[panda-users] EXT :Re: Question about file_taint

Brendan Dolan-Gavitt brendandg at nyu.edu
Thu Dec 20 15:05:54 EST 2018


Hmm, I'm not sure why that would be hanging off the top of my head but it
could be a bug in the version of QEMU we based PANDA off of.

Is the analysis you're trying to do something that specifically depends on
that version of Ubuntu? If not, then you may want to try using the
"run_debian.py" script, which handles the work of getting a working guest
VM running and then recording the execution of a single command for you.

On Thu, Dec 20, 2018 at 2:57 PM Vikas Puri <vpurinet at gmail.com> wrote:

> Hi Brendan,
>
> Thank you for your response. When I boot the existing disk image using
> the command below, the boot seems to hang (see attached
> screenshot_boot.png).
>
>    - $PANDA_PATH/i386-softmmu/qemu-system-i386 -m 4096 -hda
>    ubuntu32_x64.img --monitor stdio
>
> If I attempt to create a new 32-bit image, using the following command,
> the installation also hangs (as shown in screenshot_install.png):
>
>    - $PANDA_PATH/i386-softmmu/qemu-system-i386 -m 4096 -hda ubuntu32.img
>    -cdrom ~/Downloads/ubuntu-16.04.5-server-i386.iso -boot d
>
> -Vikas
>
> On Thu, Dec 20, 2018 at 10:35 AM Brendan Dolan-Gavitt <brendandg at nyu.edu>
> wrote:
>
>> OK, I see what's going on. It looks like you are running a 32-bit guest
>> under qemu-system-x86_64. I think this should work (i.e., that assertion in
>> file_taint is wrong), but it is not as well-tested, which may be why it's
>> disabled.
>>
>> Your second attempt, replaying a recording made under qemu-system-x86_64
>> using qemu-system-i386, won't work – the two machine definitions are
>> incompatible.
>>
>> What should work is to boot the VM and create the recording under
>> qemu-system-i386, then replay it under qemu-system-i386 as well.
>>
>> On Thu, Dec 20, 2018 at 12:04 PM Vikas Puri <vpurinet at gmail.com> wrote:
>>
>>> Hi Mark,
>>>
>>> I get a different error when I attempt to run with qemu-system-i386.
>>> This is shown below:
>>>
>>> $PANDA_PATH/i386-softmmu/qemu-system-i386 -replay append_file_3 -os
>>> linux-32-ubuntu:4.4.0-131-generic -panda osi -m 4096 -panda
>>> osi_linux:kconf_group=ubuntu:4.4.0-131-generic:32 -panda
>>> file_taint:filename=test.txt
>>> PANDA[core]:os_familyno=2 bits=32 os_details=ubuntu:4.4.0-131-generic
>>> PANDA[osi_linux]:adding argument kconf_group=ubuntu:4.4.0-131-generic:32.
>>> PANDA[file_taint]:adding argument filename=test.txt.
>>> PANDA[core]:initializing osi
>>> Looking for kconffile in
>>> /home/hackuser5/panda/panda/build/i386-softmmu/panda/plugins/osi_linux/kernelinfo.conf
>>> OSI grabbing Linux introspection backend.
>>> Linux OSI, using group ubuntu:4.4.0-131-generic:32 from
>>> /home/hackuser5/panda/panda/build/i386-softmmu/panda/plugins/osi_linux/kernelinfo.conf.
>>> PANDA[core]:loading required plugin osi_linux
>>> PANDA[core]:initializing osi_linux
>>> PANDA[osi_linux]:W> kernelinfo bytes [76-79] not read
>>> PANDA[osi_linux]:W> kernelinfo bytes [92-95] not read
>>> PANDA[core]:/home/hackuser5/panda/panda/build/i386-softmmu/panda/plugins/panda_osi_linux.so
>>> already loaded
>>> PANDA[core]:initializing file_taint
>>> PANDA[core]:loading required plugin syscalls2
>>> PANDA[core]:initializing syscalls2
>>> PANDA[syscalls2]:using profile for linux x86 32-bit
>>> PANDA[core]:loading required plugin osi
>>> PANDA[core]:/home/hackuser5/panda/panda/build/i386-softmmu/panda/plugins/panda_osi.so
>>> already loaded
>>> PANDA[core]:loading required plugin taint2
>>> PANDA[core]:initializing taint2
>>> PANDA[taint2]:propagation via pointer dereference ENABLED
>>> PANDA[taint2]:taint operations inlining DISABLED
>>> PANDA[taint2]:llvm optimizations DISABLED
>>> PANDA[taint2]:taint debugging DISABLED
>>> PANDA[taint2]:detaint if control bits 0 DISABLED
>>> PANDA[taint2]:maximum taint compute number (0=unlimited) 0
>>> PANDA[taint2]:maximum taintset cardinality (0=unlimited) 0
>>> PANDA[core]:loading required plugin callstack_instr
>>> PANDA[core]:initializing callstack_instr
>>> PANDA[core]:loading required plugin osi_linux
>>> PANDA[core]:/home/hackuser5/panda/panda/build/i386-softmmu/panda/plugins/panda_osi_linux.so
>>> already loaded
>>> loading snapshot
>>> *qemu-system-i386: Missing section footer for cpu*
>>> Failed to load vmstate
>>> Failed to start replay
>>>
>>> -Vikas
>>>
>>> On Thu, Dec 20, 2018 at 8:34 AM Mankins, Mark A [US] (MS) <
>>> mark.mankins at ngc.com> wrote:
>>>
>>>> I believe this is the expected behavior.  Try running with
>>>> qemu-system-i386 instead of qemu-system-x86_64.
>>>>
>>>>
>>>>
>>>> Mark
>>>> ------------------------------
>>>> *From:* panda-users-bounces at mit.edu <panda-users-bounces at mit.edu> on
>>>> behalf of Vikas Puri <vpurinet at gmail.com>
>>>> *Sent:* Thursday, December 20, 2018 9:18 AM
>>>> *To:* Brendan Dolan-Gavitt
>>>> *Cc:* panda-users at mit.edu
>>>> *Subject:* EXT :Re: [panda-users] Question about file_taint
>>>>
>>>> Hi Brendan,
>>>>
>>>> Sorry for the late reply. Here is the information that you requested. I
>>>> appreciate your help.
>>>>
>>>> *Guest OS*:
>>>>
>>>>    - ubuntu 4.4.0-31-generic i686
>>>>
>>>> *Host OS:*
>>>>
>>>>    - Ubuntu 4.4.0-31-generic x86_64 x86_64
>>>>
>>>> *Command Executed on Host*:
>>>>
>>>>    - $PANDA_PATH/x86_64-softmmu/qemu-system-x86_64 -replay
>>>>    append_file_3 -os linux-32-ubuntu:4.4.0-131-generic -panda osi -m 4096
>>>>    -panda osi_linux:kconf_group=ubuntu:4.4.0-131-generic:32 -panda
>>>>    file_taint:filename=test.txt
>>>>
>>>> *Error reported on Host:*
>>>>
>>>> PANDA[core]:os_familyno=2 bits=32 os_details=ubuntu:4.4.0-131-generic
>>>> PANDA[osi_linux]:adding argument
>>>> kconf_group=ubuntu:4.4.0-131-generic:32.
>>>> PANDA[file_taint]:adding argument filename=test.txt.
>>>> PANDA[core]:initializing osi
>>>> Looking for kconffile in
>>>> /home/hackuser5/panda/panda/build/x86_64-softmmu/panda/plugins/osi_linux/kernelinfo.conf
>>>> OSI grabbing Linux introspection backend.
>>>> Linux OSI, using group ubuntu:4.4.0-131-generic:32 from
>>>> /home/hackuser5/panda/panda/build/x86_64-softmmu/panda/plugins/osi_linux/kernelinfo.conf.
>>>> PANDA[core]:loading required plugin osi_linux
>>>> PANDA[core]:initializing osi_linux
>>>> PANDA[osi_linux]:W> kernelinfo bytes [76-79] not read
>>>> PANDA[osi_linux]:W> kernelinfo bytes [92-95] not read
>>>> PANDA[core]:/home/hackuser5/panda/panda/build/x86_64-softmmu/panda/plugins/panda_osi_linux.so
>>>> already loaded
>>>> PANDA[core]:initializing file_taint
>>>> PANDA[core]:loading required plugin syscalls2
>>>> PANDA[core]:initializing syscalls2
>>>> PANDA[syscalls2]:using profile for linux x86 32-bit
>>>> PANDA[core]:loading required plugin osi
>>>> PANDA[core]:/home/hackuser5/panda/panda/build/x86_64-softmmu/panda/plugins/panda_osi.so
>>>> already loaded
>>>> PANDA[core]:loading required plugin taint2
>>>> PANDA[core]:initializing taint2
>>>> PANDA[taint2]:propagation via pointer dereference ENABLED
>>>> PANDA[taint2]:taint operations inlining DISABLED
>>>> PANDA[taint2]:llvm optimizations DISABLED
>>>> PANDA[taint2]:taint debugging DISABLED
>>>> PANDA[taint2]:detaint if control bits 0 DISABLED
>>>> PANDA[taint2]:maximum taint compute number (0=unlimited) 0
>>>> PANDA[taint2]:maximum taintset cardinality (0=unlimited) 0
>>>> PANDA[core]:loading required plugin callstack_instr
>>>> PANDA[core]:initializing callstack_instr
>>>> *ERROR: Linux is only supported on x86 (32-bit)*
>>>> FAIL: Unable to load plugin
>>>> `/home/hackuser5/panda/panda/build/x86_64-softmmu/panda/plugins/panda_file_taint.so'
>>>>
>>>> -Vikas
>>>>
>>>> On Tue, Dec 18, 2018 at 7:11 PM Brendan Dolan-Gavitt <brendandg at nyu.edu>
>>>> wrote:
>>>>
>>>>> You should be able to compile *and* run syscalls2 on a 64 bit host as
>>>>> long as the guest virtual machine is 32-bit. In particular, we have tested
>>>>> Ubuntu 16.04 64-bit hosts pretty extensively with file_taint: they work
>>>>> fine. What's the actual error you're getting?
>>>>>
>>>>> On Tue, Dec 18, 2018 at 9:59 PM Vikas Puri <vpurinet at gmail.com> wrote:
>>>>>
>>>>>> Hi Brendan,
>>>>>>
>>>>>> Thanks for your reply. As you indicate, I can compile syscalls2 on a
>>>>>> 64-bit host. However, I cannot execute it and the plugins that it's a
>>>>>> dependency for (like file_taint) on a 64 bit host. On a 32-bit host, I have
>>>>>> issues with taint2 since it requires LLVM support.
>>>>>>
>>>>>> My question is simply on what host platforms can I execute file_taint
>>>>>> and related taint plugins?
>>>>>>
>>>>>> Thanks for your help.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> -Vikas
>>>>>>
>>>>>> On Tue, Dec 18, 2018 at 5:00 PM Brendan Dolan-Gavitt <
>>>>>> brendandg at nyu.edu> wrote:
>>>>>>
>>>>>>> For (2), syscalls2 only supports analyzing 32 bit guests, but it
>>>>>>> should compile on a 64-bit host operating system just fine (this is the
>>>>>>> configuration we use normally). Could you post the error you’re getting
>>>>>>> when trying to compile it?
>>>>>>>
>>>>>>> On Tue, Dec 18, 2018 at 3:58 PM Vikas Puri <vpurinet at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I am attempting to use the file_taint plugin. However, I am running
>>>>>>>> into a few problems (listed below). I am attempting to run this on a ubuntu
>>>>>>>> 16.04 host and guest:
>>>>>>>>
>>>>>>>>    1. "file_taint" depends on the taint2 plugin. Taint2 requires
>>>>>>>>    LLVM. LLVM support requires a 64-bit host OS.
>>>>>>>>    2. file_taint also requires the syscalls2 plugin. Syscalls2
>>>>>>>>    seems to be supported for the ARM and i386 CPU families. It does not appear
>>>>>>>>    to be supported on x86_64 platforms. I get an error when executing this on
>>>>>>>>    a x86_64 Ubuntu 16.04 host.
>>>>>>>>    3. Given the constraints of items 1 and 2, I cannot identify a
>>>>>>>>    host OS that I can use to build and execute file_taint.
>>>>>>>>
>>>>>>>> Any suggestions that you can provide would be greatly appreciated.
>>>>>>>>
>>>>>>>> Sincerely,
>>>>>>>>
>>>>>>>> -Vikas
>>>>>>> --
>>>>>>> Brendan Dolan-Gavitt
>>>>>>> Assistant Professor, Department of Computer Science and Engineering
>>>>>>> NYU Tandon School of Engineering
>

-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
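
As an added illustration, not part of the thread and not PANDA's own code: a small Python triage helper that reads replay output like the two failing runs quoted above and flags the two conditions discussed (a 32-bit guest replayed under the x86_64 target, and a snapshot that fails to load under a different binary than the one that recorded it). The sample logs are constructed from lines quoted in the thread; the function name and finding strings are hypothetical.

```python
import re

# Constructed samples: lines copied from the two failing runs quoted in the thread.
LOG_X86_64 = """\
PANDA[core]:os_familyno=2 bits=32 os_details=ubuntu:4.4.0-131-generic
Looking for kconffile in
/home/hackuser5/panda/panda/build/x86_64-softmmu/panda/plugins/osi_linux/kernelinfo.conf
PANDA[core]:initializing file_taint
*ERROR: Linux is only supported on x86 (32-bit)*
FAIL: Unable to load plugin
"""
LOG_I386 = """\
PANDA[core]:os_familyno=2 bits=32 os_details=ubuntu:4.4.0-131-generic
Looking for kconffile in
/home/hackuser5/panda/panda/build/i386-softmmu/panda/plugins/osi_linux/kernelinfo.conf
loading snapshot
*qemu-system-i386: Missing section footer for cpu*
Failed to load vmstate
Failed to start replay
"""

TARGET_RE = re.compile(r"/build/(\w+)-softmmu/")   # build dir names the QEMU target
BITS_RE = re.compile(r"^PANDA\[core\]:os_familyno=\d+ bits=(\d+)")
TARGET_BITS = {"i386": 32, "x86_64": 64}

def diagnose(log):
    """Return the QEMU target, the guest width from -os, and a list of findings."""
    target, guest_bits, findings = None, None, []
    for raw in log.splitlines():
        line = raw.strip().strip("*")            # the archive wraps errors in *...*
        if target is None and (m := TARGET_RE.search(line)):
            target = m.group(1)
        if m := BITS_RE.search(line):
            guest_bits = int(m.group(1))
        if "Linux is only supported on x86 (32-bit)" in line:
            findings.append("file_taint refused this target")
        if "Failed to load vmstate" in line:
            findings.append("snapshot not loadable: replay with the binary that recorded it")
    # A guest width that differs from the target's native width is the first thing to fix.
    if guest_bits and TARGET_BITS.get(target, guest_bits) != guest_bits:
        findings.insert(0, f"{guest_bits}-bit guest replayed under {target} target")
    return target, guest_bits, findings

if __name__ == "__main__":
    for name, log in (("x86_64 run", LOG_X86_64), ("i386 run", LOG_I386)):
        print(name, diagnose(log))
```

The vmstate finding reflects only the cause given in the thread; other reasons a snapshot might fail to load are not distinguished.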