[panda-users] taint propagation in imagemagick
Brendan Dolan-Gavitt
brendandg at nyu.edu
Thu Jul 28 21:10:53 EDT 2016
My first thought is tainted pointers. If the conversion is done via
something like greyscale_table[color_value], the
On the other hand, I think those are enabled by default (and judging
by the pull request you just opened, you already know about them).
Is it possible the conversion is done with something like the following?
if (color >= 0 && color < 64) out_color = 0;
else if (color >= 64 && color < 128) out_color = 1;
...
In that case since taint doesn't propagate through control flow it
could be lost there.
Unfortunately I think the best way to figure out what's going on is to
go and look for a taint transfer that you think should be happening
and trace where it fails to get propagated....
Patrick or Tim may be able to weigh in with other theories too.
-Brendan
On Thu, Jul 28, 2016 at 8:10 PM, Manolis Stamatogiannakis
<mstamat at gmail.com> wrote:
> Hello,
>
> I tried using taint2 plugin + file_taint plugin to track taint propagation
> of taint for Imagemagick convert.
>
> My command line was like this:
> convert image.jpg -colorspace GRAY out.jpg
>
> I use a custom plugin to query taint when writing to out.jpg. However, the
> bytes written to out.jpg appear clean.
>
> Is there an explanation for this? It could be because of the use of floating
> point instructions, but shouldn't LLVM IR handle those transparently?
>
> Thanks,
> M.
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>
--
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
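As an added illustration that is not part of this thread and not PANDA or ImageMagick code: a toy taint model in Python showing the three shapes of greyscale conversion discussed above. Explicit arithmetic carries the input's labels to the output; a table lookup carries them only if tainted-pointer propagation is on; an if/else chain produces a literal constant, so the output depends on the input through control flow alone and the labels are lost. The table, the pixel values and the label numbers (byte offsets into the input file) are constructed for the example.

```python
"""Toy dynamic taint tracker (constructed example, not PANDA's taint2)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class T:
    """A value plus the set of taint labels it carries.

    In a file-taint setup the labels would be byte offsets of the input
    file; here they are just constructed integers."""
    v: int
    labels: frozenset = field(default_factory=frozenset)


def grey_arith(r: T, g: T, b: T) -> T:
    # Explicit data flow: the result is computed from the inputs, so the
    # union of their labels propagates to the output (what taint2 does for
    # arithmetic in the LLVM IR).
    v = (r.v * 299 + g.v * 587 + b.v * 114) // 1000
    return T(v, r.labels | g.labels | b.labels)


# Constructed lookup table: 256 colour values mapped to 4 grey levels.
GREY_TABLE = [i // 64 for i in range(256)]


def grey_lookup(color: T, pointer_taint: bool = True) -> T:
    # The loaded table entry is an untainted constant. Only "tainted
    # pointer" propagation attaches the index's labels to the loaded value.
    loaded = T(GREY_TABLE[color.v])
    if pointer_taint:
        return T(loaded.v, loaded.labels | color.labels)
    return loaded


def grey_branch(color: T) -> T:
    # Control-flow dependency only: each branch stores a literal, and no
    # data flows from `color` into the stored value, so a data-flow taint
    # tracker reports the output as clean.
    if color.v < 64:
        out = T(0)
    elif color.v < 128:
        out = T(1)
    elif color.v < 192:
        out = T(2)
    else:
        out = T(3)
    return out


if __name__ == "__main__":
    px = T(100, frozenset({0x10}))
    print("arith :", grey_arith(px, T(150, frozenset({0x11})), T(200, frozenset({0x12}))))
    print("lookup:", grey_lookup(px), grey_lookup(px, pointer_taint=False))
    print("branch:", grey_branch(px))
```

Querying the labels on the output of `grey_branch` is the situation the reply describes: the value is correct, but nothing in the data-flow graph links it back to the input bytes.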