[panda-users] A TCG-based taint plugin for Panda

Brendan Dolan-Gavitt brendandg at nyu.edu
Mon Nov 20 14:41:09 EST 2017 

Really interesting, I will have to take a look! I saw that the basic shadow
memory is essentially an unordered_map from the physical address in memory
to an std::set of labels. I'm a little surprised this is performant,
because we had tried this a few years back and found it was pretty slow
(hence our current sparse virtual memory approach).

How hard would it be to add additional helpers? (Not saying I would want
you to do it, just how hard it would be if someone later wanted to make the
taint support more complete)

On Mon, Nov 20, 2017 at 9:58 PM, Gabriele Viglianisi <vigliag at gmail.com>
wrote:

> Hi everbody,
>
> I had some difficulties with taint2, which I was unable to debug with my
> current qemu and llvm knowledge, so I decided to make a quick attempt to
> port the tcg-based taint instrumentation from Qtrace (
> https://github.com/rpaleari/qtrace), a different qemu port by @rpaleari.
> I've suprisingly managed to get something working well enough for my
> purposes (or so appears from a few tests), and I thougth I'd share it with
> you. Most of the credit goes to Roberto Paleari for publishing the original
> Qtrace code.
>
> The plugin is not a full replacement for taint2, as it's not as general or
> powerful, but it seems lighter on resources. It only supports the i386
> target, doesn't instrument helpers, and it is composed of two parts: the
> instrumentation (additional helper calls generated inside of tcg's
> frontend), and the "tcgtaint" plugin, managing the data structures, and
> exposing an interface similar to the one of taint2.
>
> The approach is probably not the cleanest, as it requires some insertions
> to qemu's tcg code, and is maybe not general enough to be included in panda.
> If by the way Panda developers are interesting in including it (in the
> main or in a separate branch), I'd be happy to do some cleanup and prepare
> a PR.
>
> All the relevant code is in ifdefs (you can grep for
> "CONFIG_QTRACE_TAINT"), and is only built when the "--enable-tcgtaint"
> switch is present. The instrumentation helper calls are only generated when
> requested via the plugin api, and shouldn't affect the performances when
> disabled.
>
> Differences with respect to taint2:
> - comparatively very light on memory (unless you actually taint a lot)
> - a little faster
> - can be enabled and disabled via the plugin api, can also be told to only
> instrument user-level code
> - doesn't instrument helpers (the main use case is being able to tell the
> provenance of some piece of data, so the focus was on getting movs, memcpys
> and similar working correctly)
> - the instrumentation is added before stores, so you safely can taint on a
> "virt_mem_after_write" callback
> - doesn't support tainting through pointer dereference
> - doesn't suppot tainted branches
> - only partial support to xmm registers (movs only)
>
> Differences with respect to the original instrumentation in qtrace:
> - it uses panda's memory functions and callbacks instead of qtrace's
> - I moved load instrumentation deeper down in tcg's frontend, so to
> support `rep mov` and similar
> - added partial support to xmm registers, in order to support `movqda`
> - some bug fixes
>
> The code still lacks some comments, copyright notices, and documentation,
> but it should work. Any comment or feedback is welcome!
>
> You can find the code at the tcgtaint branch in my repo
> https://github.com/vigliag/panda/tree/tcgtaint
>
> changes wrt panda's master are here: https://github.com/panda-re/pa
> nda/compare/master...vigliag:tcgtaint
>
> Best regards,
> Gabriele
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>
>


-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/panda-users/attachments/20171120/6ff28f2c/attachment-0001.html

More information about the panda-users mailing list