[panda-users] taint segmentation fault

xiaojuan Li xiaotan6666 at gmail.com
Mon Apr 20 19:35:40 EDT 2015


Sorry, I took the wrong version of my test file...
I am going to upload the right one.

2015-04-13 10:05 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:

> Yeah, I did not get a seg fault when I reproduced the tainted instructions
> tutorial.
> Thanks very much for your patience!
> Your guys' work is great! Do not say sorry.
>
> My command line is (in the /qemu/arm-softmmu directory): ./qemu-system-arm -m 2G
> -replay ime4-13 -M android_arm -kernel /dev/null -android -panda
> "stringsearch:name=1;tstringsearch;tainted_instr";
> the content of 1_search_strings.txt is: "cipher";
> here is my .rr file:
> http://pan.baidu.com/s/1gdCfTSn
> (sorry for taking so long to upload the .rr)
>
> Thanks again!
>
>
> 2015-04-13 8:58 GMT-04:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>:
>
>> Uninit taint plugin *should* display at the end of the run.  That is not
>> an error.  It is just a message.  You aren't getting a seg fault when you
>> reproduce the tainted instructions tutorial, though.  Right?
>>
>> I don't know what's wrong with your android run.  We could try to
>> reproduce and debug.  Can you give us your replay?  Package it up with
>> scripts/rrpack.py.  Stick the .rr file somewhere we can get it.  And give
>> us your complete command line.  And the string search file.
>>
>> That said -- we are fairly swamped right now.  So might take a bit.
>> Sorry!
>>
>> Cheers.
>>
>> Tim
>>
>>  ------------------------------
>> *From:* xiaojuan Li [xiaotan6666 at gmail.com]
>> *Sent:* Monday, April 13, 2015 8:27 AM
>> *To:* Leek, Timothy - 0559 - MITLL; panda-users at mit.edu; Brendan
>> Dolan-Gavitt
>>
>> *Subject:* Re: [panda-users] taint segmentation fault
>>
>> Let me describe how I get my test snp:
>> First I boot the Android emulator, begin_record, do some operations in the
>> emulator, end_record. Then I use it to replay to taint the data I input
>> before.
>> (By the way, though I can get the result of the tutorial, it shows
>> "uninit taint plugin" at the end of the result.)
>> Thanks!
>>
>> 2015-04-13 8:14 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>
>>> Thanks first.
>>> I tried it before and can get the result described in the tutorial, but
>>> when I turn to my snp, it still shows "segfault".
>>>
>>>
>>> 2015-04-13 7:26 GMT-04:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu
>>> >:
>>>
>>>> Maybe try git pull.  Then make distclean in qemu dir.  Then make.
>>>> Then try the tutorial.  Should work.
>>>>  --
>>>> Tim Leek
>>>> Technical Staff
>>>> Cyber System Assessments
>>>> MIT Lincoln Laboratory
>>>> 781-981-2975
>>>>
>>>>
>>>> From: xiaojuan Li <xiaotan6666 at gmail.com>
>>>> Date: Sunday, April 12, 2015 at 11:41 PM
>>>> To: Brendan Dolan-Gavitt <brendandg at gatech.edu>, "panda-users at mit.edu"
>>>> <panda-users at mit.edu>
>>>>
>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>
>>>> Yeah. I fail to taint both when using sshkeygen and my test snp.
>>>> Here is the result of following the steps in the tutorial:
>>>> Thanks!
>>>>
>>>> 2015-04-13 11:34 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>>
>>>>> Are you able to follow the steps in the tutorial (using the sshkeygen
>>>>> replay)? Or does that fail as well?
>>>>>
>>>>> -Brendan
>>>>>
>>>>> On Sun, Apr 12, 2015 at 11:27 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>> wrote:
>>>>> > Thanks first. I cannot either.
>>>>> > Just segfault while tainting.
>>>>> >
>>>>> >
>>>>> > 2015-04-13 4:52 GMT+08:00 Leek, Timothy - 0559 - MITLL <
>>>>> tleek at ll.mit.edu>:
>>>>> >>
>>>>> >> Also, just a check.  Are you able to reproduce the results here?
>>>>> >>
>>>>> >>
>>>>> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>>>>> >>
>>>>> >> --
>>>>> >> Tim Leek
>>>>> >> Technical Staff
>>>>> >> Cyber System Assessments
>>>>> >> MIT Lincoln Laboratory
>>>>> >> 781-981-2975
>>>>> >>
>>>>> >>
>>>>> >> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>> >> Date: Sunday, April 12, 2015 at 4:04 PM
>>>>> >>
>>>>> >> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>> >> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>> >> Subject: Re: [panda-users] taint segmentation fault
>>>>> >>
>>>>> >> A few things:
>>>>> >>
>>>>> >> 1. Did you make sure to do a make clean and then re-run build.sh after
>>>>> >> updating? I got a segfault just after taint was turned on as well until I
>>>>> >> did a make clean and re-ran build.sh.
>>>>> >> 2. Are you running this on a 64-bit system? What kernel version?
>>>>> >>
>>>>> >> -Brendan
>>>>> >>
>>>>> >> On Sun, Apr 12, 2015 at 9:16 AM, xiaojuan Li <xiaotan6666 at gmail.com
>>>>> >
>>>>> >> wrote:
>>>>> >>>
>>>>> >>> Any suggestions about the segmentation fault?
>>>>> >>> And after my test, I make sure it is not caused by insufficient
>>>>> >>> memory.
>>>>> >>> Thanks a lot!
>>>>> >>>
>>>>> >>> 2015-04-11 11:59 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>> >>>>
>>>>> >>>> Excuse me:
>>>>> >>>> I try to fix the segmentation error
>>>>> >>>> and find this piece of code:
>>>>> >>>>
>>>>> >>>> Do you mean that it doesn't support so large a byte? Or that it doesn't
>>>>> >>>> support Android ARM?
>>>>> >>>> In the doc I noticed that network tainting is not supported for the ARM
>>>>> >>>> architecture, and the string I tainted was something that may go
>>>>> >>>> through the network.
>>>>> >>>>
>>>>> >>>> Thanks!
>>>>> >>>>
>>>>> >>>>
>>>>> >>>>
>>>>> >>>>
>>>>> >>>>
>>>>> >>>> 2015-04-09 21:30 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>> >>>>>
>>>>> >>>>> Now that the panda taint.md is not fresh, can you guys give me some
>>>>> >>>>> help?
>>>>> >>>>> I use the replay plugin; here is my command and the result.
>>>>> >>>>>
>>>>> >>>>>
>>>>> >>>>> The content of pk_search_strings.txt is: "sdt"
>>>>> >>>>>
>>>>> >>>>> I am confused here: in the paper "Repeatable reverse with panda"
>>>>> >>>>> it is clear that if I use the stringsearch and taint plugin, when it
>>>>> >>>>> matches, the taint label will be put and then taint action will
>>>>> >>>>> start. But when I use it, it seems wrong (the picture showed before): no
>>>>> >>>>> taint action executes, and I am confused about the tstringsearch's result.
>>>>> >>>>> How can I use it to analyze?
>>>>> >>>>> Thanks a lot!
>>>>> >>>>>
>>>>> >>>>>
>>>>> >>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>> >>>>>>
>>>>> >>>>>> I get the replay file by running the runandroid script, and I use the
>>>>> >>>>>> qemu-system-arm command just to do some replay work.
>>>>> >>>>>> I may not understand you at all in this email. Do you mean that I
>>>>> >>>>>> should gdb the original program rather than the record file?
>>>>> >>>>>> Thanks
>>>>> >>>>>>
>>>>> >>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <
>>>>> brendandg at gatech.edu>:
>>>>> >>>>>>>
>>>>> >>>>>>> Hmm. gdb should normally stop when you get a segfault.
>>>>> >>>>>>>
>>>>> >>>>>>> Are you by any chance running PANDA using the runandroid script? If
>>>>> >>>>>>> so, you will need to instead invoke PANDA manually, i.e.:
>>>>> >>>>>>>
>>>>> >>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>>> >>>>>>>
>>>>> >>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>>>>> >>>>>>> backtrace.
>>>>> >>>>>>>
>>>>> >>>>>>> -Brendan
>>>>> >>>>>>>
>>>>> >>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <
>>>>> xiaotan6666 at gmail.com>
>>>>> >>>>>>> wrote:
>>>>> >>>>>>>>
>>>>> >>>>>>>> When I run gdb, it shows:
>>>>> >>>>>>>> and then I see the log; it shows segfault:
>>>>> >>>>>>>>
>>>>> >>>>>>>>
>>>>> >>>>>>>>
>>>>> >>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com
>>>>> >:
>>>>> >>>>>>>>>
>>>>> >>>>>>>>> Maybe I am wrong.
>>>>> >>>>>>>>> I use the command
>>>>> >>>>>>>>> line "taint2:label_mode=binary,query_outgoing_network=1" and
>>>>> >>>>>>>>> I found that
>>>>> >>>>>>>>> when I use taint2, after it loads panda_taint2.so, it
>>>>> >>>>>>>>> shows: "taint2:instructed not to inline taint ops .success".
>>>>> >>>>>>>>>
>>>>> >>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com
>>>>> >:
>>>>> >>>>>>>>>>
>>>>> >>>>>>>>>> OK.
>>>>> >>>>>>>>>> 1. I want to use the taint plugin to get information about some
>>>>> >>>>>>>>>> functions (of course, it is closed-source), so I think I can
>>>>> >>>>>>>>>> stringsearch potential data and then taint them, and next I can locate
>>>>> >>>>>>>>>> the functions which solve these data.
>>>>> >>>>>>>>>>
>>>>> >>>>>>>>>> 2. The command line I used is:
>>>>> >>>>>>>>>> stringsearch:name=***;taint2:tainted_instructions=1.
>>>>> >>>>>>>>>>
>>>>> >>>>>>>>>> Thanks
>>>>> >>>>>>>>>>
>>>>> >>>>>>>>>>
>>>>> >>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt
>>>>> >>>>>>>>>> <brendandg at gatech.edu>:
>>>>> >>>>>>>>>>>
>>>>> >>>>>>>>>>> Could you provide:
>>>>> >>>>>>>>>>>
>>>>> >>>>>>>>>>> 1. What information you're trying to get
>>>>> >>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2
>>>>> >>>>>>>>>>> plugin
>>>>> >>>>>>>>>>>
>>>>> >>>>>>>>>>> ?
>>>>> >>>>>>>>>>>
>>>>> >>>>>>>>>>> Right now I believe taint2 does not produce very much output by
>>>>> >>>>>>>>>>> default. Instead you use the -pandalog <filename> command line option, and
>>>>> >>>>>>>>>>> taint2 will write its results there in pandalog format; you can then read
>>>>> >>>>>>>>>>> them using pandalog_reader (see panda/pandalog_reader.c for details on that
>>>>> >>>>>>>>>>> tool).
>>>>> >>>>>>>>>>>
>>>>> >>>>>>>>>>> -Brendan
>>>>> >>>>>>>>>>>
>>>>> >>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li
>>>>> >>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>>>>> >>>>>>>>>>>>
>>>>> >>>>>>>>>>>> When I tried taint2, it showed the same error as taint1; the
>>>>> >>>>>>>>>>>> only difference is that taint2 has no segfault error, just uninit taint
>>>>> >>>>>>>>>>>> plugin.
>>>>> >>>>>>>>>>>>
>>>>> >>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt
>>>>> >>>>>>>>>>>> <brendandg at gatech.edu>:
>>>>> >>>>>>>>>>>>>
>>>>> >>>>>>>>>>>>> Could you be a little more descriptive about how it failed?
>>>>> >>>>>>>>>>>>> Segfault? Error message? Incorrect output?
>>>>> >>>>>>>>>>>>>
>>>>> >>>>>>>>>>>>> -Brendan
>>>>> >>>>>>>>>>>>>
>>>>> >>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li
>>>>> >>>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>>>>> >>>>>>>>>>>>>>
>>>>> >>>>>>>>>>>>>> I tried taint2 too, it failed.
>>>>> >>>>>>>>>>>>>>
>>>>> >>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL
>>>>> >>>>>>>>>>>>>> <tleek at ll.mit.edu>:
>>>>> >>>>>>>>>>>>>>>
>>>>> >>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>>>>> >>>>>>>>>>>>>>> “taint2” is the one we are actively using and developing.
>>>>> >>>>>>>>>>>>>>> --
>>>>> >>>>>>>>>>>>>>> Tim Leek
>>>>> >>>>>>>>>>>>>>> Technical Staff
>>>>> >>>>>>>>>>>>>>> Cyber System Assessments
>>>>> >>>>>>>>>>>>>>> MIT Lincoln Laboratory
>>>>> >>>>>>>>>>>>>>> 781-981-2975
>>>>> >>>>>>>>>>>>>>>
>>>>> >>>>>>>>>>>>>>>
>>>>> >>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>> >>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>>> >>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>> >>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>> >>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>> >>>>>>>>>>>>>>>
>>>>> >>>>>>>>>>>>>>> Could you run that under gdb and provide us with a
>>>>> backtrace
>>>>> >>>>>>>>>>>>>>> when it crashes?
>>>>> >>>>>>>>>>>>>>>
>>>>> >>>>>>>>>>>>>>> -Brendan
>>>>> >>>>>>>>>>>>>>>
>>>>> >>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <
>>>>> xiaotan6666 at gmail.com>
>>>>> >>>>>>>>>>>>>>> wrote:
>>>>> >>>>>>>>>>>>>>>>
>>>>> >>>>>>>>>>>>>>>> Hi,
>>>>> >>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
>>>>> >>>>>>>>>>>>>>>> plugin: (stringsearch:name=***;taint:tainted_instructions=1)
>>>>> >>>>>>>>>>>>>>>> When I started it, it showed success:
>>>>> >>>>>>>>>>>>>>>>
>>>>> >>>>>>>>>>>>>>>> But when it finished searching, it showed "uninit taint
>>>>> >>>>>>>>>>>>>>>> plugin segmentation fault"
>>>>> >>>>>>>>>>>>>>>>
>>>>> >>>>>>>>>>>>>>>> How can I fix it?
>>>>> >>>>>>>>>>>>>>>> Thanks a lot!
>>>>> >>>>>>>>>>>>>>>> --
>>>>> >>>>>>>>>>>>>>>> wait and hope~~



-- 
wait and hope~~