name=***;taint2:tainted_instructions=1
>>>> >>>>>>>>>>
>>>> >>>>>>>>>> Thanks
>>>> >>>>>>>>>>
>>>> >>>>>>>>>>
>>>> >>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt
>>>> >>>>>>>>>> <brendandg at gatech.edu>:
>>>> >>>>>>>>>>>
>>>> >>>>>>>>>>> Could you provide:
>>>> >>>>>>>>>>>
>>>> >>>>>>>>>>> 1. What information you're trying to get
>>>> >>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2
>>>> >>>>>>>>>>> plugin
>>>> >>>>>>>>>>>
>>>> >>>>>>>>>>> ?
>>>> >>>>>>>>>>>
>>>> >>>>>>>>>>> Right now I believe taint2 does not produce very much output by
>>>> >>>>>>>>>>> default. Instead you use the -pandalog <filename> command line
>>>> >>>>>>>>>>> option, and taint2 will write its results there in pandalog format;
>>>> >>>>>>>>>>> you can then read them using pandalog_reader (see
>>>> >>>>>>>>>>> panda/pandalog_reader.c for details on that tool).
>>>> >>>>>>>>>>>
>>>> >>>>>>>>>>> -Brendan
>>>> >>>>>>>>>>>
>>>> >>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li
>>>> >>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>>>> >>>>>>>>>>>>
>>>> >>>>>>>>>>>> When I tried taint2, it showed the same error as taint1; the
>>>> >>>>>>>>>>>> only difference is that taint2 has no segfault error, just uninit
>>>> >>>>>>>>>>>> taint plugin.
>>>> >>>>>>>>>>>>
>>>> >>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt
>>>> >>>>>>>>>>>> <brendandg at gatech.edu>:
>>>> >>>>>>>>>>>>>
>>>> >>>>>>>>>>>>> Could you be a little more descriptive about how it failed?
>>>> >>>>>>>>>>>>> Segfault? Error message? Incorrect output?
>>>> >>>>>>>>>>>>>
>>>> >>>>>>>>>>>>> -Brendan
>>>> >>>>>>>>>>>>>
>>>> >>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li
>>>> >>>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>>>> >>>>>>>>>>>>>>
>>>> >>>>>>>>>>>>>> I tried taint2 too; it failed.
>>>> >>>>>>>>>>>>>>
>>>> >>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL
>>>> >>>>>>>>>>>>>> <tleek at ll.mit.edu>:
>>>> >>>>>>>>>>>>>>>
>>>> >>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>>>> >>>>>>>>>>>>>>> “taint2” is the one we are actively using and developing.
>>>> >>>>>>>>>>>>>>> --
>>>> >>>>>>>>>>>>>>> Tim Leek
>>>> >>>>>>>>>>>>>>> Technical Staff
>>>> >>>>>>>>>>>>>>> Cyber System Assessments
>>>> >>>>>>>>>>>>>>> MIT Lincoln Laboratory
>>>> >>>>>>>>>>>>>>> 781-981-2975
>>>> >>>>>>>>>>>>>>>
>>>> >>>>>>>>>>>>>>>
>>>> >>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>> >>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>> >>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>> >>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>> >>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>> >>>>>>>>>>>>>>>
>>>> >>>>>>>>>>>>>>> Could you run that under gdb and provide us with a backtrace
>>>> >>>>>>>>>>>>>>> when it crashes?
>>>> >>>>>>>>>>>>>>>
>>>> >>>>>>>>>>>>>>> -Brendan
>>>> >>>>>>>>>>>>>>>
>>>> >>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>>>> >>>>>>>>>>>>>>>>
>>>> >>>>>>>>>>>>>>>> Hi,
>>>> >>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
>>>> >>>>>>>>>>>>>>>> plugin: (stringsearch:name=***;taint:tainted_instructions=1)
>>>> >>>>>>>>>>>>>>>> When I started it showed success:
>>>> >>>>>>>>>>>>>>>>
>>>> >>>>>>>>>>>>>>>> but when it finished the search, it showed "uninit taint
>>>> >>>>>>>>>>>>>>>> plugin segmentation fault".
>>>> >>>>>>>>>>>>>>>>
>>>> >>>>>>>>>>>>>>>> How can I fix it?
>>>> >>>>>>>>>>>>>>>> Thanks a lot!
>>>> >>>>>>>>>>>>>>>> --
>>>> >>>>>>>>>>>>>>>> wait and hope~~
>>>> >>>>>>>>>>>>>> _______________________________________________
>>>> >>>>>>>>>>>>>> panda-users mailing list
>>>> >>>>>>>>>>>>>> panda-users at mit.edu
>>>> >>>>>>>>>>>>>> http://mailman.mit.edu/mailman/listinfo/panda-users



-- 
wait and hope~~