<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Title content=""><meta name=Keywords content=""><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style></head><body bgcolor=white lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Sure, it’s possible. I assume you want to do this so slowdown due to taint is only incurred for a little while or something? That is, you want to label something as tainted, have labels propagate around, query something, and then disable taint, run a little longer at faster execution (non-llvm) and then repeat?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>enable -> label -> query -> disable -> emulate -> enable -> label -> query -> …<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>You would have to clear the translation block cache as well as dumping the taint shadow memory to disable the taint stuff, right? I’d be a little concerned about orchestrating everything properly. If you are going to do this many times it might make things slower than just leaving taint on. Certainly if you use the existing routines which would free memory and reconstruct. You’d have to clear the shadow memory instead. Also there might be tricks you could play with translation caches, like keeping them around instead of flushing them.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>-Tim<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'>-- <o:p></o:p></span></p><div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'>Tim Leek<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'>Technical Staff<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'>Cyber System Assessments<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'>MIT Lincoln Laboratory<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'>781-981-2975<o:p></o:p></span></p></div></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>&lt;panda-users-bounces@mit.edu&gt; on behalf of Manolis Stamatogiannakis &lt;mstamat@gmail.com&gt;<br><b>Date: </b>Thursday, February 1, 2018 at 10:49 AM EST<br><b>To: </b>"panda-users@mit.edu" &lt;panda-users@mit.edu&gt;<br><b>Subject: </b>[panda-users] a bunch of questions for taint2<o:p></o:p></span></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Would it be technically possible to temporarily disable taint propagation for the taint2 plugin? What would it take to do so? <o:p></o:p></p><div><p class=MsoNormal>For other plugins unregistering the callbacks would be enough to temporarily disable the plugin. But I'm not sure if this is the case for taint2, which also uses the LLVM backend.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>What would clearing all the taint shadow memory involve? 
Is "delete shadow; shadow = new ShadowState();" enough?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>If directly disabling taint propagation is not directly possible, would it be an option to emulate this by dumping the shadow state and loading it later?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Is there a way to give access to the CPUState object to the on_branch2() callback? Currently, I only need this to determine if user or kernel code is executed. As a workaround to get this information, I use a global which is set by <span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:#222222;background:white'>a PANDA_CB_BEFORE_BLOCK_EXEC callback.</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:#222222;background:white'><br><br></span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:#222222;background:white'>Thanks in advance,</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Arial",sans-serif;color:#222222;background:white'>Manolis</span><o:p></o:p></p></div></div></div></body></html>