[panda-users] file_taint question

Leek, Timothy - 0559 - MITLL tleek at ll.mit.edu
Mon Jul 18 08:56:43 EDT 2016


Weighing in.  Yes, I found data structures to be unreliable for a few 10s of
basic blocks after ASID change so I monitor until they seem sane.  I'm sure
there is a better and less computationally intensive way to achieve same.
For taint, however, this sort of compute burden is dwarfed by the taint
processing itself.

Cheers.

Tim

Tim Leek
Technical Staff
Cyber System Assessments
MIT Lincoln Laboratory

From:  <panda-users-bounces at mit.edu> on behalf of Manolis Stamatogiannakis
<mstamat at gmail.com>
Date:  Sunday, July 17, 2016 at 2:45 PM
To:  Brendan Dolan-Gavitt <brendandg at nyu.edu>
Cc:  "panda-users at mit.edu" <panda-users at mit.edu>
Subject:  Re: [panda-users] file_taint question

Ah, yes. This sounds right.

I had also observed the delayed update of kernel data structures. This
happens when a new process starts. Most of the OsiProc fields were correct
at the callback time, but the process name was still that of the parent
process.

For my plugin, I opted to mark the new process as "fresh" and update the
name next time I see the process.

Thanks!

M.



2016-07-17 19:34 GMT+02:00 Brendan Dolan-Gavitt <brendandg at nyu.edu>:
> I *think* the reasoning was that right when PGD_CHANGED happens the
> data structures that track the current process may be in transition,
> and so it might not be reliable to get the current process. But I
> don't know if this was actually tested. According to git-blame, Tim is
> the one to ask, so hopefully he'll weigh in.
> 
> It should also be easy enough to test this hypothesis by switching it
> to PGD_CHANGED on a few test cases and seeing if the results match up.
> If we can get away with only invoking on PGD change that would
> definitely be an improvement.
> 
> -Brendan
> 
> On Sun, Jul 17, 2016 at 1:20 PM, Manolis Stamatogiannakis
> <mstamat at gmail.com> wrote:
>> Hello,
>>
>> I was going through the file_taint plugin code and was wondering about the
>> osi_foo() callback.
>>
>> https://github.com/moyix/panda/blob/master/qemu/panda_plugins/file_taint/file_taint.cpp#L386
>>
>> Is there any reason that the function is hooked as a
>> PANDA_CB_BEFORE_BLOCK_EXEC callback rather than PANDA_CB_VMI_PGD_CHANGED
>> callback?
>>
>> For Linux it seems to me that PANDA_CB_VMI_PGD_CHANGED would yield
>> equivalent results at only a tiny fraction of the invocations.
>>
>> Same should be true for Windows as far as I can tell.
>>
>> Thanks,
>> M.
>>
>> _______________________________________________
>> panda-users mailing list
>> panda-users at mit.edu
>> http://mailman.mit.edu/mailman/listinfo/panda-users
>
> --
> Brendan Dolan-Gavitt
> Assistant Professor, Department of Computer Science and Engineering
> NYU Tandon School of Engineering
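The policy the thread converges on (query OSI at the ASID/PGD change, mark the new process "fresh", then keep re-reading the record for a bounded number of basic blocks until it looks sane and has stopped changing, and never query again for a settled process) is simulated below. This is an added, constructed Python example, not PANDA, OSI or file_taint code: OsiProc, FreshProcessTracker, the read_osi callable (standing in for get_current_process) and the trace with the lagging process name are all assumptions; the thresholds min_watch, settle and max_watch are illustrative.

```python
from collections import namedtuple

OsiProc = namedtuple("OsiProc", "asid pid name")   # constructed stand-in for the OSI record

class FreshProcessTracker:
    def __init__(self, min_watch=20, settle=3, max_watch=200):
        self.min_watch, self.settle, self.max_watch = min_watch, settle, max_watch
        self.procs = {}       # asid -> accepted OsiProc
        self.watch = {}       # asid -> [blocks watched, agreeing reads in a row, last read]
        self.current = None
        self.osi_queries = 0  # stands in for get_current_process() calls
        self.blocks = 0

    def on_asid_changed(self, new_asid, read_osi):
        self.current = new_asid
        if new_asid in self.procs:
            return            # settled process: no OSI query at all
        self.osi_queries += 1
        self.watch.setdefault(new_asid, [0, 0, read_osi()])  # may still carry the parent's name

    def on_block_exec(self, read_osi):
        self.blocks += 1
        state = self.watch.get(self.current)
        if state is None:
            return            # not fresh: this block costs no OSI work
        self.osi_queries += 1
        proc = read_osi()
        state[0] += 1
        state[1] = state[1] + 1 if proc == state[2] else 0
        state[2] = proc
        sane = proc.asid == self.current and proc.pid != 0 and bool(proc.name)
        settled = state[0] >= self.min_watch and state[1] >= self.settle
        if (sane and settled) or state[0] >= self.max_watch:
            self.procs[self.current] = proc   # accept and stop watching
            del self.watch[self.current]

def run_constructed_trace(stale_blocks=5, blocks_per_slice=100):
    # Constructed trace: 'bash' (pid 100) starts 'cat' (pid 101); OSI still
    # reports the parent's name for stale_blocks blocks after the ASID switch.
    parent, child = OsiProc(0x1000, 100, "bash"), OsiProc(0x2000, 101, "cat")
    stale = OsiProc(0x2000, 101, "bash")       # pid already right, name lags
    t = FreshProcessTracker()
    for asid, snaps in ((0x1000, [parent] * blocks_per_slice),
                        (0x2000, [stale] * stale_blocks + [child] * (blocks_per_slice - stale_blocks)),
                        (0x1000, [parent] * blocks_per_slice)):
        t.on_asid_changed(asid, lambda: snaps[0])
        for snap in snaps:
            t.on_block_exec(lambda: snap)
    return t
```

With the defaults the tracker ends up with the correct name "cat" after 42 OSI reads across 300 blocks, whereas a BEFORE_BLOCK_EXEC hook would have read 300 times; if the name lags longer than min_watch blocks (try stale_blocks=30) the tracker settles on the stale parent name, which is exactly why the watch window has to exceed the observed lag.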


