[panda-users] Iterate LabelSet in a plugin

Mon Mar 7 19:37:17 EST 2016

Hi,

You should be using taint2_labelset_ram_iter from the public API
instead, which is exported and can be used by C plugins. Have a look
at

https://github.com/moyix/panda/blob/master/docs/manual.md#plugin-api

Basically you do

#include "../taint2/taint2_ext.h"

Then in the init function of your plugin:

init_taint2_api()

And then you'll be able to use any of the functions listed in

https://github.com/moyix/panda/blob/master/qemu/panda_plugins/taint2/taint2_int_fns.h

Hope this helps,
Brendan

On Mon, Mar 7, 2016 at 7:17 PM, Hij Krix <hijkrix at gmail.com> wrote:
> Hello everyone.
> We can use 'tstringsearch' to taint labels to a string. I want to know if
> the origin string is tainted, what's the labels of each character of a
> string generated by the origin string.
> Now I have changed the tstringsearch.cpp, if there are any characters in a
> string have been tainted before, display the labelset of the string rather
> than taint on it.
> This is what I have done:
>>
>>
>> diff --git a/qemu/panda_plugins/tstringsearch/tstringsearch.cpp
>> b/qemu/panda_plugins/tstringsearch/tstringsearch.cpp
>> index ab4f21e..528b510 100644
>> --- a/qemu/panda_plugins/tstringsearch/tstringsearch.cpp
>> +++ b/qemu/panda_plugins/tstringsearch/tstringsearch.cpp
>> @@ -55,6 +55,8 @@ void uninit_plugin(void *);
>>
>>  }
>>
>> +extern Shad *shadow;
>> +
>>  #ifdef CONFIG_SOFTMMU
>>
>>  bool tstringsearch_label_on = true;
>> @@ -146,6 +148,32 @@ void tstringsearch_match(CPUState *env, target_ulong
>> pc, target_ulong addr,
>>      // yes, we can get this right. but, meh.
>>      if ((memcmp((char *)thestring, (char *)matched_string,
>> matched_string_length-1)) == 0) {
>>          printf ("tstringsearch: string in memory @ 0x%lx\n", (long
>> unsigned int) p);
>> +
>> +        bool tainted = false;
>> +        for (unsigned i=0; i<matched_string_length; i++) {
>> +            target_ulong va = p + i;
>> +            target_phys_addr_t pa = cpu_get_phys_addr(cpu_single_env,
>> va);
>> +            if (taint2_query_ram(pa)) {
>> +                tainted = true;
>> +                break;
>> +            }
>> +        }
>> +        if (tainted) {
>> +            printf ("Tainted\n");
>> +            for (unsigned i=0; i<matched_string_length; i++) {
>> +                printf ("%d:", i);
>> +                target_ulong va = p + i;
>> +                target_phys_addr_t pa = cpu_get_phys_addr(cpu_single_env,
>> va);
>> +                tp_ls_ram_iter(shadow, pa, [](uint32_t el, void *stuff)
>> ->int {
>> +                                printf ("%d,", el);
>> +                                return 0;
>> +                            }, NULL);
>> +                printf ("\n");
>> +            }
>> +            printf ("\n");
>> +            return;
>> +        }
>> +
>>          // ok this is ugly.  save pc, buffer addr and len
>>          the_pc = pc;
>>          the_buf = p;
>>
> Now I have met two problems:
> 1. 'shadow' is a global variable, but because plugins are compiled
> separately, the linker can't assign right address to 'shadow' here.
> 2. 'tp_ls_ram_iter' is declared in taint2.h, and it is written in c++, so I
> can't import it with 'extern "C"'.
>
> How to solve it, or how to change my code to make it works?
>
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>

-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering