[panda-users] taint segmentation fault

Brendan Dolan-Gavitt brendandg at gatech.edu
Mon Apr 20 22:42:39 EDT 2015


I am currently running your taint replay, and it is (so far) working
fine. Here is the (slightly abbreviated) output I get:

api414-4-20:   783198179 ( 10.03%) instrs.  218.26 sec.  0.96 GB ram.
READ Match of str 0 at: instr_count=812336749 :  72a7562e b6cb2e02 0d36c000
tstringsearch: thestring = [passwordisqemu]
tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
tstringsearch: string in memory @ 0xa70d6212
enabling taint at instr count 812336749
taint2: __taint_enable_taint
taint2: Creating byte-level taint processor
taint2: Allocating large fast_shad (8589934592 bytes).
taint2: Hugetlb failed. Trying without.
taint2: Allocating small fast_shad (12800000 bytes) using malloc @ 7fdd165c6010.
taint2: Allocating small fast_shad (256 bytes) using malloc @ 7fdd0bec21a0.
taint2: Allocating small fast_shad (1024 bytes) using malloc @ 7fdcfc49ddc0.
taint2: Allocating small fast_shad (867840 bytes) using malloc @ 7fdcfc4e7db0.
taint2: Linking taint ops from
/scratch/git/pandroid/qemu/arm-softmmu/panda_plugins/panda_taint2_ops.bc
taint2: Done initializing taint transformation.
taint2: Done processing helper functions for taint.
taint2: Done verifying module. Running...

****************************************************************************
applying taint labels to search string of length 14  @ p=0xa70d6212
******************************************************************************
READ Match of str 0 at: instr_count=812336765 :  72a7562e b6cb2a2a 0d36c000
tstringsearch: thestring = [passwordisqemu]
tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
tstringsearch: string in memory @ 0xa70d6212

****************************************************************************
applying taint labels to search string of length 14  @ p=0xa70d6212
******************************************************************************
READ Match of str 0 at: instr_count=812337316 :  72a7562e b6cb2e4a 0d36c000
tstringsearch: thestring = [passwordisqemu]
tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
tstringsearch: string in memory @ 0xa70d6212

****************************************************************************
applying taint labels to search string of length 14  @ p=0xa70d6212
******************************************************************************
READ Match of str 0 at: instr_count=812337331 :  72a7562e b6cb2a2a 0d36c000
tstringsearch: thestring = [passwordisqemu]
tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
tstringsearch: string in memory @ 0xa70d6212

****************************************************************************
applying taint labels to search string of length 14  @ p=0xa70d6212
******************************************************************************
api414-4-20:   859399601 ( 11.00%) instrs.  658.13 sec.  3.27 GB ram.
api414-4-20:   937474512 ( 12.00%) instrs. 1017.48 sec.  4.70 GB ram.
api414-4-20:  1015597970 ( 13.00%) instrs. 1265.76 sec.  5.58 GB ram.

My command line to replay was:

arm-softmmu/qemu-system-arm -m 512 -replay api414-4-20 -M android_arm
-cpu cortex-a9 -android -kernel /dev/null -pandalog api.log -panda
'stringsearch:name=api;tstringsearch;tainted_instr'

From the screenshot you posted earlier, it looks like yours had
already failed by this point. If you are still getting a segfault with
this replay, could you post:

1. The full command line you are using (as text, not a screenshot)
2. The full output from PANDA up to the point where the segfault
happens (as text, not a screenshot)

-Brendan
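
[Added example, not part of the original message or of the PANDA project.
It parses the kind of console output shown above into a small summary:
where stringsearch matched, the instruction count at which taint2 was
enabled, the fast_shad allocation sizes, and how fast host memory grew
once taint was on. The regular expressions are assumptions about the
output format inferred from the lines quoted above, and the sample text
is constructed from those lines. The growth-rate and projection
functions go beyond the message: they are a check worth running when a
replay with taint enabled dies on a host with limited memory, to see
whether shadow memory growth alone would outrun the machine.]

```python
"""Summarise PANDA replay console output (added example; regexes are
assumptions inferred from the output quoted in the thread)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PROGRESS_RE = re.compile(
    r"^(?P<name>\S+):\s+(?P<instrs>\d+)\s+\(\s*(?P<pct>[\d.]+)%\)\s+instrs\.\s+"
    r"(?P<sec>[\d.]+)\s+sec\.\s+(?P<ram>[\d.]+)\s+GB ram\.$")
MATCH_RE = re.compile(
    r"^READ Match of str (?P<idx>\d+) at: instr_count=(?P<ic>\d+)\s*:\s*(?P<pcs>[0-9a-f ]+)$")
ENABLE_RE = re.compile(r"^enabling taint at instr count (?P<ic>\d+)$")
SHAD_RE = re.compile(r"^taint2: Allocating (?:large|small) fast_shad \((?P<nbytes>\d+) bytes\)")


@dataclass
class Progress:
    instrs: int      # instructions replayed so far
    pct: float       # percent of the recording replayed
    sec: float       # wall-clock seconds
    ram_gb: float    # host memory reported by PANDA


@dataclass
class Match:
    str_index: int              # index of the search string in the .txt file
    instr_count: int            # replay instruction count at the match
    callstack: Tuple[int, ...]  # PCs printed after the colon, in PANDA's order


@dataclass
class ReplaySummary:
    progress: List[Progress] = field(default_factory=list)
    matches: List[Match] = field(default_factory=list)
    taint_enabled_at: Optional[int] = None
    shadow_bytes: List[int] = field(default_factory=list)
    hugetlb_failed: bool = False


def parse_panda_output(text: str) -> ReplaySummary:
    """Walk the output line by line; unrecognised lines are ignored."""
    s = ReplaySummary()
    for raw in text.splitlines():
        line = raw.strip()
        m = PROGRESS_RE.match(line)
        if m:
            s.progress.append(Progress(int(m["instrs"]), float(m["pct"]),
                                       float(m["sec"]), float(m["ram"])))
            continue
        m = MATCH_RE.match(line)
        if m:
            pcs = tuple(int(h, 16) for h in m["pcs"].split())
            s.matches.append(Match(int(m["idx"]), int(m["ic"]), pcs))
            continue
        m = ENABLE_RE.match(line)
        if m:
            s.taint_enabled_at = int(m["ic"])
            continue
        m = SHAD_RE.match(line)
        if m:
            s.shadow_bytes.append(int(m["nbytes"]))
            continue
        if line.startswith("taint2: Hugetlb failed"):
            s.hugetlb_failed = True
    return s


def ram_growth_per_100m_instrs(s: ReplaySummary) -> Optional[float]:
    """GB of host memory gained per 100M replayed instructions, measured from
    the last progress line before taint was enabled to the last one after it."""
    if s.taint_enabled_at is None:
        return None
    before = [p for p in s.progress if p.instrs < s.taint_enabled_at]
    after = [p for p in s.progress if p.instrs >= s.taint_enabled_at]
    if not before or not after:
        return None
    a, b = before[-1], after[-1]
    return (b.ram_gb - a.ram_gb) / (b.instrs - a.instrs) * 1e8


def projected_final_ram_gb(s: ReplaySummary) -> Optional[float]:
    """Rough linear extrapolation of memory use to the end of the recording;
    the total instruction count is estimated from the last progress percentage."""
    rate = ram_growth_per_100m_instrs(s)
    if rate is None or s.progress[-1].pct <= 0:
        return None
    last = s.progress[-1]
    total = last.instrs / (last.pct / 100.0)
    return last.ram_gb + rate * (total - last.instrs) / 1e8


# Constructed sample: the abbreviated output quoted in the message above.
SAMPLE_OUTPUT = """
api414-4-20:   783198179 ( 10.03%) instrs.  218.26 sec.  0.96 GB ram.
READ Match of str 0 at: instr_count=812336749 :  72a7562e b6cb2e02 0d36c000
tstringsearch: thestring = [passwordisqemu]
enabling taint at instr count 812336749
taint2: Allocating large fast_shad (8589934592 bytes).
taint2: Hugetlb failed. Trying without.
taint2: Allocating small fast_shad (12800000 bytes) using malloc @ 7fdd165c6010.
READ Match of str 0 at: instr_count=812336765 :  72a7562e b6cb2a2a 0d36c000
READ Match of str 0 at: instr_count=812337316 :  72a7562e b6cb2e4a 0d36c000
READ Match of str 0 at: instr_count=812337331 :  72a7562e b6cb2a2a 0d36c000
api414-4-20:   859399601 ( 11.00%) instrs.  658.13 sec.  3.27 GB ram.
api414-4-20:   937474512 ( 12.00%) instrs. 1017.48 sec.  4.70 GB ram.
api414-4-20:  1015597970 ( 13.00%) instrs. 1265.76 sec.  5.58 GB ram.
"""

if __name__ == "__main__":
    summary = parse_panda_output(SAMPLE_OUTPUT)
    print("taint enabled at instr", summary.taint_enabled_at)
    print("matches at", [m.instr_count for m in summary.matches])
    print("GB per 100M instrs after enable:", ram_growth_per_100m_instrs(summary))
    print("projected GB at end of replay:", projected_final_ram_gb(summary))
```

Run it with the full PANDA output on stdin or pasted into SAMPLE_OUTPUT;
the interesting number is the growth rate after the enable point, which
for the quoted run is roughly 2 GB per 100M instructions with the replay
only 13% done.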

On Mon, Apr 20, 2015 at 7:57 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> i know you are busy.
> I just get stuck in this taint step but have no idea how to fix it... (used a core
> dump to find where it segfaults)
> here is the 512M version:
> http://pan.baidu.com/s/1mgopzIg
> the content of search string .txt is "passwordisqemu"
> thanks!
>
> 2015-04-20 11:32 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>
>> I will try to reproduce from those instructions in the next couple days.
>> Sorry for the delay! Did you post the .rr of the recording with 512M
>> somewhere? I only saw the 2G one.
>>
>> Thanks,
>> Brendan
>>
>> On Mon, Apr 20, 2015 at 8:07 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>> wrote:
>>>
>>> about the taint segfault, if you cannot download that .rr I uploaded
>>> before, you can follow these steps to reproduce:
>>> 1) use android studio to create an avd, choose api21 target android 5.0.1, use
>>> the default size; you get the cache-img, sdcard.img, data.img and
>>> system.img, and then copy kernel-qemu & rmdisk.img from sdk/systemimg;
>>> 2) use pandaCovert.py to convert them and get the
>>> (cache,data,system)-pandroid.qcow2 as well as kernel and initramfs;
>>> 3) use runpandroid.py (-m 512) to boot the emulator; telnet and begin_record
>>> 4) run an app and input a string; end_record;
>>> 5) use qemu-system-arm to replay (-m 512) with the panda
>>> plugins: stringsearch,tstringsearch;tainted_instr. (the search string .txt is
>>> the string you input)
>>>
>>> do you guys get the segfault ?
>>> how can i fix it?
>>> Thanks a lot!
>>>
>>> 2015-04-20 17:51 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>
>>>> excuse me, i have noticed that the ida_taint plugin says "win7 only but other
>>>> os could be easily added".
>>>> i have installed ida pro on my system (debian) and modified the ida_taint.bat
>>>> with my ida path; when i use it: ./ida_taint.bat name.json qemu-system-arm
>>>> it failed. it seems not to be available on linux, is it?
>>>> Thanks a lot!
>>>>
>>>>
>>>> 2015-04-10 21:24 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>>
>>>>> Once you have used PANDA's taint system to identify the portions of the
>>>>> code that process the data you're interested in, you will still have to
>>>>> analyze that code to understand how it works. One way to do that might be to
>>>>> use the scissors plugin to extract out the portion of the trace that
>>>>> contains the code you're interested in, and then replay it with QEMU's "-d
>>>>> in_asm -D asmlog.txt" options to get the disassembly for that code.
>>>>>
>>>>> Alternatively, you could take a memory snapshot at some point when the
>>>>> code you want to analyze is in memory (using something like the pmemsave
>>>>> plugin in PANDA), then use Volatility to analyze that memory image to
>>>>> extract out the binary, which you could look at in IDA or something similar.
>>>>>
>>>>> Basically – disassemble the code that handles the data you're
>>>>> interested in and find out how it works. Exactly what that means will depend
>>>>> on what you're hoping to accomplish.
>>>>>
>>>>> -Brendan
>>>>>
>>>>> On Fri, Apr 10, 2015 at 9:07 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>> wrote:
>>>>>>
>>>>>> Hi,
>>>>>> Thanks for your job first.
>>>>>> I am a little confused about the result of the taint. How can I get
>>>>>> enough information about the processing code from the binary? use gdb?
>>>>>> Thanks!
>>>>>>
>>>>>> 2015-04-10 12:05 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>
>>>>>>> Thanks for your guys great work!
>>>>>>> and I will try.
>>>>>>>
>>>>>>> 2015-04-10 11:42 GMT+08:00 Brendan Dolan-Gavitt
>>>>>>> <brendandg at gatech.edu>:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Tim has just updated the tainted_instructions tutorial so that it
>>>>>>>> reflects how things work now. Could you look through that tutorial and see
>>>>>>>> if it helps with your problem?
>>>>>>>>
>>>>>>>>
>>>>>>>> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>>>>>>>>
>>>>>>>> Note that you will probably need to do a "git pull" and rebuild
>>>>>>>> (make clean ; ./build.sh) in order to make sure everything works as it says
>>>>>>>> in the tutorial.
>>>>>>>>
>>>>>>>> -Brendan
>>>>>>>>
>>>>>>>> On Thu, Apr 9, 2015 at 9:30 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Now that the panda taint.md is not fresh, can you guys give me some
>>>>>>>>> help?
>>>>>>>>> I use the replay plugin; here is my command and the result.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> the content of pk_search_strings.txt is :"sdt"
>>>>>>>>>
>>>>>>>>> I am confused here: in the paper (Repeatable reverse with panda)
>>>>>>>>> it is clear that if I use the stringsearch and taint plugin, when it
>>>>>>>>> matches, the taint label will be put and then taint action will start. but
>>>>>>>>> when I use it, it seems wrong (the picture showed before): no taint action
>>>>>>>>> executes, and i am confused about the tstringsearch's result.
>>>>>>>>> how can i use it for analysis?
>>>>>>>>> Thanks a lot!
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>
>>>>>>>>>> I get the replay file by running the runandroid script, and i use the
>>>>>>>>>> qemu-system-arm command just to do some replay work.
>>>>>>>>>> I may not understand you at all in this email. do you mean that i
>>>>>>>>>> should gdb the original program rather than the record file?
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt
>>>>>>>>>> <brendandg at gatech.edu>:
>>>>>>>>>>>
>>>>>>>>>>> Hmm. gdb should normally stop when you get a segfault.
>>>>>>>>>>>
>>>>>>>>>>> Are you by any chance running PANDA using the runandroid script?
>>>>>>>>>>> If so, you will need to instead invoke PANDA manually, i.e.:
>>>>>>>>>>>
>>>>>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>>>>>>>>>
>>>>>>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>>>>>>>>>>> backtrace.
>>>>>>>>>>>
>>>>>>>>>>> -Brendan
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li
>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> when gdb,it shows:
>>>>>>>>>>>> and then i see the log:it shows segfault:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>>>>
>>>>>>>>>>>>> maybe i am wrong.
>>>>>>>>>>>>> i use the command
>>>>>>>>>>>>> line: "taint2:label_mode=binary,query_outgoing_network=1" and I found that
>>>>>>>>>>>>> when i use taint2, after it loads panda_taint2.so, it
>>>>>>>>>>>>> shows: "taint2:instructed not to inline taint ops .success".
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ok.
>>>>>>>>>>>>>> 1.I want to use taint plugin to get information about some
>>>>>>>>>>>>>> functions(of course, it is closed-source),so I think I can stringsearch
>>>>>>>>>>>>>> potential data and then taint them and next I can locate the functions which
>>>>>>>>>>>>>> solves these data.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2.the command line I used is :
>>>>>>>>>>>>>> stringsearch:name=***;taint2:tainted_instructions=1.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> thanks
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt
>>>>>>>>>>>>>> <brendandg at gatech.edu>:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Could you provide:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 1. What information you're trying to get
>>>>>>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2
>>>>>>>>>>>>>>> plugin
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Right now I believe taint2 does not produce very much output
>>>>>>>>>>>>>>> by default. Instead you use the -pandalog <filename> command line option,
>>>>>>>>>>>>>>> and taint2 will write its results there in pandalog format; you can then
>>>>>>>>>>>>>>> read them using pandalog_reader (see panda/pandalog_reader.c for details on
>>>>>>>>>>>>>>> that tool).
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li
>>>>>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> when I tried taint2, it showed the same error as taint1;
>>>>>>>>>>>>>>>> the only difference is that taint2 has no segfault error, just uninit taint
>>>>>>>>>>>>>>>> plugin.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt
>>>>>>>>>>>>>>>> <brendandg at gatech.edu>:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Could you be a little more descriptive about how it failed?
>>>>>>>>>>>>>>>>> Segfault? Error message? Incorrect output?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li
>>>>>>>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> i tried taint2 too, it failed.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL
>>>>>>>>>>>>>>>>>> <tleek at ll.mit.edu>:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>>>>>>>>>>>>>>>>>>> “taint2” is the one we are actively using and developing.
>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>> Tim Leek
>>>>>>>>>>>>>>>>>>> Technical Staff
>>>>>>>>>>>>>>>>>>> Cyber System Assessments
>>>>>>>>>>>>>>>>>>> MIT Lincoln Laboratory
>>>>>>>>>>>>>>>>>>> 781-981-2975
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>>>>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a
>>>>>>>>>>>>>>>>>>> backtrace when it crashes?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li
>>>>>>>>>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>> excuse me, i have a question about the taint
>>>>>>>>>>>>>>>>>>>> plugin: (stringsearch:name=***;taint:tainted_instructions=1)
>>>>>>>>>>>>>>>>>>>> when I started it, it showed success:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> but when it finished searching, it showed "uninit taint
>>>>>>>>>>>>>>>>>>>> plugin segmentation fault"
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> how can I fix it?
>>>>>>>>>>>>>>>>>>>> Thanks a lot!
>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>>>> panda-users mailing list
>>>>>>>>>>>>>>>>>> panda-users at mit.edu
>>>>>>>>>>>>>>>>>> http://mailman.mit.edu/mailman/listinfo/panda-users
