[panda-users] EXT :Re: Question about file_taint

Brendan Dolan-Gavitt brendandg at nyu.edu
Thu Dec 20 13:34:57 EST 2018


OK, I see what's going on. It looks like you are running a 32-bit guest
under qemu-system-x86_64. I think this should work (i.e., that assertion in
file_taint is wrong), but it is not as well-tested, which may be why it's
disabled.

Your second attempt, replaying a recording made under qemu-system-x86_64
using qemu-system-i386, won't work – the two machine definitions are
incompatible.

What should work is to boot the VM and create the recording under
qemu-system-i386, then replay it under qemu-system-i386 as well.

On Thu, Dec 20, 2018 at 12:04 PM Vikas Puri <vpurinet at gmail.com> wrote:

> Hi Mark,
>
> I get a different error when I attempt to run with qemu-system-i386. This
> is shown below:
>
> $PANDA_PATH/i386-softmmu/qemu-system-i386 -replay append_file_3 -os
> linux-32-ubuntu:4.4.0-131-generic -panda osi -m 4096 -panda
> osi_linux:kconf_group=ubuntu:4.4.0-131-generic:32 -panda
> file_taint:filename=test.txt
> PANDA[core]:os_familyno=2 bits=32 os_details=ubuntu:4.4.0-131-generic
> PANDA[osi_linux]:adding argument kconf_group=ubuntu:4.4.0-131-generic:32.
> PANDA[file_taint]:adding argument filename=test.txt.
> PANDA[core]:initializing osi
> Looking for kconffile in
> /home/hackuser5/panda/panda/build/i386-softmmu/panda/plugins/osi_linux/kernelinfo.conf
> OSI grabbing Linux introspection backend.
> Linux OSI, using group ubuntu:4.4.0-131-generic:32 from
> /home/hackuser5/panda/panda/build/i386-softmmu/panda/plugins/osi_linux/kernelinfo.conf.
> PANDA[core]:loading required plugin osi_linux
> PANDA[core]:initializing osi_linux
> PANDA[osi_linux]:W> kernelinfo bytes [76-79] not read
> PANDA[osi_linux]:W> kernelinfo bytes [92-95] not read
> PANDA[core]:/home/hackuser5/panda/panda/build/i386-softmmu/panda/plugins/panda_osi_linux.so
> already loaded
> PANDA[core]:initializing file_taint
> PANDA[core]:loading required plugin syscalls2
> PANDA[core]:initializing syscalls2
> PANDA[syscalls2]:using profile for linux x86 32-bit
> PANDA[core]:loading required plugin osi
> PANDA[core]:/home/hackuser5/panda/panda/build/i386-softmmu/panda/plugins/panda_osi.so
> already loaded
> PANDA[core]:loading required plugin taint2
> PANDA[core]:initializing taint2
> PANDA[taint2]:propagation via pointer dereference ENABLED
> PANDA[taint2]:taint operations inlining DISABLED
> PANDA[taint2]:llvm optimizations DISABLED
> PANDA[taint2]:taint debugging DISABLED
> PANDA[taint2]:detaint if control bits 0 DISABLED
> PANDA[taint2]:maximum taint compute number (0=unlimited) 0
> PANDA[taint2]:maximum taintset cardinality (0=unlimited) 0
> PANDA[core]:loading required plugin callstack_instr
> PANDA[core]:initializing callstack_instr
> PANDA[core]:loading required plugin osi_linux
> PANDA[core]:/home/hackuser5/panda/panda/build/i386-softmmu/panda/plugins/panda_osi_linux.so
> already loaded
> loading snapshot
> *qemu-system-i386: Missing section footer for cpu*
> Failed to load vmstate
> Failed to start replay
>
> -Vikas
>
> On Thu, Dec 20, 2018 at 8:34 AM Mankins, Mark A [US] (MS) <
> mark.mankins at ngc.com> wrote:
>
>> I believe this is the expected behavior.  Try running with
>> qemu-system-i386 instead of qemu-system-x86_64.
>>
>>
>>
>> Mark
>> ------------------------------
>> *From:* panda-users-bounces at mit.edu <panda-users-bounces at mit.edu> on
>> behalf of Vikas Puri <vpurinet at gmail.com>
>> *Sent:* Thursday, December 20, 2018 9:18 AM
>> *To:* Brendan Dolan-Gavitt
>> *Cc:* panda-users at mit.edu
>> *Subject:* EXT :Re: [panda-users] Question about file_taint
>>
>> Hi Brendan,
>>
>> Sorry for the late reply. Here is the information that you requested. I
>> appreciate your help.
>>
>> *Guest OS*:
>>
>>    - ubuntu 4.4.0-31-generic i686
>>
>> *Host OS:*
>>
>>    - Ubuntu 4.4.0-31-generic x86_64 x86_64
>>
>> *Command Executed on Host*:
>>
>>    - $PANDA_PATH/x86_64-softmmu/qemu-system-x86_64 -replay append_file_3
>>    -os linux-32-ubuntu:4.4.0-131-generic -panda osi -m 4096 -panda
>>    osi_linux:kconf_group=ubuntu:4.4.0-131-generic:32 -panda
>>    file_taint:filename=test.txt
>>
>> *Error reported on Host:*
>>
>> PANDA[core]:os_familyno=2 bits=32 os_details=ubuntu:4.4.0-131-generic
>> PANDA[osi_linux]:adding argument kconf_group=ubuntu:4.4.0-131-generic:32.
>> PANDA[file_taint]:adding argument filename=test.txt.
>> PANDA[core]:initializing osi
>> Looking for kconffile in
>> /home/hackuser5/panda/panda/build/x86_64-softmmu/panda/plugins/osi_linux/kernelinfo.conf
>> OSI grabbing Linux introspection backend.
>> Linux OSI, using group ubuntu:4.4.0-131-generic:32 from
>> /home/hackuser5/panda/panda/build/x86_64-softmmu/panda/plugins/osi_linux/kernelinfo.conf.
>> PANDA[core]:loading required plugin osi_linux
>> PANDA[core]:initializing osi_linux
>> PANDA[osi_linux]:W> kernelinfo bytes [76-79] not read
>> PANDA[osi_linux]:W> kernelinfo bytes [92-95] not read
>> PANDA[core]:/home/hackuser5/panda/panda/build/x86_64-softmmu/panda/plugins/panda_osi_linux.so
>> already loaded
>> PANDA[core]:initializing file_taint
>> PANDA[core]:loading required plugin syscalls2
>> PANDA[core]:initializing syscalls2
>> PANDA[syscalls2]:using profile for linux x86 32-bit
>> PANDA[core]:loading required plugin osi
>> PANDA[core]:/home/hackuser5/panda/panda/build/x86_64-softmmu/panda/plugins/panda_osi.so
>> already loaded
>> PANDA[core]:loading required plugin taint2
>> PANDA[core]:initializing taint2
>> PANDA[taint2]:propagation via pointer dereference ENABLED
>> PANDA[taint2]:taint operations inlining DISABLED
>> PANDA[taint2]:llvm optimizations DISABLED
>> PANDA[taint2]:taint debugging DISABLED
>> PANDA[taint2]:detaint if control bits 0 DISABLED
>> PANDA[taint2]:maximum taint compute number (0=unlimited) 0
>> PANDA[taint2]:maximum taintset cardinality (0=unlimited) 0
>> PANDA[core]:loading required plugin callstack_instr
>> PANDA[core]:initializing callstack_instr
>> *ERROR: Linux is only supported on x86 (32-bit)*
>> FAIL: Unable to load plugin
>> `/home/hackuser5/panda/panda/build/x86_64-softmmu/panda/plugins/panda_file_taint.so'
>>
>> -Vikas
>>
>> On Tue, Dec 18, 2018 at 7:11 PM Brendan Dolan-Gavitt <brendandg at nyu.edu>
>> wrote:
>>
>>> You should be able to compile *and* run syscalls2 on a 64 bit host as
>>> long as the guest virtual machine is 32-bit. In particular, we have tested
>>> Ubuntu 16.04 64-bit hosts pretty extensively with file_taint: they work
>>> fine. What's the actual error you're getting?
>>>
>>> On Tue, Dec 18, 2018 at 9:59 PM Vikas Puri <vpurinet at gmail.com> wrote:
>>>
>>>> Hi Brendan,
>>>>
>>>> Thanks for your reply. As you indicate, I can compile syscalls2 on a
>>>> 64-bit host. However, I cannot execute it and the plugins that it's a
>>>> dependency for (like file_taint) on a 64 bit host. On a 32-bit host, I have
>>>> issues with taint2 since it requires LLVM support.
>>>>
>>>> My question is simply on what host platforms can I execute file_taint
>>>> and related taint plugins?
>>>>
>>>> Thanks for your help.
>>>>
>>>> Regards,
>>>>
>>>> -Vikas
>>>>
>>>> On Tue, Dec 18, 2018 at 5:00 PM Brendan Dolan-Gavitt <brendandg at nyu.edu>
>>>> wrote:
>>>>
>>>>> For (2), syscalls2 only supports analyzing 32 bit guests, but it
>>>>> should compile on a 64-bit host operating system just fine (this is the
>>>>> configuration we use normally). Could you post the error you’re getting
>>>>> when trying to compile it?
>>>>>
>>>>> On Tue, Dec 18, 2018 at 3:58 PM Vikas Puri <vpurinet at gmail.com> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I am attempting to use the file_taint plugin. However, I am running
>>>>>> into a few problems (listed below). I am attempting to run this on an Ubuntu
>>>>>> 16.04 host and guest:
>>>>>>
>>>>>>    1. "file_taint" depends on the taint2 plugin. Taint2 requires
>>>>>>    LLVM. LLVM support requires a 64-bit host OS.
>>>>>>    2. file_taint also requires the syscalls2 plugin. Syscalls2 seems
>>>>>>    to be supported for the ARM and i386 CPU families. It does not appear to be
>>>>>>    supported on x86_64 platforms. I get an error when executing this on a
>>>>>>    x86_64 Ubuntu 16.04 host.
>>>>>>    3. Given the constraints of items 1 and 2, I cannot identify a
>>>>>>    host OS that I can use to build and execute file_taint.
>>>>>>
>>>>>> Any suggestions that you can provide would be greatly appreciated.
>>>>>>
>>>>>> Sincerely,
>>>>>>
>>>>>> -Vikas
>>>>>>
>>>>> --
>>>>> Brendan Dolan-Gavitt
>>>>> Assistant Professor, Department of Computer Science and Engineering
>>>>> NYU Tandon School of Engineering
>>>>>
>>>>
>>>
>>> --
>>> Brendan Dolan-Gavitt
>>> Assistant Professor, Department of Computer Science and Engineering
>>> NYU Tandon School of Engineering
>>>
>>

-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
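
The two failures in this thread can be told apart from the replay output alone. The script below is an added example, not part of the original message or of PANDA; the function names and verdict strings are hypothetical, and the sample logs are constructed from lines quoted in the thread.

```shell
#!/bin/sh
# Added example: verdict names and function names are hypothetical;
# the matched strings are copied from the PANDA output quoted above.

# diagnose_replay BINARY LOGFILE -> prints one verdict word
diagnose_replay() {
    bin=$(basename "$1")
    log=$2
    # Guest word size as PANDA[core] reports it, e.g. "bits=32"
    bits=$(sed -n 's/.*PANDA\[core]:os_familyno=[0-9]* bits=\([0-9]*\).*/\1/p' "$log" | head -n 1)

    if grep -q -e 'Missing section footer for cpu' -e 'Failed to load vmstate' "$log"; then
        # Snapshot was written by a different qemu-system-* machine definition
        echo "snapshot-mismatch"
    elif grep -q 'Linux is only supported on x86 (32-bit)' "$log"; then
        if [ "$bin" = "qemu-system-x86_64" ] && [ "$bits" = "32" ]; then
            # 32-bit guest replayed with the x86_64 binary: file_taint refuses to load
            echo "rerecord-under-i386"
        else
            echo "file_taint-arch-check-failed"
        fi
    else
        echo "no-known-failure"
    fi
}

# Constructed sample logs, trimmed from the output quoted in the thread
make_sample() {  # make_sample KIND -> path of a temp log file
    f=$(mktemp)
    echo 'PANDA[core]:os_familyno=2 bits=32 os_details=ubuntu:4.4.0-131-generic' > "$f"
    case $1 in
        x86_64) printf '%s\n' 'PANDA[core]:initializing callstack_instr' \
                    'ERROR: Linux is only supported on x86 (32-bit)' \
                    'FAIL: Unable to load plugin' >> "$f" ;;
        i386)   printf '%s\n' 'loading snapshot' \
                    'qemu-system-i386: Missing section footer for cpu' \
                    'Failed to load vmstate' 'Failed to start replay' >> "$f" ;;
    esac
    echo "$f"
}

for kind in x86_64 i386; do
    log=$(make_sample "$kind")
    echo "qemu-system-$kind: $(diagnose_replay "qemu-system-$kind" "$log")"
    rm -f "$log"
done
```

Both verdicts lead to the same remedy given in the reply: make the recording under qemu-system-i386 and replay it under qemu-system-i386.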