[panda-users] taint segmentation fault
Brendan Dolan-Gavitt
brendandg at gatech.edu
Tue Apr 21 00:04:57 EDT 2015
Ok! Another option is to try making a recording with only 256M of RAM,
which would need only 4GB to replay.
One last thing you can try – it is possible that the taint system will
not actually use all of the memory it allocates. In this case, if you
allow the kernel to overcommit memory it may succeed. You can do this
either by setting /proc/sys/vm/overcommit_memory to 1 or by setting
/proc/sys/vm/overcommit_ratio to a higher value. There are more
details about this feature here:
https://www.kernel.org/doc/Documentation/vm/overcommit-accounting
-Brendan
On Mon, Apr 20, 2015 at 11:54 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> Sorry, I made a mistake: my RAM size is:
> (free -g)
>                    total   used   free   shared   buffers   cached
> Mem:                   7      6      1        0         0        2
> -/+ buffers/cache:     3      4
> Swap:                  0      0      0
>
> Before, I mistook the size of the hardware...
>
> It is unlimited.
> I think I should increase the memory chips.
> Thanks!
>
> 2015-04-20 23:36 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>
>> It is still not able to allocate the memory for the taint system, it
>> seems (based on the "Cannot allocate memory" part). Since you said
>> your host system has 16GB of RAM, I'm not sure what else could be the
>> problem.
>>
>> Do you have any memory quota set up on your system? (for example, does
>> "ulimit -v" show any limits on the amount of memory you're allowed to
>> allocate in a single process?)
>>
>> -Brendan
>>
>> On Mon, Apr 20, 2015 at 11:28 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>> wrote:
>> > Used the new version, but still segfault :(
>> >
>> > opening nondet log for read : /home/shentanli/pandanew/scripts/api414-4-20-rr-nondet.log
>> > api414-4-20: 81316759 ( 1.04%) instrs. 7.49 sec. 0.61 GB ram.
>> > api414-4-20: 156342747 ( 2.00%) instrs. 16.14 sec. 0.69 GB ram.
>> > api414-4-20: 234368551 ( 3.00%) instrs. 25.29 sec. 0.76 GB ram.
>> > api414-4-20: 312493247 ( 4.00%) instrs. 36.09 sec. 0.83 GB ram.
>> > api414-4-20: 390616091 ( 5.00%) instrs. 44.62 sec. 0.87 GB ram.
>> > api414-4-20: 468738195 ( 6.00%) instrs. 50.08 sec. 0.90 GB ram.
>> > api414-4-20: 547631582 ( 7.01%) instrs. 54.95 sec. 0.93 GB ram.
>> > api414-4-20: 624983872 ( 8.00%) instrs. 58.64 sec. 0.94 GB ram.
>> > api414-4-20: 703122355 ( 9.00%) instrs. 61.98 sec. 0.94 GB ram.
>> > api414-4-20: 783198179 ( 10.03%) instrs. 65.80 sec. 0.95 GB ram.
>> > READ Match of str 0 at: instr_count=812336749 : 72a7562e b6cb2e02 0d36c000
>> > tstringsearch: thestring = [passwordisqemu]
>> > tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
>> > tstringsearch: string in memory @ 0xa70d6212
>> > enabling taint at instr count 812336749
>> > taint2: __taint_enable_taint
>> > taint2: Creating byte-level taint processor
>> > taint2: Allocating large fast_shad (8589934592 bytes).
>> > taint2: Hugetlb failed. Trying without.
>> > Cannot allocate memory
>> > taint2: Allocating small fast_shad (12800000 bytes) using malloc @ 7f38ff62e010.
>> > taint2: Allocating small fast_shad (256 bytes) using malloc @ 17cda900.
>> > taint2: Allocating small fast_shad (1024 bytes) using malloc @ 17cd91f0.
>> > taint2: Allocating small fast_shad (867840 bytes) using malloc @ 17d24e70.
>> > taint2: Linking taint ops from /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_taint2_ops.bc
>> > taint2: Done initializing taint transformation.
>> > taint2: Done processing helper functions for taint.
>> > taint2: Done verifying module. Running...
>> >
>> >
>> > ****************************************************************************
>> > applying taint labels to search string of length 14 @ p=0xa70d6212
>> >
>> > ******************************************************************************
>> > Segmentation fault
>> >
>> >
>> > 2015-04-20 23:18 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>> >
>> >> That was caused by some code that was left in by mistake from another
>> >> branch of the project. I have fixed it and pushed the change. Once
>> >> again you will need to do git pull && make clean && ./build.sh to
>> >> rebuild.
>> >>
>> >> Hopefully this will fix things for you!
>> >>
>> >> -Brendan
>> >>
>> >> On Mon, Apr 20, 2015 at 11:11 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>> >> wrote:
>> >> > It is the path that caused the termination.
>> >> > I can find panda_hypercall_struct.h in the
>> >> > /qemu/panda_tools/pirate_utils/linux directory.
>> >> >
>> >> > 2015-04-20 23:02 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >> >
>> >> >> While rebuilding:
>> >> >> taint2.cpp:109:61: fatal error: ../../../../lava/include/panda_hypercall_struct.h: No such file or directory
>> >> >> compilation terminated.
>> >> >> Missing some files to push?
>> >> >>
>> >> >>
>> >> >> 2015-04-20 22:56 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >> >>
>> >> >>> You mean that it was caused by "allocate at a fixed address"?
>> >> >>> I am going to try it, and thanks.
>> >> >>>
>> >> >>> 2015-04-20 22:53 GMT-04:00 Brendan Dolan-Gavitt
>> >> >>> <brendandg at gatech.edu>:
>> >> >>>
>> >> >>>> Ah! I forgot to push the commit I made to stop it from trying to
>> >> >>>> allocate at a fixed address.
>> >> >>>>
>> >> >>>> Could you do a git pull, rebuild, and try again?
>> >> >>>>
>> >> >>>> -Brendan
>> >> >>>>
>> >> >>>> On Mon, Apr 20, 2015 at 10:51 PM, xiaojuan Li
>> >> >>>> <xiaotan6666 at gmail.com>
>> >> >>>> wrote:
>> >> >>>> > 1. The command I use is:
>> >> >>>> > ./qemu-system-arm -m 512 -replay api414-4-20 -M android_arm -kernel /dev/null -android -panda "stringsearch:name=test;tstringsearch;tainted_instr"
>> >> >>>> > 2. The output is:
>> >> >>>> > Adding PANDA arg stringsearch:name=test.
>> >> >>>> > adding /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_stringsearch.so to panda_plugin_files 0
>> >> >>>> > adding /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tstringsearch.so to panda_plugin_files 1
>> >> >>>> > adding /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tainted_instr.so to panda_plugin_files 2
>> >> >>>> > emulator: registered 'boot-properties' qemud service
>> >> >>>> > emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'
>> >> >>>> > emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'
>> >> >>>> > emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'
>> >> >>>> > loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_stringsearch.so
>> >> >>>> > Initializing plugin stringsearch
>> >> >>>> > panda_require: callstack_instr
>> >> >>>> > loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_callstack_instr.so
>> >> >>>> > Initializing plugin callstack_instr
>> >> >>>> > Success
>> >> >>>> > stringsearch: added string of length 14 to search set
>> >> >>>> > Success
>> >> >>>> > loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tstringsearch.so
>> >> >>>> > Initializing tstringsearch
>> >> >>>> > panda_require: stringsearch
>> >> >>>> > panda_load_plugin: /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_stringsearch.so already loaded
>> >> >>>> > panda_require: taint2
>> >> >>>> > loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_taint2.so
>> >> >>>> > Initializing taint plugin
>> >> >>>> > taint2: Instructed not to inline taint ops.
>> >> >>>> > panda_require: callstack_instr
>> >> >>>> > panda_load_plugin: /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_callstack_instr.so already loaded
>> >> >>>> > Success
>> >> >>>> > Success
>> >> >>>> > loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tainted_instr.so
>> >> >>>> > panda_require: taint2
>> >> >>>> > panda_load_plugin: /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_taint2.so already loaded
>> >> >>>> > panda_require: callstack_instr
>> >> >>>> > panda_load_plugin: /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_callstack_instr.so already loaded
>> >> >>>> > Success
>> >> >>>> > goldfish_add_device: goldfish_device_bus, base ff001000 1000, irq 1 1
>> >> >>>> > goldfish_device_bus: ff001000 30
>> >> >>>> > goldfish_add_device: goldfish_int, base ff000000 1000, irq 0 0
>> >> >>>> > goldfish_int: ff000000 38
>> >> >>>> > goldfish_add_device: goldfish_timer, base ff003000 1000, irq 3 1
>> >> >>>> > goldfish_timer: ff003000 40
>> >> >>>> > goldfish_add_device: goldfish_rtc, base ff010000 1000, irq 10 1
>> >> >>>> > goldfish_rtc: ff010000 48
>> >> >>>> > goldfish_add_device: goldfish_tty, base ff002000 1000, irq 4 1
>> >> >>>> > goldfish_tty: ff002000 50
>> >> >>>> > android_arm_init serial 1 0
>> >> >>>> > android_arm_init serial 2 0
>> >> >>>> > android_arm_init serial 3 0
>> >> >>>> > goldfish_add_device: smc91x, base ff011000 1000, irq 11 1
>> >> >>>> > goldfish_add_device: goldfish_fb, base ff012000 1000, irq 12 1
>> >> >>>> > goldfish_fb: ff012000 68
>> >> >>>> > Using tmpfile for SD card: /tmp/android-shentanli/emulator-P6kmpf
>> >> >>>> > goldfish_add_device: goldfish_mmc, base ff005000 1000, irq 13 1
>> >> >>>> > goldfish_mmc: ff005000 70
>> >> >>>> > goldfish_add_device: goldfish_memlog, base ff006000 1000, irq 0 0
>> >> >>>> > goldfish_memlog: ff006000 78
>> >> >>>> > goldfish_add_device: goldfish-battery, base ff013000 1000, irq 14 1
>> >> >>>> > goldfish-battery: ff013000 80
>> >> >>>> > goldfish_add_device: goldfish_events, base ff014000 1000, irq 15 1
>> >> >>>> > goldfish_events: ff014000 88
>> >> >>>> > Using event IRQ
>> >> >>>> > Invalid system partition size for non-QCOW image: 0
>> >> >>>> > emulator: geometry says there are 0 blocks
>> >> >>>> > emulator: Dev size of /tmp/android-shentanli/emulator-jxC2Uf is 0
>> >> >>>> > Invalid data partition size for non-QCOW image: 0
>> >> >>>> > emulator: Dev size 0x0 came from argument
>> >> >>>> > emulator: geometry says there are 0 blocks
>> >> >>>> > emulator: Dev size of /tmp/android-shentanli/emulator-2FZLqg is 0
>> >> >>>> > emulator: Dev size 0x0 came from argument
>> >> >>>> > emulator: geometry says there are 0 blocks
>> >> >>>> > emulator: Dev size of /tmp/android-shentanli/emulator-lyszWg is 0
>> >> >>>> > goldfish_add_device: goldfish_nand, base ff015000 1000, irq 16 1
>> >> >>>> > goldfish_nand: ff015000 90
>> >> >>>> > goldfish_add_device: qemu_pipe, base ff016000 2000, irq 17 1
>> >> >>>> > qemu_pipe: ff016000 98
>> >> >>>> > emulator: control console listening on port 5554, ADB on port 5555
>> >> >>>> > emulator: can't connect to ADB server: Connection refused
>> >> >>>> > emulator: Realistic sensor emulation is not available, since the remote controller is not accessible: Connection refused
>> >> >>>> > loading snapshot
>> >> >>>> > emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'
>> >> >>>> > emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'
>> >> >>>> > emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'
>> >> >>>> > Unknown savevm section or instance 'goldfish_tty' 1
>> >> >>>> > ... done.
>> >> >>>> >
>> >> >>>> > Logging all cpu states
>> >> >>>> > CPU #0:
>> >> >>>> > R00=00000000 R01=c049bcb8 R02=00000000 R03=00000000
>> >> >>>> > R04=c0480000 R05=c04b9948 R06=c048fd34 R07=c047b374
>> >> >>>> > R08=c0a05100 R09=410fc090 R10=00000000 R11=00000000
>> >> >>>> > R12=c049bcb8 R13=c0481fb0 R14=c000e3f4 R15=c00158c8
>> >> >>>> > PSR=60000093 -ZC- A svc32
>> >> >>>> > opening nondet log for read : /home/shentanli/pandanew/scripts/api414-4-20-rr-nondet.log
>> >> >>>> > api414-4-20: 81316759 ( 1.04%) instrs. 7.52 sec. 0.61 GB ram.
>> >> >>>> > api414-4-20: 156342747 ( 2.00%) instrs. 15.90 sec. 0.69 GB ram.
>> >> >>>> > api414-4-20: 234368551 ( 3.00%) instrs. 24.93 sec. 0.76 GB ram.
>> >> >>>> > api414-4-20: 312493247 ( 4.00%) instrs. 35.45 sec. 0.83 GB ram.
>> >> >>>> > api414-4-20: 390616091 ( 5.00%) instrs. 43.97 sec. 0.87 GB ram.
>> >> >>>> > api414-4-20: 468738195 ( 6.00%) instrs. 49.32 sec. 0.90 GB ram.
>> >> >>>> > api414-4-20: 547631582 ( 7.01%) instrs. 54.12 sec. 0.93 GB ram.
>> >> >>>> > api414-4-20: 624983872 ( 8.00%) instrs. 57.67 sec. 0.94 GB ram.
>> >> >>>> > api414-4-20: 703122355 ( 9.00%) instrs. 60.94 sec. 0.94 GB ram.
>> >> >>>> > api414-4-20: 783198179 ( 10.03%) instrs. 64.60 sec. 0.95 GB ram.
>> >> >>>> > READ Match of str 0 at: instr_count=812336749 : 72a7562e b6cb2e02 0d36c000
>> >> >>>> > tstringsearch: thestring = [passwordisqemu]
>> >> >>>> > tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
>> >> >>>> > tstringsearch: string in memory @ 0xa70d6212
>> >> >>>> > enabling taint at instr count 812336749
>> >> >>>> > taint2: __taint_enable_taint
>> >> >>>> > taint2: Creating byte-level taint processor
>> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x10000000000.
>> >> >>>> > taint2: Hugetlb failed. Trying without.
>> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x20000000000.
>> >> >>>> > taint2: Hugetlb failed. Trying without.
>> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x30000000000.
>> >> >>>> > taint2: Hugetlb failed. Trying without.
>> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x40000000000.
>> >> >>>> > taint2: Hugetlb failed. Trying without.
>> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x50000000000.
>> >> >>>> > taint2: Hugetlb failed. Trying without.
>> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x60000000000.
>> >> >>>> > taint2: Hugetlb failed. Trying without.
>> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x70000000000.
>> >> >>>> > taint2: Hugetlb failed. Trying without.
>> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x80000000000.
>> >> >>>> > taint2: Hugetlb failed. Trying without.
>> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x90000000000.
>> >> >>>> > taint2: Hugetlb failed. Trying without.
>> >> >>>> > Cannot allocate memory
>> >> >>>> > taint2: Allocating small fast_shad (12800000 bytes) using malloc @ 7f8b608d0010.
>> >> >>>> > taint2: Allocating small fast_shad (256 bytes) using malloc @ 16be2a70.
>> >> >>>> > taint2: Allocating small fast_shad (1024 bytes) using malloc @ 171c3540.
>> >> >>>> > taint2: Allocating small fast_shad (867840 bytes) using malloc @ 1720ddd0.
>> >> >>>> > taint2: Linking taint ops from /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_taint2_ops.bc
>> >> >>>> > taint2: Done initializing taint transformation.
>> >> >>>> > taint2: Done processing helper functions for taint.
>> >> >>>> > taint2: Done verifying module. Running...
>> >> >>>> >
>> >> >>>> > ****************************************************************************
>> >> >>>> > applying taint labels to search string of length 14 @ p=0xa70d6212
>> >> >>>> > ******************************************************************************
>> >> >>>> > Segmentation fault
>> >> >>>> >
>> >> >>>> >
>> >> >>>> > 2015-04-20 22:42 GMT-04:00 Brendan Dolan-Gavitt
>> >> >>>> > <brendandg at gatech.edu>:
>> >> >>>> >
>> >> >>>> >> I am currently running your taint replay, and it is (so far) working
>> >> >>>> >> fine. Here is the (slightly abbreviated) output I get:
>> >> >>>> >>
>> >> >>>> >> api414-4-20: 783198179 ( 10.03%) instrs. 218.26 sec. 0.96 GB ram.
>> >> >>>> >> READ Match of str 0 at: instr_count=812336749 : 72a7562e b6cb2e02 0d36c000
>> >> >>>> >> tstringsearch: thestring = [passwordisqemu]
>> >> >>>> >> tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
>> >> >>>> >> tstringsearch: string in memory @ 0xa70d6212
>> >> >>>> >> enabling taint at instr count 812336749
>> >> >>>> >> taint2: __taint_enable_taint
>> >> >>>> >> taint2: Creating byte-level taint processor
>> >> >>>> >> taint2: Allocating large fast_shad (8589934592 bytes).
>> >> >>>> >> taint2: Hugetlb failed. Trying without.
>> >> >>>> >> taint2: Allocating small fast_shad (12800000 bytes) using malloc @ 7fdd165c6010.
>> >> >>>> >> taint2: Allocating small fast_shad (256 bytes) using malloc @ 7fdd0bec21a0.
>> >> >>>> >> taint2: Allocating small fast_shad (1024 bytes) using malloc @ 7fdcfc49ddc0.
>> >> >>>> >> taint2: Allocating small fast_shad (867840 bytes) using malloc @ 7fdcfc4e7db0.
>> >> >>>> >> taint2: Linking taint ops from /scratch/git/pandroid/qemu/arm-softmmu/panda_plugins/panda_taint2_ops.bc
>> >> >>>> >> taint2: Done initializing taint transformation.
>> >> >>>> >> taint2: Done processing helper functions for taint.
>> >> >>>> >> taint2: Done verifying module. Running...
>> >> >>>> >>
>> >> >>>> >> ****************************************************************************
>> >> >>>> >> applying taint labels to search string of length 14 @ p=0xa70d6212
>> >> >>>> >> ******************************************************************************
>> >> >>>> >> READ Match of str 0 at: instr_count=812336765 : 72a7562e b6cb2a2a 0d36c000
>> >> >>>> >> tstringsearch: thestring = [passwordisqemu]
>> >> >>>> >> tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
>> >> >>>> >> tstringsearch: string in memory @ 0xa70d6212
>> >> >>>> >> ****************************************************************************
>> >> >>>> >> applying taint labels to search string of length 14 @ p=0xa70d6212
>> >> >>>> >> ******************************************************************************
>> >> >>>> >> READ Match of str 0 at: instr_count=812337316 : 72a7562e b6cb2e4a 0d36c000
>> >> >>>> >> tstringsearch: thestring = [passwordisqemu]
>> >> >>>> >> tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
>> >> >>>> >> tstringsearch: string in memory @ 0xa70d6212
>> >> >>>> >> ****************************************************************************
>> >> >>>> >> applying taint labels to search string of length 14 @ p=0xa70d6212
>> >> >>>> >> ******************************************************************************
>> >> >>>> >> READ Match of str 0 at: instr_count=812337331 : 72a7562e b6cb2a2a 0d36c000
>> >> >>>> >> tstringsearch: thestring = [passwordisqemu]
>> >> >>>> >> tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
>> >> >>>> >> tstringsearch: string in memory @ 0xa70d6212
>> >> >>>> >> ****************************************************************************
>> >> >>>> >> applying taint labels to search string of length 14 @ p=0xa70d6212
>> >> >>>> >> ******************************************************************************
>> >> >>>> >> api414-4-20: 859399601 ( 11.00%) instrs. 658.13 sec. 3.27 GB ram.
>> >> >>>> >> api414-4-20: 937474512 ( 12.00%) instrs. 1017.48 sec. 4.70 GB ram.
>> >> >>>> >> api414-4-20: 1015597970 ( 13.00%) instrs. 1265.76 sec. 5.58 GB ram.
>> >> >>>> >>
>> >> >>>> >> My command line to replay was:
>> >> >>>> >>
>> >> >>>> >> arm-softmmu/qemu-system-arm -m 512 -replay api414-4-20 -M android_arm -cpu cortex-a9 -android -kernel /dev/null -pandalog api.log -panda 'stringsearch:name=api;tstringsearch;tainted_instr'
>> >> >>>> >>
>> >> >>>> >> From the screenshot you posted earlier, it looks like yours had
>> >> >>>> >> already failed by this point. If you are still getting a segfault
>> >> >>>> >> with this replay, could you post:
>> >> >>>> >>
>> >> >>>> >> 1. The full command line you are using (as text, not a screenshot)
>> >> >>>> >> 2. The full output from PANDA up to the point where the segfault
>> >> >>>> >> happens (as text, not a screenshot)
>> >> >>>> >>
>> >> >>>> >> -Brendan
>> >> >>>> >>
>> >> >>>> >> On Mon, Apr 20, 2015 at 7:57 PM, xiaojuan Li
>> >> >>>> >> <xiaotan6666 at gmail.com>
>> >> >>>> >> wrote:
>> >> >>>> >> > I know you are busy.
>> >> >>>> >> > I just get stuck in this taint step but have no idea how to fix
>> >> >>>> >> > it... (I used a core dump to find where it segfaults.)
>> >> >>>> >> > Here is the 512M version:
>> >> >>>> >> > http://pan.baidu.com/s/1mgopzIg
>> >> >>>> >> > The content of the search string .txt is "passwordisqemu".
>> >> >>>> >> > Thanks!
>> >> >>>> >> >
>> >> >>>> >> > 2015-04-20 11:32 GMT-04:00 Brendan Dolan-Gavitt
>> >> >>>> >> > <brendandg at gatech.edu>:
>> >> >>>> >> >
>> >> >>>> >> >> I will try to reproduce from those instructions in the next
>> >> >>>> >> >> couple days. Sorry for the delay! Did you post the .rr of the
>> >> >>>> >> >> recording with 512M somewhere? I only saw the 2G one.
>> >> >>>> >> >>
>> >> >>>> >> >> Thanks,
>> >> >>>> >> >> Brendan
>> >> >>>> >> >>
>> >> >>>> >> >> On Mon, Apr 20, 2015 at 8:07 AM, xiaojuan Li
>> >> >>>> >> >> <xiaotan6666 at gmail.com>
>> >> >>>> >> >> wrote:
>> >> >>>> >> >>>
>> >> >>>> >> >>> About the taint segfault, if you cannot download that .rr I
>> >> >>>> >> >>> uploaded before, you can follow these steps to reproduce:
>> >> >>>> >> >>> 1) Use Android Studio to create an AVD, choose the api21 target
>> >> >>>> >> >>> (Android 5.0.1) and use the default size; you get cache-img,
>> >> >>>> >> >>> sdcard.img, data.img and system.img, and then copy kernel-qemu &
>> >> >>>> >> >>> rmdisk.img from sdk/systemimg;
>> >> >>>> >> >>> 2) Use pandaCovert.py to convert them and get
>> >> >>>> >> >>> (cache,data,system)-pandroid.qcow2 as well as the kernel and
>> >> >>>> >> >>> initramfs;
>> >> >>>> >> >>> 3) Use runpandroid.py (-m 512) to boot the emulator; telnet in
>> >> >>>> >> >>> and begin_record;
>> >> >>>> >> >>> 4) Run an app and input a string; end_record;
>> >> >>>> >> >>> 5) Use qemu-system-arm to replay (-m 512) with the panda plugins
>> >> >>>> >> >>> stringsearch, tstringsearch, tainted_instr (the search string
>> >> >>>> >> >>> .txt is the string you input).
>> >> >>>> >> >>>
>> >> >>>> >> >>> Do you guys get the segfault?
>> >> >>>> >> >>> How can I fix it?
>> >> >>>> >> >>> Thanks a lot!
>> >> >>>> >> >>>
>> >> >>>> >> >>> 2015-04-20 17:51 GMT+08:00 xiaojuan Li
>> >> >>>> >> >>> <xiaotan6666 at gmail.com>:
>> >> >>>> >> >>>>
>> >> >>>> >> >>>> Excuse me, I have noticed that the ida_taint plugin says "win7
>> >> >>>> >> >>>> only but other OS could be easily added".
>> >> >>>> >> >>>> I have installed IDA Pro on my system (Debian) and modified
>> >> >>>> >> >>>> ida_taint.bat with my IDA path; when I use it
>> >> >>>> >> >>>> (./ida_taint.bat name.json qemu-system-arm) it fails. It seems
>> >> >>>> >> >>>> not to be available on Linux, is it?
>> >> >>>> >> >>>> Thanks a lot!
>> >> >>>> >> >>>>
>> >> >>>> >> >>>>
>> >> >>>> >> >>>> 2015-04-10 21:24 GMT-04:00 Brendan Dolan-Gavitt
>> >> >>>> >> >>>> <brendandg at gatech.edu>:
>> >> >>>> >> >>>>
>> >> >>>> >> >>>>> Once you have used PANDA's taint system to identify the
>> >> >>>> >> >>>>> portions of the code that process the data you're interested
>> >> >>>> >> >>>>> in, you will still have to analyze that code to understand how
>> >> >>>> >> >>>>> it works. One way to do that might be to use the scissors
>> >> >>>> >> >>>>> plugin to extract out the portion of the trace that contains
>> >> >>>> >> >>>>> the code you're interested in, and then replay it with QEMU's
>> >> >>>> >> >>>>> "-d in_asm -D asmlog.txt" options to get the disassembly for
>> >> >>>> >> >>>>> that code.
>> >> >>>> >> >>>>>
>> >> >>>> >> >>>>> Alternatively, you could take a memory snapshot at some point
>> >> >>>> >> >>>>> when the code you want to analyze is in memory (using something
>> >> >>>> >> >>>>> like the pmemsave plugin in PANDA), then use Volatility to
>> >> >>>> >> >>>>> analyze that memory image to extract out the binary, which you
>> >> >>>> >> >>>>> could look at in IDA or something similar.
>> >> >>>> >> >>>>>
>> >> >>>> >> >>>>> Basically – disassemble the code that handles the data you're
>> >> >>>> >> >>>>> interested in and find out how it works. Exactly what that
>> >> >>>> >> >>>>> means will depend on what you're hoping to accomplish.
>> >> >>>> >> >>>>>
>> >> >>>> >> >>>>> -Brendan
>> >> >>>> >> >>>>>
>> >> >>>> >> >>>>> On Fri, Apr 10, 2015 at 9:07 PM, xiaojuan Li
>> >> >>>> >> >>>>> <xiaotan6666 at gmail.com>
>> >> >>>> >> >>>>> wrote:
>> >> >>>> >> >>>>>>
>> >> >>>> >> >>>>>> Hi,
>> >> >>>> >> >>>>>> Thanks for your work first.
>> >> >>>> >> >>>>>> I am a little confused about the taint result. How can I get
>> >> >>>> >> >>>>>> enough information about the processing code from the
>> >> >>>> >> >>>>>> binary? Use gdb?
>> >> >>>> >> >>>>>> Thanks!
>> >> >>>> >> >>>>>>
>> >> >>>> >> >>>>>> 2015-04-10 12:05 GMT+08:00 xiaojuan Li
>> >> >>>> >> >>>>>> <xiaotan6666 at gmail.com>:
>> >> >>>> >> >>>>>>>
>> >> >>>> >> >>>>>>> Thanks for your guys' great work!
>> >> >>>> >> >>>>>>> I will try.
>> >> >>>> >> >>>>>>>
>> >> >>>> >> >>>>>>> 2015-04-10 11:42 GMT+08:00 Brendan Dolan-Gavitt
>> >> >>>> >> >>>>>>> <brendandg at gatech.edu>:
>> >> >>>> >> >>>>>>>>
>> >> >>>> >> >>>>>>>> Hi,
>> >> >>>> >> >>>>>>>>
>> >> >>>> >> >>>>>>>> Tim has just updated the tainted_instructions tutorial so
>> >> >>>> >> >>>>>>>> that it reflects how things work now. Could you look through
>> >> >>>> >> >>>>>>>> that tutorial and see if it helps with your problem?
>> >> >>>> >> >>>>>>>>
>> >> >>>> >> >>>>>>>> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>> >> >>>> >> >>>>>>>>
>> >> >>>> >> >>>>>>>> Note that you will probably need to do a "git pull" and
>> >> >>>> >> >>>>>>>> rebuild (make clean ; ./build.sh) in order to make sure
>> >> >>>> >> >>>>>>>> everything works as it says in the tutorial.
>> >> >>>> >> >>>>>>>>
>> >> >>>> >> >>>>>>>> -Brendan
>> >> >>>> >> >>>>>>>>
>> >> >>>> >> >>>>>>>> On Thu, Apr 9, 2015 at 9:30 AM, xiaojuan Li
>> >> >>>> >> >>>>>>>> <xiaotan6666 at gmail.com>
>> >> >>>> >> >>>>>>>> wrote:
>> >> >>>> >> >>>>>>>>>
>> >> >>>> >> >>>>>>>>> Now that the panda taint.md is not fresh, can you guys give
>> >> >>>> >> >>>>>>>>> me some help?
>> >> >>>> >> >>>>>>>>> I use the replay plugin; here are my command and the result.
>> >> >>>> >> >>>>>>>>>
>> >> >>>> >> >>>>>>>>> The content of pk_search_strings.txt is: "sdt"
>> >> >>>> >> >>>>>>>>>
>> >> >>>> >> >>>>>>>>> I am confused here: in the paper (Repeatable reverse with
>> >> >>>> >> >>>>>>>>> panda) it is clear that if I use the stringsearch and taint
>> >> >>>> >> >>>>>>>>> plugin, when it matches, the taint label will be put and then
>> >> >>>> >> >>>>>>>>> the taint action will start. But when I use it, it seems
>> >> >>>> >> >>>>>>>>> wrong (the picture showed before): no taint action executes,
>> >> >>>> >> >>>>>>>>> and I am confused about the tstringsearch's result.
>> >> >>>> >> >>>>>>>>> How can I use it for analysis?
>> >> >>>> >> >>>>>>>>> Thanks a lot!
>> >> >>>> >> >>>>>>>>>
>> >> >>>> >> >>>>>>>>>
>> >> >>>> >> >>>>>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li
>> >> >>>> >> >>>>>>>>> <xiaotan6666 at gmail.com>:
>> >> >>>> >> >>>>>>>>>>
>> >> >>>> >> >>>>>>>>>> I get the replay file by running the runandroid script,
>> >> >>>> >> >>>>>>>>>> and I use the qemu-system-arm command just to do some
>> >> >>>> >> >>>>>>>>>> replay work.
>> >> >>>> >> >>>>>>>>>> I may not understand you at all in this email. Do you mean
>> >> >>>> >> >>>>>>>>>> that I should gdb the original program rather than the
>> >> >>>> >> >>>>>>>>>> record file?
>> >> >>>> >> >>>>>>>>>> Thanks
>> >> >>>> >> >>>>>>>>>>
>> >> >>>> >> >>>>>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt
>> >> >>>> >> >>>>>>>>>> <brendandg at gatech.edu>:
>> >> >>>> >> >>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>> Hmm. gdb should normally stop when you get a segfault.
>> >> >>>> >> >>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>> Are you by any chance running PANDA using the runandroid
>> >> >>>> >> >>>>>>>>>>> script? If so, you will need to instead invoke PANDA
>> >> >>>> >> >>>>>>>>>>> manually, i.e.:
>> >> >>>> >> >>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>> >> >>>> >> >>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>> And then once it crashes, type "bt" at the gdb prompt to
>> >> >>>> >> >>>>>>>>>>> get a backtrace.
>> >> >>>> >> >>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>> -Brendan
>> >> >>>> >> >>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li
>> >> >>>> >> >>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>> >> >>>> >> >>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>> When I run gdb, it shows:
>> >> >>>> >> >>>>>>>>>>>> and then I see the log: it shows a segfault:
>> >> >>>> >> >>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li
>> >> >>>> >> >>>>>>>>>>>> <xiaotan6666 at gmail.com>:
>> >> >>>> >> >>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>> Maybe I am wrong.
>> >> >>>> >> >>>>>>>>>>>>> I use the command line
>> >> >>>> >> >>>>>>>>>>>>> "taint2:label_mode=binary,query_outgoing_network=1"
>> >> >>>> >> >>>>>>>>>>>>> and I found that when I use taint2, after it loads
>> >> >>>> >> >>>>>>>>>>>>> panda_taint2.so, it shows:
>> >> >>>> >> >>>>>>>>>>>>> "taint2:instructed not to inline taint ops .success".
>> >> >>>> >> >>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li
>> >> >>>> >> >>>>>>>>>>>>> <xiaotan6666 at gmail.com>:
>> >> >>>> >> >>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>> OK.
>> >> >>>> >> >>>>>>>>>>>>>> 1. I want to use the taint plugin to get information
>> >> >>>> >> >>>>>>>>>>>>>> about some functions (of course, they are closed-source),
>> >> >>>> >> >>>>>>>>>>>>>> so I think I can stringsearch potential data and then
>> >> >>>> >> >>>>>>>>>>>>>> taint them, and next I can locate the functions which
>> >> >>>> >> >>>>>>>>>>>>>> solve these data.
>> >> >>>> >> >>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>> 2. The command line I used is:
>> >> >>>> >> >>>>>>>>>>>>>> stringsearch:name=***;taint2:tainted_instructions=1
>> >> >>>> >> >>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>> Thanks
>> >> >>>> >> >>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt
>> >> >>>> >> >>>>>>>>>>>>>> <brendandg at gatech.edu>:
>> >> >>>> >> >>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>> Could you provide:
>> >> >>>> >> >>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>> 1. What information you're trying to get
>> >> >>>> >> >>>>>>>>>>>>>>> 2. The command line you're using to run PANDA with
>> >> >>>> >> >>>>>>>>>>>>>>> the taint2 plugin
>> >> >>>> >> >>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>> ?
>> >> >>>> >> >>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>> Right now I believe taint2 does not produce very much
>> >> >>>> >> >>>>>>>>>>>>>>> output by default. Instead you use the -pandalog
>> >> >>>> >> >>>>>>>>>>>>>>> <filename> command line option, and taint2 will write
>> >> >>>> >> >>>>>>>>>>>>>>> its results there in pandalog format; you can then
>> >> >>>> >> >>>>>>>>>>>>>>> read them using pandalog_reader (see
>> >> >>>> >> >>>>>>>>>>>>>>> panda/pandalog_reader.c for details on that tool).
>> >> >>>> >> >>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>> -Brendan
>> >> >>>> >> >>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li
>> >> >>>> >> >>>>>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>> >> >>>> >> >>>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>>> When I tried taint2, it showed the same error as
>> >> >>>> >> >>>>>>>>>>>>>>>> taint1; the only difference is that taint2 has no
>> >> >>>> >> >>>>>>>>>>>>>>>> segfault error, just "uninit taint plugin".
>> >> >>>> >> >>>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt
>> >> >>>> >> >>>>>>>>>>>>>>>> <brendandg at gatech.edu>:
>> >> >>>> >> >>>>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>>>> Could you be a little more descriptive about how it
>> >> >>>> >> >>>>>>>>>>>>>>>>> failed? Segfault? Error message? Incorrect output?
>> >> >>>> >> >>>>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>>>> -Brendan
>> >> >>>> >> >>>>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li
>> >> >>>> >> >>>>>>>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>> >> >>>> >> >>>>>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>>>>> I tried taint2 too; it failed.
>> >> >>>> >> >>>>>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL
>> >> >>>> >> >>>>>>>>>>>>>>>>>> <tleek at ll.mit.edu>:
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> defunct. “taint2” is the one we are actively using
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> and developing.
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> --
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> Tim Leek
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> Technical Staff
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> Cyber System Assessments
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> MIT Lincoln Laboratory
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> 781-981-2975
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> <brendandg at gatech.edu>
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> Cc: "panda-users at mit.edu"
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> <panda-users at mit.edu>
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> backtrace when it crashes?
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> -Brendan
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li
>> >> >>>> >> >>>>>>>>>>>>>>>>>>> <xiaotan6666 at gmail.com> wrote:
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>> Hi,
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>> plugin: (stringsearch:name=***;taint:tainted_instructions=1)
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>> When I started it, it showed success:
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>> but when it finished searching, it showed "uninit
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>> taint plugin segmentation fault"
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>>
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>> How can I fix it?
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>> Thanks a lot!
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>> --
>> >> >>>> >> >>>>>>>>>>>>>>>>>>>> wait and hope~~