[panda-users] taint segmentation fault
Leek, Timothy - 0559 - MITLL
tleek at ll.mit.edu
Sun Apr 12 16:52:40 EDT 2015
Also, just a check. Are you able to reproduce the results here?
https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
--
Tim Leek
Technical Staff
Cyber System Assessments
MIT Lincoln Laboratory
781-981-2975
From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
Date: Sunday, April 12, 2015 at 4:04 PM
To: xiaojuan Li <xiaotan6666 at gmail.com>
Cc: "panda-users at mit.edu" <panda-users at mit.edu>
Subject: Re: [panda-users] taint segmentation fault
A few things:
1. Did you make sure to do a make clean and then re-run build.sh after
updating? I got a segfault just after taint was turned on as well until I
did a make clean and re-ran build.sh.
2. Are you running this on a 64-bit system? What kernel version?
-Brendan
On Sun, Apr 12, 2015 at 9:16 AM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> Any suggestions about the segmentation fault?
> After my test, I made sure it is not caused by insufficient memory.
> Thanks a lot!
>
> 2015-04-11 11:59 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> Excuse me, I tried to fix the segmentation error and found this piece of code:
>> [screenshot attachment scrubbed]
>>
>> Do you mean that it doesn't support so large a byte, or that it doesn't support
>> Android ARM? In the doc I noticed that network tainting is not supported for the
>> ARM architecture, and the string I tainted was something that may go through the
>> network.
>>
>> Thanks!
>>
>> 2015-04-09 21:30 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>> Now that the PANDA taint.md is not fresh, can you guys
>>> give me some help?
>>> I use the replay plugin; here is my command and the result.
>>> [screenshot attachments scrubbed]
>>>
>>> The content of pk_search_strings.txt is: "sdt"
>>>
>>> I am confused here: in the paper (Repeatable reverse with PANDA)
>>> it is clear that if I use the stringsearch and taint plugin, when it matches,
>>> the taint label will be put and then the taint action will start. But when I use
>>> it, it seems wrong (the picture shown before): no taint action executes, and I
>>> am confused about the tstringsearch's result.
>>> How can I use it for analysis?
>>> Thanks a lot!
>>>
>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>> I get the replay file by running the runandroid script, and I use the
>>>> qemu-system-arm command just to do some replay work.
>>>> I may not understand you at all in this email. Do you mean that I should gdb
>>>> the original program rather than the record file?
>>>> Thanks
>>>>
>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>>> Hmm. gdb should normally stop when you get a segfault.
>>>>>
>>>>> Are you by any chance running PANDA using the runandroid script? If so,
>>>>> you will need to instead invoke PANDA manually, i.e.:
>>>>>
>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>>>
>>>>> And then once it crashes, type "bt" at the gdb prompt to get a backtrace.
>>>>>
>>>>> -Brendan
>>>>>
>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>>>>>> When running gdb, it shows:
>>>>>> [screenshot attachment scrubbed]
>>>>>> and then I see the log; it shows a segfault:
>>>>>> [screenshot attachment scrubbed]
>>>>>>
>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>> Maybe I am wrong.
>>>>>>> I use the command
>>>>>>> line "taint2:label_mode=binary,query_outgoing_network=1" and I found that
>>>>>>> when I use taint2, after it loads panda_taint2.so, it
>>>>>>> shows: "taint2:instructed not to inline taint ops .success".
>>>>>>>
>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>> ok.
>>>>>>> 1. I want to use the taint plugin to get information about some functions (of
>>>>>>> course, they are closed-source), so I think I can stringsearch potential
>>>>>>> data and then taint them, and next I can locate the functions which
>>>>>>> solve these data.
>>>>>>>
>>>>>>> 2. The command line I used is:
>>>>>>> stringsearch:name=***;taint2:tainted_instructions=1.
>>>>>>>
>>>>>>> thanks
>>>>>>>
>>>>>>>
>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>>>>> Could you provide:
>>>>>>>
>>>>>>> 1. What information you're trying to get
>>>>>>> 2. The command line you're using to run PANDA with the taint2 plugin
>>>>>>>
>>>>>>> ?
>>>>>>>
>>>>>>> Right now I believe taint2 does not produce very much output by default.
>>>>>>> Instead you use the -pandalog <filename> command line option, and taint2
>>>>>>> will write its results there in pandalog format; you can then read them
>>>>>>> using pandalog_reader (see panda/pandalog_reader.c for details on that
>>>>>>> tool).
>>>>>>>
>>>>>>> -Brendan
>>>>>>>
>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>> wrote:
>>>>>>> When I tried taint2, it showed the same error as taint1; the only
>>>>>>> difference is that taint2 has no segfault error, just "uninit taint
>>>>>>> plugin".
>>>>>>>
>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>>>>> Could you be a little more descriptive about how it failed? Segfault?
>>>>>>> Error message? Incorrect output?
>>>>>>>
>>>>>>> -Brendan
>>>>>>>
>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>> wrote:
>>>>>>> I tried taint2 too; it failed.
>>>>>>>
>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL
>>>>>>> <tleek at ll.mit.edu>:
>>>>>>> Also note that the “taint” plugin is somewhat defunct. “taint2” is the
>>>>>>> one we are actively using and developing.
>>>>>>>
>>>>>>>
>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>>>>
>>>>>>> Could you run that under gdb and provide us with a backtrace when it
>>>>>>> crashes?
>>>>>>>
>>>>>>> -Brendan
>>>>>>>
>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>>>>>>> Hi,
>>>>>>> Excuse me, I have a question about the taint
>>>>>>> plugin (stringsearch:name=***;taint:tainted_instructions=1).
>>>>>>> When I started it, it showed success:
>>>>>>> [screenshot attachment scrubbed]
>>>>>>>
>>>>>>> but when it finished searching, it showed "uninit taint plugin segmentation
>>>>>>> fault":
>>>>>>> [screenshot attachment scrubbed]
>>>>>>>
>>>>>>> How can I fix it?
>>>>>>> Thanks a lot!
>>>>>>> --
>>>>>>> wait and hope~~
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> panda-users mailing list
>>>>>>> panda-users at mit.edu
>>>>>>> http://mailman.mit.edu/mailman/listinfo/panda-users
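The procedure Brendan gives in the thread (invoke PANDA manually under gdb with --args, then type bt once it crashes) can be run without an interactive session so the backtrace lands in a file that is ready to send to the list. The script below is an added example for this archive page, not code from the thread or from the PANDA project; the qemu path and arguments are placeholders, the function names are invented, and the sample gdb output it parses is constructed here so the file runs even without gdb or PANDA installed.

```shell
#!/bin/sh
# Added example (not from the thread or from PANDA): capture a gdb backtrace
# of a crashing command non-interactively. Paths and arguments to qemu below
# are placeholders; substitute the real command line.

# capture_backtrace LOGFILE CMD [ARGS...]
# Runs CMD under gdb in batch mode: "run" until it stops (crash or normal
# exit), then "bt". Everything gdb prints goes to LOGFILE.
capture_backtrace() {
    log="$1"
    shift
    gdb -batch -ex run -ex bt --args "$@" > "$log" 2>&1
}

# frame_count LOGFILE
# Number of backtrace frames ("#0 ...", "#1 ...") in the log. 0 means the
# program never stopped inside gdb (or gdb is missing), so the log is not
# worth posting yet.
frame_count() {
    grep -c '^#[0-9][0-9]* ' "$1"
}

# signal_line LOGFILE
# The "Program received signal ..." line, to confirm the stop really was a
# SIGSEGV and not a clean exit. Prints nothing if no such line exists.
signal_line() {
    grep '^Program received signal' "$1" | head -n 1
}

# Constructed sample of what gdb prints on a segfault, so this file can be
# run as-is. Function, file and address values are made up.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a3e1c2 in example_uninit (state=0x0) at example_plugin.c:42
#0  0x00007ffff7a3e1c2 in example_uninit (state=0x0) at example_plugin.c:42
#1  0x000055555555a0f4 in example_unload_all () at example_loader.c:118
#2  0x0000555555558c31 in main (argc=5, argv=0x7fffffffe2b8) at example_main.c:903
EOF

echo "signal: $(signal_line "$sample_log")"
echo "frames: $(frame_count "$sample_log")"

# Real use (placeholder command line, run from the PANDA build directory):
#   capture_backtrace crash.log arm-softmmu/qemu-system-arm <your qemu arguments>
#   frame_count crash.log
#   signal_line crash.log
```

The point of batch mode is that gdb exits on its own after the crash, so the same command can be rerun after a `make clean` and a fresh build.sh to check whether the backtrace changed; the first frames in crash.log are what the list will want to see.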