<div dir="ltr">Thanks for the info Tim.<div><br></div><div>Yes, speeding up execution is the motivation for this. Currently, I have a trace which took ~30' to record. Running it with taint analysis enabled took more than 24h before exhausting all the host virtual memory and crashing.</div><div><br></div><div>For my analysis, I only care about taint propagation within specific processes and/or execution domains (user/kernel). Temporarily disabling taint propagation would hopefully speed-up the execution and also help to limit the taint explosion that leads to virtual memory exhaustion.</div><div><br></div><div>Could you give me any pointers on where to look for the qemu translation block cache?</div><div>I wanted to play with it for another project, but I could only find high-level information about it but no specific information about where/how it is implemented.</div><div><br></div><div>Thanks in advance,</div><div>Manolis</div><div> </div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-02-02 17:44 GMT+01:00 Leek, Timothy - 0559 - MITLL <span dir="ltr"><<a href="mailto:tleek@ll.mit.edu" target="_blank">tleek@ll.mit.edu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_-880707913872389510WordSection1"><p class="MsoNormal">Sure, it’s possible. I assume you want to do this so slowdown due to taint is only incurred for a little while or something? That is, you want to label something as tainted, have labels propagate around, query something, and then disable taint, run a little longer at faster execution (non-llvm) and then repeat?<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">enable-> label -> query -> disable -> emulate -> enable-> label -> query -> …<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">You would have to clear the translation block cache as well as dumping the taint shadow memory to disable the taint stuff right. I’d be a little concerned about orchestrating everything properly. If you are going to this many times it might make things slower than just leaving taint on. Certainly if you use the existing routines which would free memory and reconstruct. You’d have to clear the shadow memory instead. Also might be tricks you could play with translation caches. Like keeping them around instead of flushing them.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">-Tim<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal"><span style="font-size:10.5pt;color:black">-- <u></u><u></u></span></p><div><div><p class="MsoNormal"><span style="font-size:10.5pt;color:black">Tim Leek<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.5pt;color:black">Technical Staff<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.5pt;color:black">Cyber System Assessments<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.5pt;color:black">MIT Lincoln Laboratory<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.5pt;color:black">781-981-2975<u></u><u></u></span></p></div></div></div><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black"><<a href="mailto:panda-users-bounces@mit.edu" target="_blank">panda-users-bounces@mit.edu</a>> on behalf of Manolis Stamatogiannakis <<a href="mailto:mstamat@gmail.com" target="_blank">mstamat@gmail.com</a>><br><b>Date: </b>Thursday, February 1, 2018 at 10:49 AMEST<br><b>To: </b>"<a href="mailto:panda-users@mit.edu" target="_blank">panda-users@mit.edu</a>" <<a href="mailto:panda-users@mit.edu" target="_blank">panda-users@mit.edu</a>><br><b>Subject: </b>[panda-users] a bunch of questions for taint2<u></u><u></u></span></p></div><div><div class="h5"><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Would it be technically possible to temporarily disable taint propagation for the taint2 plugin? What would it take to do so? <u></u><u></u></p><div><p class="MsoNormal">For other plugins unregistering the callbacks would be enough to temporarily disable the plugin. But I'm not sure if this is the case for taint2, which also uses the LLVM backend.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">What would clearing all the taint shadow memory involve? Is "delete shadow; shadow = new ShadowState();" enough?<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">If directly disabling taint propagation is not directly possible, would it be an option to emulate this by dumping the shadow state and loading it later?<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Is there a way to give access to the CPUState object to the on_branch2() callback? Currently, I only need this to determine if user or kernel code is executed. As a workaround to get this information, I use global which is set by <span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#222222;background:white">a PANDA_CB_BEFORE_BLOCK_EXEC callback.</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#222222;background:white"><br><br></span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#222222;background:white">Thanks in advance,</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#222222;background:white">Manolis</span><u></u><u></u></p></div></div></div></div></div></div>
</blockquote></div><br></div>