[panda-users] taint segmentation fault

Brendan Dolan-Gavitt brendandg at gatech.edu
Mon Apr 20 22:53:46 EDT 2015


Ah! I forgot to push the commit I made to stop it from trying to
allocate at a fixed address.

Could you do a git pull, rebuild, and try again?

-Brendan

On Mon, Apr 20, 2015 at 10:51 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> 1. The command I use is:
> ./qemu-system-arm 0m 512 -replay api414-4-20 -M android_arm -kernel
> /dev/null -android -panda
> "stringsearch:name=test;tstringsearch;tainted_instr"
> 2. The output is:
> Adding PANDA arg stringsearch:name=test.
> adding
> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_stringsearch.so
> to panda_plugin_files 0
> adding
> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tstringsearch.so
> to panda_plugin_files 1
> adding
> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tainted_instr.so
> to panda_plugin_files 2
> emulator: registered 'boot-properties' qemud service
> emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'
> emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'
> emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'
> loading
> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_stringsearch.so
> Initializing plugin stringsearch
> panda_require: callstack_instr
> loading
> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_callstack_instr.so
> Initializing plugin callstack_instr
> Success
> stringsearch: added string of length 14 to search set
> Success
> loading
> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tstringsearch.so
> Initializing tstringsearch
> panda_require: stringsearch
> panda_load_plugin:
> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_stringsearch.so
> already loaded
> panda_require: taint2
> loading
> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_taint2.so
> Initializing taint plugin
> taint2: Instructed not to inline taint ops.
> panda_require: callstack_instr
> panda_load_plugin:
> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_callstack_instr.so
> already loaded
> Success
> Success
> loading
> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tainted_instr.so
> panda_require: taint2
> panda_load_plugin:
> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_taint2.so
> already loaded
> panda_require: callstack_instr
> panda_load_plugin:
> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_callstack_instr.so
> already loaded
> Success
> goldfish_add_device: goldfish_device_bus, base ff001000 1000, irq 1 1
> goldfish_device_bus: ff001000     30
> goldfish_add_device: goldfish_int, base ff000000 1000, irq 0 0
> goldfish_int: ff000000     38
> goldfish_add_device: goldfish_timer, base ff003000 1000, irq 3 1
> goldfish_timer: ff003000     40
> goldfish_add_device: goldfish_rtc, base ff010000 1000, irq 10 1
> goldfish_rtc: ff010000     48
> goldfish_add_device: goldfish_tty, base ff002000 1000, irq 4 1
> goldfish_tty: ff002000     50
> android_arm_init serial 1 0
> android_arm_init serial 2 0
> android_arm_init serial 3 0
> goldfish_add_device: smc91x, base ff011000 1000, irq 11 1
> goldfish_add_device: goldfish_fb, base ff012000 1000, irq 12 1
> goldfish_fb: ff012000     68
> Using tmpfile for SD card: /tmp/android-shentanli/emulator-P6kmpf
> goldfish_add_device: goldfish_mmc, base ff005000 1000, irq 13 1
> goldfish_mmc: ff005000     70
> goldfish_add_device: goldfish_memlog, base ff006000 1000, irq 0 0
> goldfish_memlog: ff006000     78
> goldfish_add_device: goldfish-battery, base ff013000 1000, irq 14 1
> goldfish-battery: ff013000     80
> goldfish_add_device: goldfish_events, base ff014000 1000, irq 15 1
> goldfish_events: ff014000     88
> Using event IRQ
> Invalid system partition size for non-QCOW image: 0emulator: geometry says
> there are 0 blocks
>
> emulator: Dev size of /tmp/android-shentanli/emulator-jxC2Uf is 0
>
> Invalid data partition size for non-QCOW image: 0emulator: Dev size 0x0 came
> from argument
>
> emulator: geometry says there are 0 blocks
>
> emulator: Dev size of /tmp/android-shentanli/emulator-2FZLqg is 0
>
> emulator: Dev size 0x0 came from argument
>
> emulator: geometry says there are 0 blocks
>
> emulator: Dev size of /tmp/android-shentanli/emulator-lyszWg is 0
>
> goldfish_add_device: goldfish_nand, base ff015000 1000, irq 16 1
> goldfish_nand: ff015000     90
> goldfish_add_device: qemu_pipe, base ff016000 2000, irq 17 1
> qemu_pipe: ff016000     98
> emulator: control console listening on port 5554, ADB on port 5555
> emulator: can't connect to ADB server: Connection refused
> emulator: Realistic sensor emulation is not available, since the remote
> controller is not accessible:
>  Connection refused
> loading snapshot
> emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'
> emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'
> emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'
> Unknown savevm section or instance 'goldfish_tty' 1
> ... done.
>
> Logging all cpu states
> CPU #0:
> R00=00000000 R01=c049bcb8 R02=00000000 R03=00000000
> R04=c0480000 R05=c04b9948 R06=c048fd34 R07=c047b374
> R08=c0a05100 R09=410fc090 R10=00000000 R11=00000000
> R12=c049bcb8 R13=c0481fb0 R14=c000e3f4 R15=c00158c8
> PSR=60000093 -ZC- A svc32
> opening nondet log for read :
> /home/shentanli/pandanew/scripts/api414-4-20-rr-nondet.log
> api414-4-20:    81316759 (  1.04%) instrs.    7.52 sec.  0.61 GB ram.
> api414-4-20:   156342747 (  2.00%) instrs.   15.90 sec.  0.69 GB ram.
> api414-4-20:   234368551 (  3.00%) instrs.   24.93 sec.  0.76 GB ram.
> api414-4-20:   312493247 (  4.00%) instrs.   35.45 sec.  0.83 GB ram.
> api414-4-20:   390616091 (  5.00%) instrs.   43.97 sec.  0.87 GB ram.
> api414-4-20:   468738195 (  6.00%) instrs.   49.32 sec.  0.90 GB ram.
> api414-4-20:   547631582 (  7.01%) instrs.   54.12 sec.  0.93 GB ram.
> api414-4-20:   624983872 (  8.00%) instrs.   57.67 sec.  0.94 GB ram.
> api414-4-20:   703122355 (  9.00%) instrs.   60.94 sec.  0.94 GB ram.
> api414-4-20:   783198179 ( 10.03%) instrs.   64.60 sec.  0.95 GB ram.
> READ Match of str 0 at: instr_count=812336749 :  72a7562e b6cb2e02 0d36c000
> tstringsearch: thestring = [passwordisqemu]
> tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
> tstringsearch: string in memory @ 0xa70d6212
> enabling taint at instr count 812336749
> taint2: __taint_enable_taint
> taint2: Creating byte-level taint processor
> taint2: Allocating large fast_shad (8589934592 bytes)  @ 0x10000000000.
> taint2: Hugetlb failed. Trying without.
> taint2: Allocating large fast_shad (8589934592 bytes)  @ 0x20000000000.
> taint2: Hugetlb failed. Trying without.
> taint2: Allocating large fast_shad (8589934592 bytes)  @ 0x30000000000.
> taint2: Hugetlb failed. Trying without.
> taint2: Allocating large fast_shad (8589934592 bytes)  @ 0x40000000000.
> taint2: Hugetlb failed. Trying without.
> taint2: Allocating large fast_shad (8589934592 bytes)  @ 0x50000000000.
> taint2: Hugetlb failed. Trying without.
> taint2: Allocating large fast_shad (8589934592 bytes)  @ 0x60000000000.
> taint2: Hugetlb failed. Trying without.
> taint2: Allocating large fast_shad (8589934592 bytes)  @ 0x70000000000.
> taint2: Hugetlb failed. Trying without.
> taint2: Allocating large fast_shad (8589934592 bytes)  @ 0x80000000000.
> taint2: Hugetlb failed. Trying without.
> taint2: Allocating large fast_shad (8589934592 bytes)  @ 0x90000000000.
> taint2: Hugetlb failed. Trying without.
> Cannot allocate memory
> taint2: Allocating small fast_shad (12800000 bytes) using malloc @
> 7f8b608d0010.
> taint2: Allocating small fast_shad (256 bytes) using malloc @ 16be2a70.
> taint2: Allocating small fast_shad (1024 bytes) using malloc @ 171c3540.
> taint2: Allocating small fast_shad (867840 bytes) using malloc @ 1720ddd0.
> taint2: Linking taint ops from
> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_taint2_ops.bc
> taint2: Done initializing taint transformation.
> taint2: Done processing helper functions for taint.
> taint2: Done verifying module. Running...
>
> ****************************************************************************
> applying taint labels to search string of length 14  @ p=0xa70d6212
> ******************************************************************************
> Segmentation fault
>
>
> 2015-04-20 22:42 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>
>> I am currently running your taint replay, and it is (so far) working
>> fine. Here is the (slightly abbreviated) output I get:
>>
>> api414-4-20:   783198179 ( 10.03%) instrs.  218.26 sec.  0.96 GB ram.
>> READ Match of str 0 at: instr_count=812336749 :  72a7562e b6cb2e02
>> 0d36c000
>> tstringsearch: thestring = [passwordisqemu]
>> tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
>> tstringsearch: string in memory @ 0xa70d6212
>> enabling taint at instr count 812336749
>> taint2: __taint_enable_taint
>> taint2: Creating byte-level taint processor
>> taint2: Allocating large fast_shad (8589934592 bytes).
>> taint2: Hugetlb failed. Trying without.
>> taint2: Allocating small fast_shad (12800000 bytes) using malloc @
>> 7fdd165c6010.
>> taint2: Allocating small fast_shad (256 bytes) using malloc @
>> 7fdd0bec21a0.
>> taint2: Allocating small fast_shad (1024 bytes) using malloc @
>> 7fdcfc49ddc0.
>> taint2: Allocating small fast_shad (867840 bytes) using malloc @
>> 7fdcfc4e7db0.
>> taint2: Linking taint ops from
>> /scratch/git/pandroid/qemu/arm-softmmu/panda_plugins/panda_taint2_ops.bc
>> taint2: Done initializing taint transformation.
>> taint2: Done processing helper functions for taint.
>> taint2: Done verifying module. Running...
>>
>>
>> ****************************************************************************
>> applying taint labels to search string of length 14  @ p=0xa70d6212
>>
>> ******************************************************************************
>> READ Match of str 0 at: instr_count=812336765 :  72a7562e b6cb2a2a
>> 0d36c000
>> tstringsearch: thestring = [passwordisqemu]
>> tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
>> tstringsearch: string in memory @ 0xa70d6212
>>
>>
>> ****************************************************************************
>> applying taint labels to search string of length 14  @ p=0xa70d6212
>>
>> ******************************************************************************
>> READ Match of str 0 at: instr_count=812337316 :  72a7562e b6cb2e4a
>> 0d36c000
>> tstringsearch: thestring = [passwordisqemu]
>> tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
>> tstringsearch: string in memory @ 0xa70d6212
>>
>>
>> ****************************************************************************
>> applying taint labels to search string of length 14  @ p=0xa70d6212
>>
>> ******************************************************************************
>> READ Match of str 0 at: instr_count=812337331 :  72a7562e b6cb2a2a
>> 0d36c000
>> tstringsearch: thestring = [passwordisqemu]
>> tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
>> tstringsearch: string in memory @ 0xa70d6212
>>
>>
>> ****************************************************************************
>> applying taint labels to search string of length 14  @ p=0xa70d6212
>>
>> ******************************************************************************
>> api414-4-20:   859399601 ( 11.00%) instrs.  658.13 sec.  3.27 GB ram.
>> api414-4-20:   937474512 ( 12.00%) instrs. 1017.48 sec.  4.70 GB ram.
>> api414-4-20:  1015597970 ( 13.00%) instrs. 1265.76 sec.  5.58 GB ram.
>>
>> My command line to replay was:
>>
>> arm-softmmu/qemu-system-arm -m 512 -replay api414-4-20 -M android_arm
>> -cpu cortex-a9 -android -kernel /dev/null -pandalog api.log -panda
>> 'stringsearch:name=api;tstringsearch;tainted_instr'
>>
>> From the screenshot you posted earlier, it looks like yours had
>> already failed by this point. If you are still getting a segfault with
>> this replay, could you post:
>>
>> 1. The full command line you are using (as text, not a screenshot)
>> 2. The full output from PANDA up to the point where the segfault
>> happens (as text, not a screenshot)
>>
>> -Brendan
>>
>> On Mon, Apr 20, 2015 at 7:57 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>> wrote:
>> > I know you are busy.
>> > I just get stuck in this taint step but have no idea how to fix it... (I used
>> > a core dump to find where it segfaults)
>> > Here is the 512M version:
>> > http://pan.baidu.com/s/1mgopzIg
>> > The content of search string .txt is "passwordisqemu"
>> > Thanks!
>> >
>> > 2015-04-20 11:32 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>> >
>> >> I will try to reproduce from those instructions in the next couple
>> >> days. Sorry for the delay! Did you post the .rr of the recording with
>> >> 512M somewhere? I only saw the 2G one.
>> >>
>> >> Thanks,
>> >> Brendan
>> >>
>> >> On Mon, Apr 20, 2015 at 8:07 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>> >> wrote:
>> >>>
>> >>> About the taint segfault, if you cannot download the .rr I uploaded
>> >>> before, you can follow these steps to reproduce:
>> >>> 1) use Android Studio to create an AVD, choose the api21 target (Android 5.0.1),
>> >>> use the default size; you get cache-img, sdcard.img, data.img and
>> >>> system.img, and then copy kernel-qemu & rmdisk.img from sdk/systemimg;
>> >>> 2) use pandaCovert.py to convert them and get the
>> >>> (cache,data,system)-pandroid.qcow2 as well as kernel and initramfs;
>> >>> 3) use runpandroid.py (-m 512) to boot the emulator; telnet and begin_record
>> >>> 4) run an app and input a string; end_record;
>> >>> 5) use qemu-system-arm to replay (-m 512) with the panda
>> >>> plugins: stringsearch,tstringsearch;tainted_instr (the search string
>> >>> .txt is the string you input)
>> >>>
>> >>> Do you guys get the segfault?
>> >>> How can I fix it?
>> >>> Thanks a lot!
>> >>>
>> >>> 2015-04-20 17:51 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >>>>
>> >>>> Excuse me, I have noticed that the ida_taint plugin says: "win7 only but
>> >>>> other os could be easily added".
>> >>>> I have installed IDA Pro on my system (Debian) and modified
>> >>>> ida_taint.bat with my IDA path; when I use it: ./ida_taint.bat name.json
>> >>>> qemu-system-arm
>> >>>> it failed. It seems not to be available on Linux, is it?
>> >>>> Thanks a lot!
>> >>>>
>> >>>>
>> >>>> 2015-04-10 21:24 GMT-04:00 Brendan Dolan-Gavitt
>> >>>> <brendandg at gatech.edu>:
>> >>>>
>> >>>>> Once you have used PANDA's taint system to identify the portions of
>> >>>>> the code that process the data you're interested in, you will still
>> >>>>> have to analyze that code to understand how it works. One way to do
>> >>>>> that might be to use the scissors plugin to extract out the portion
>> >>>>> of the trace that contains the code you're interested in, and then
>> >>>>> replay it with QEMU's "-d in_asm -D asmlog.txt" options to get the
>> >>>>> disassembly for that code.
>> >>>>>
>> >>>>> Alternatively, you could take a memory snapshot at some point when
>> >>>>> the code you want to analyze is in memory (using something like the
>> >>>>> pmemsave plugin in PANDA), then use Volatility to analyze that memory
>> >>>>> image to extract out the binary, which you could look at in IDA or
>> >>>>> something similar.
>> >>>>>
>> >>>>> Basically – disassemble the code that handles the data you're
>> >>>>> interested in and find out how it works. Exactly what that means
>> >>>>> will depend on what you're hoping to accomplish.
>> >>>>>
>> >>>>> -Brendan
>> >>>>>
>> >>>>> On Fri, Apr 10, 2015 at 9:07 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>> >>>>> wrote:
>> >>>>>>
>> >>>>>> Hi,
>> >>>>>> Thanks for your work first.
>> >>>>>> I am a little confused about the result of the tainted. How can I
>> >>>>>> get enough information about the processing code from the binary?
>> >>>>>> Use gdb?
>> >>>>>> Thanks!
>> >>>>>>
>> >>>>>> 2015-04-10 12:05 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >>>>>>>
>> >>>>>>> Thanks for your great work, guys!
>> >>>>>>> I will try.
>> >>>>>>>
>> >>>>>>> 2015-04-10 11:42 GMT+08:00 Brendan Dolan-Gavitt
>> >>>>>>> <brendandg at gatech.edu>:
>> >>>>>>>>
>> >>>>>>>> Hi,
>> >>>>>>>>
>> >>>>>>>> Tim has just updated the tainted_instructions tutorial so that it
>> >>>>>>>> reflects how things work now. Could you look through that
>> >>>>>>>> tutorial and see if it helps with your problem?
>> >>>>>>>>
>> >>>>>>>> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>> >>>>>>>>
>> >>>>>>>> Note that you will probably need to do a "git pull" and rebuild
>> >>>>>>>> (make clean ; ./build.sh) in order to make sure everything works
>> >>>>>>>> as it says in the tutorial.
>> >>>>>>>>
>> >>>>>>>> -Brendan
>> >>>>>>>>
>> >>>>>>>> On Thu, Apr 9, 2015 at 9:30 AM, xiaojuan Li
>> >>>>>>>> <xiaotan6666 at gmail.com>
>> >>>>>>>> wrote:
>> >>>>>>>>>
>> >>>>>>>>> Now that the panda taint.md is not fresh, can you guys give me
>> >>>>>>>>> some help?
>> >>>>>>>>> I use the replay plugin; here is my command and the result.
>> >>>>>>>>>
>> >>>>>>>>> The content of pk_search_strings.txt is: "sdt"
>> >>>>>>>>>
>> >>>>>>>>> I am confused here: in the paper (Repeatable reverse with panda)
>> >>>>>>>>> it is clear that if I use the stringsearch and taint plugin, when
>> >>>>>>>>> it matches, the taint label will be put and then taint action will
>> >>>>>>>>> start. But when I use it, it seems wrong (the picture showed
>> >>>>>>>>> before): no taint action executes, and I am confused about the
>> >>>>>>>>> tstringsearch's result.
>> >>>>>>>>> How can I use it for analysis?
>> >>>>>>>>> Thanks a lot!
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >>>>>>>>>>
>> >>>>>>>>>> I get the replay file by running the runandroid script, and I use
>> >>>>>>>>>> the qemu-system-arm command just to do some replay work.
>> >>>>>>>>>> I may not understand you at all in this email. Do you mean that I
>> >>>>>>>>>> should gdb the original program rather than the record file?
>> >>>>>>>>>> Thanks
>> >>>>>>>>>>
>> >>>>>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt
>> >>>>>>>>>> <brendandg at gatech.edu>:
>> >>>>>>>>>>>
>> >>>>>>>>>>> Hmm. gdb should normally stop when you get a segfault.
>> >>>>>>>>>>>
>> >>>>>>>>>>> Are you by any chance running PANDA using the runandroid
>> >>>>>>>>>>> script? If so, you will need to instead invoke PANDA manually,
>> >>>>>>>>>>> i.e.:
>> >>>>>>>>>>>
>> >>>>>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>> >>>>>>>>>>>
>> >>>>>>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>> >>>>>>>>>>> backtrace.
>> >>>>>>>>>>>
>> >>>>>>>>>>> -Brendan
>> >>>>>>>>>>>
>> >>>>>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li
>> >>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> When run under gdb, it shows:
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> and then I see the log: it shows a segfault:
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li
>> >>>>>>>>>>>> <xiaotan6666 at gmail.com>:
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>> Maybe I am wrong.
>> >>>>>>>>>>>>> I use the command
>> >>>>>>>>>>>>> line: "taint2:label_mode=binary,query_outgoing_network=1" and
>> >>>>>>>>>>>>> I found that when I use taint2, after it loads panda_taint2.so,
>> >>>>>>>>>>>>> it shows: "taint2:instructed not to inline taint ops .success".
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li
>> >>>>>>>>>>>>> <xiaotan6666 at gmail.com>:
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>> Ok.
>> >>>>>>>>>>>>>> 1. I want to use the taint plugin to get information about some
>> >>>>>>>>>>>>>> functions (of course, it is closed-source), so I think I can
>> >>>>>>>>>>>>>> stringsearch potential data and then taint them, and next I can
>> >>>>>>>>>>>>>> locate the functions which solve these data.
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>> 2. The command line I used is:
>> >>>>>>>>>>>>>> stringsearch:name=***;taint2:tainted_instructions=1.
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>> Thanks
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt
>> >>>>>>>>>>>>>> <brendandg at gatech.edu>:
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>> Could you provide:
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>> 1. What information you're trying to get
>> >>>>>>>>>>>>>>> 2. The command line you're using to run PANDA with the
>> >>>>>>>>>>>>>>> taint2 plugin
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>> ?
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>> Right now I believe taint2 does not produce very much
>> >>>>>>>>>>>>>>> output by default. Instead you use the -pandalog <filename>
>> >>>>>>>>>>>>>>> command line option, and taint2 will write its results
>> >>>>>>>>>>>>>>> there in pandalog format; you can then read them using
>> >>>>>>>>>>>>>>> pandalog_reader (see panda/pandalog_reader.c for details
>> >>>>>>>>>>>>>>> on that tool).
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>> -Brendan
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li
>> >>>>>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>> >>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>> When I tried taint2, it showed the same error as taint1;
>> >>>>>>>>>>>>>>>> the only difference is that taint2 has no segfault
>> >>>>>>>>>>>>>>>> error, just uninit taint plugin.
>> >>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt
>> >>>>>>>>>>>>>>>> <brendandg at gatech.edu>:
>> >>>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>> Could you be a little more descriptive about how it
>> >>>>>>>>>>>>>>>>> failed?
>> >>>>>>>>>>>>>>>>> Segfault? Error message? Incorrect output?
>> >>>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>> -Brendan
>> >>>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li
>> >>>>>>>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>> >>>>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>>> i tried taint2 too,it failed.
>> >>>>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL
>> >>>>>>>>>>>>>>>>>> <tleek at ll.mit.edu>:
>> >>>>>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>> >>>>>>>>>>>>>>>>>>> “taint2” is the one we are actively using and
>> >>>>>>>>>>>>>>>>>>> developing.
>> >>>>>>>>>>>>>>>>>>> --
>> >>>>>>>>>>>>>>>>>>> Tim Leek
>> >>>>>>>>>>>>>>>>>>> Technical Staff
>> >>>>>>>>>>>>>>>>>>> Cyber System Assessments
>> >>>>>>>>>>>>>>>>>>> MIT Lincoln Laboratory
>> >>>>>>>>>>>>>>>>>>> 781-981-2975
>> >>>>>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>> >>>>>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>> >>>>>>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>> >>>>>>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>> >>>>>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>> >>>>>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a
>> >>>>>>>>>>>>>>>>>>> backtrace when it crashes?
>> >>>>>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>>>> -Brendan
>> >>>>>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li
>> >>>>>>>>>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>> >>>>>>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>>>>> Hi,
>> >>>>>>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
>> >>>>>>>>>>>>>>>>>>>> plugin: (stringsearch:name=***;taint:tainted_instructions=1)
>> >>>>>>>>>>>>>>>>>>>> When I started it, it showed success:
>> >>>>>>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>>>>> but when it finished searching, it showed "uninit taint
>> >>>>>>>>>>>>>>>>>>>> plugin segmentation fault"
>> >>>>>>>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>>>>>> How can I fix it?
>> >>>>>>>>>>>>>>>>>>>> Thanks a lot!
>> >>>>>>>>>>>>>>>>>>>> --
>> >>>>>>>>>>>>>>>>>>>> wait and hope~~
>> >>>>>>>>>>>>>>>>>> _______________________________________________
>> >>>>>>>>>>>>>>>>>> panda-users mailing list
>> >>>>>>>>>>>>>>>>>> panda-users at mit.edu
>> >>>>>>>>>>>>>>>>>> http://mailman.mit.edu/mailman/listinfo/panda-users


