[panda-users] New Taint System & Network Tainting

Eike Siewertsen eikes at student.chalmers.se
Sun Apr 26 12:43:06 EDT 2015


Hi,

first of all, thanks a lot for all the work you put into Panda & co.,
it is an incredible platform.

For my master thesis I am looking to taint bytes received over network
with the new taint system (taint2) and later perform symbolic
execution on the executed instructions and collect constraints on the
network input on branches - but that is for later. Right now I read up
on taint2 and played around with it. I discovered that the buffer
pointed to by handle_packet is actually special IO memory, something
which taint2 apparently doesn't support yet.

Now I am wondering what the best next step would be:

Do you think it's feasible for me to try to implement that
functionality in taint2 (based on how the old taint plugin does it),
or are there significant difficulties involved? From what I gather the
only difference is that there is a separate IO shadow memory - but at
what point do the received tainted bytes propagate into the RAM of the
receiving application? Is this happening in recv()?

Could I just have a callback on the recv syscall and taint the buffer
directly in memory?

Or would it be best if I just use the old taint plugin for this for now?

Thank you very much for your time and any help,

Eike
