<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;"><div><div><div>Weighing in. Yes, I found data structures to be unreliable for a few 10s of basic blocks after ASID change so I monitor until they seem sane. I’m sure there is a better and less computationally intensive way to achieve same. For taint, however, this sort of compute burden is dwarfed by the taint processing itself.</div><div><br></div><div>Cheers.</div><div><br></div><div>Tim</div><div><br></div><div><div><font class="Apple-style-span" color="#000000"><font class="Apple-style-span" face="Calibri">Tim Leek</font></font></div><div>Technical Staff</div><div>Cyber System Assessments</div><div>MIT Lincoln Laboratory</div></div></div></div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> <<a href="mailto:panda-users-bounces@mit.edu">panda-users-bounces@mit.edu</a>> on behalf of Manolis Stamatogiannakis <<a href="mailto:mstamat@gmail.com">mstamat@gmail.com</a>><br><span style="font-weight:bold">Date: </span> Sunday, July 17, 2016 at 2:45 PM<br><span style="font-weight:bold">To: </span> Brendan Dolan-Gavitt <<a href="mailto:brendandg@nyu.edu">brendandg@nyu.edu</a>><br><span style="font-weight:bold">Cc: </span> "<a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a>" <<a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a>><br><span style="font-weight:bold">Subject: </span> Re: [panda-users] file_taint question<br></div><div><br></div><div><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div><div dir="ltr">Ah, yes. This sounds right.
<div><br></div><div>I had also observed the delayed update of kernel data structures. This happens when a new process starts. Most of the OsiProc fields were correct at the callback time, but the process name was still that of the parent process.</div><div><br></div><div>For my plugin, I opted to mark the new process as "fresh" and update the name next time I see the process.</div><div><br></div><div>Thanks!</div><div><br></div><div>M.</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-07-17 19:34 GMT+02:00 Brendan Dolan-Gavitt <span dir="ltr">
<<a href="mailto:brendandg@nyu.edu" target="_blank">brendandg@nyu.edu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I *think* the reasoning was that right when PGD_CHANGED happens the<br>
data structures that track the current process may be in transition,<br>
and so it might not be reliable to get the current process. But I<br>
don't know if this was actually tested. According to git-blame, Tim is<br>
the one to ask, so hopefully he'll weigh in.<br><br>
It should also be easy enough to test this hypothesis by switching it<br>
to PGD_CHANGED on a few test cases an seeing if the results match up.<br>
If we can get away with only invoking on PGD change that would<br>
definitely be an improvement.<br><br>
-Brendan<br><div><div class="h5"><br>
On Sun, Jul 17, 2016 at 1:20 PM, Manolis Stamatogiannakis<br>
<<a href="mailto:mstamat@gmail.com">mstamat@gmail.com</a>> wrote:<br>
> Hello,<br>
><br>
> I was going through the file_taint plugin code and was wondering about the<br>
> osi_foo() callback.<br>
> <a href="https://github.com/moyix/panda/blob/master/qemu/panda_plugins/file_taint/file_taint.cpp#L386" rel="noreferrer" target="_blank">
https://github.com/moyix/panda/blob/master/qemu/panda_plugins/file_taint/file_taint.cpp#L386</a><br>
><br>
> Is there any reason that the function is hooked as a<br>
> PANDA_CB_BEFORE_BLOCK_EXEC callback rather than PANDA_CB_VMI_PGD_CHANGED<br>
> callback?<br>
><br>
> For linux it seems to me that PANDA_CB_VMI_PGD_CHANGED would yield<br>
> equivalent results at only a tiny fraction of the invocations.<br>
><br>
> Same should be true for windows as far as I can tell.<br>
><br>
> Thanks,<br>
> M.<br>
><br></div></div>
> _______________________________________________<br>
> panda-users mailing list<br>
> <a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a><br>
> <a href="http://mailman.mit.edu/mailman/listinfo/panda-users" rel="noreferrer" target="_blank">
http://mailman.mit.edu/mailman/listinfo/panda-users</a><br>
><br><span class="HOEnZb"><font color="#888888"><br><br><br>
--<br>
Brendan Dolan-Gavitt<br>
Assistant Professor, Department of Computer Science and Engineering<br>
NYU Tandon School of Engineering<br></font></span></blockquote></div><br></div></div></div></span></body></html>