[panda-users] file_taint question
Brendan Dolan-Gavitt
brendandg at nyu.edu
Sun Jul 17 13:34:03 EDT 2016
I *think* the reasoning was that right when PGD_CHANGED happens the
data structures that track the current process may be in transition,
and so it might not be reliable to get the current process. But I
don't know if this was actually tested. According to git-blame, Tim is
the one to ask, so hopefully he'll weigh in.
It should also be easy enough to test this hypothesis by switching it
to PGD_CHANGED on a few test cases and seeing if the results match up.
If we can get away with only invoking on PGD change that would
definitely be an improvement.
-Brendan
On Sun, Jul 17, 2016 at 1:20 PM, Manolis Stamatogiannakis
<mstamat at gmail.com> wrote:
> Hello,
>
> I was going through the file_taint plugin code and was wondering about the
> osi_foo() callback.
> https://github.com/moyix/panda/blob/master/qemu/panda_plugins/file_taint/file_taint.cpp#L386
>
> Is there any reason that the function is hooked as a
> PANDA_CB_BEFORE_BLOCK_EXEC callback rather than PANDA_CB_VMI_PGD_CHANGED
> callback?
>
> For linux it seems to me that PANDA_CB_VMI_PGD_CHANGED would yield
> equivalent results at only a tiny fraction of the invocations.
>
> Same should be true for windows as far as I can tell.
>
> Thanks,
> M.
>
--
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering