[panda-users] EXT :Re: Question about file_taint

Vikas Puri vpurinet at gmail.com
Thu Dec 20 22:05:32 EST 2018


Hi Brendan,

The "run_debian.py" script that downloads a pre-built Debian Wheezy 32-bit
qcow2 image works with file_taint. I am not tied to Ubuntu and working with
Debian will be fine. Thank you for your help.

-Vikas

On Thu, Dec 20, 2018 at 3:06 PM Brendan Dolan-Gavitt <brendandg at nyu.edu>
wrote:

> Hmm, I'm not sure why that would be hanging off the top of my head but it
> could be a bug in the version of QEMU we based PANDA off of.
>
> Is the analysis you're trying to do something that specifically depends on
> that version of Ubuntu? If not, then you may want to try using the
> "run_debian.py" script, which handles the work of getting a working guest
> VM running and then recording the execution of a single command for you.
>
> On Thu, Dec 20, 2018 at 2:57 PM Vikas Puri <vpurinet at gmail.com> wrote:
>
>> Hi Brendan,
>>
>> Thank you for your response. When I boot the existing disk image
>> using the command below, the boot seems to hang (see attached
>> screenshot_boot.png).
>>
>>    - $PANDA_PATH/i386-softmmu/qemu-system-i386 -m 4096 -hda
>>    ubuntu32_x64.img --monitor stdio
>>
>> If I attempt to create a new 32-bit image, using the following command,
>> the installation also hangs (as shown in screenshot_install.png):
>>
>>    - $PANDA_PATH/i386-softmmu/qemu-system-i386 -m 4096 -hda ubuntu32.img
>>    -cdrom ~/Downloads/ubuntu-16.04.5-server-i386.iso -boot d
>>
>> -Vikas
>>
>> On Thu, Dec 20, 2018 at 10:35 AM Brendan Dolan-Gavitt <brendandg at nyu.edu>
>> wrote:
>>
>>> OK, I see what's going on. It looks like you are running a 32-bit guest
>>> under qemu-system-x86_64. I think this should work (i.e., that assertion in
>>> file_taint is wrong), but it is not as well-tested, which may be why it's
>>> disabled.
>>>
>>> Your second attempt, replaying a recording made under qemu-system-x86_64
>>> using qemu-system-i386, won't work – the two machine definitions are
>>> incompatible.
>>>
>>> What should work is to boot the VM and create the recording under
>>> qemu-system-i386, then replay it under qemu-system-i386 as well.
>>>
>>> On Thu, Dec 20, 2018 at 12:04 PM Vikas Puri <vpurinet at gmail.com> wrote:
>>>
>>>> Hi Mark,
>>>>
>>>> I get a different error when I attempt to run with qemu-system-i386.
>>>> This is shown below:
>>>>
>>>> $PANDA_PATH/i386-softmmu/qemu-system-i386 -replay append_file_3 -os
>>>> linux-32-ubuntu:4.4.0-131-generic -panda osi -m 4096 -panda
>>>> osi_linux:kconf_group=ubuntu:4.4.0-131-generic:32 -panda
>>>> file_taint:filename=test.txt
>>>> PANDA[core]:os_familyno=2 bits=32 os_details=ubuntu:4.4.0-131-generic
>>>> PANDA[osi_linux]:adding argument
>>>> kconf_group=ubuntu:4.4.0-131-generic:32.
>>>> PANDA[file_taint]:adding argument filename=test.txt.
>>>> PANDA[core]:initializing osi
>>>> Looking for kconffile in
>>>> /home/hackuser5/panda/panda/build/i386-softmmu/panda/plugins/osi_linux/kernelinfo.conf
>>>> OSI grabbing Linux introspection backend.
>>>> Linux OSI, using group ubuntu:4.4.0-131-generic:32 from
>>>> /home/hackuser5/panda/panda/build/i386-softmmu/panda/plugins/osi_linux/kernelinfo.conf.
>>>> PANDA[core]:loading required plugin osi_linux
>>>> PANDA[core]:initializing osi_linux
>>>> PANDA[osi_linux]:W> kernelinfo bytes [76-79] not read
>>>> PANDA[osi_linux]:W> kernelinfo bytes [92-95] not read
>>>> PANDA[core]:/home/hackuser5/panda/panda/build/i386-softmmu/panda/plugins/panda_osi_linux.so
>>>> already loaded
>>>> PANDA[core]:initializing file_taint
>>>> PANDA[core]:loading required plugin syscalls2
>>>> PANDA[core]:initializing syscalls2
>>>> PANDA[syscalls2]:using profile for linux x86 32-bit
>>>> PANDA[core]:loading required plugin osi
>>>> PANDA[core]:/home/hackuser5/panda/panda/build/i386-softmmu/panda/plugins/panda_osi.so
>>>> already loaded
>>>> PANDA[core]:loading required plugin taint2
>>>> PANDA[core]:initializing taint2
>>>> PANDA[taint2]:propagation via pointer dereference ENABLED
>>>> PANDA[taint2]:taint operations inlining DISABLED
>>>> PANDA[taint2]:llvm optimizations DISABLED
>>>> PANDA[taint2]:taint debugging DISABLED
>>>> PANDA[taint2]:detaint if control bits 0 DISABLED
>>>> PANDA[taint2]:maximum taint compute number (0=unlimited) 0
>>>> PANDA[taint2]:maximum taintset cardinality (0=unlimited) 0
>>>> PANDA[core]:loading required plugin callstack_instr
>>>> PANDA[core]:initializing callstack_instr
>>>> PANDA[core]:loading required plugin osi_linux
>>>> PANDA[core]:/home/hackuser5/panda/panda/build/i386-softmmu/panda/plugins/panda_osi_linux.so
>>>> already loaded
>>>> loading snapshot
>>>> *qemu-system-i386: Missing section footer for cpu*
>>>> Failed to load vmstate
>>>> Failed to start replay
>>>>
>>>> -Vikas
>>>>
>>>> On Thu, Dec 20, 2018 at 8:34 AM Mankins, Mark A [US] (MS) <
>>>> mark.mankins at ngc.com> wrote:
>>>>
>>>>> I believe this is the expected behavior.  Try running with
>>>>> qemu-system-i386 instead of qemu-system-x86_64.
>>>>>
>>>>>
>>>>>
>>>>> Mark
>>>>> ------------------------------
>>>>> *From:* panda-users-bounces at mit.edu <panda-users-bounces at mit.edu> on
>>>>> behalf of Vikas Puri <vpurinet at gmail.com>
>>>>> *Sent:* Thursday, December 20, 2018 9:18 AM
>>>>> *To:* Brendan Dolan-Gavitt
>>>>> *Cc:* panda-users at mit.edu
>>>>> *Subject:* EXT :Re: [panda-users] Question about file_taint
>>>>>
>>>>> Hi Brendan,
>>>>>
>>>>> Sorry for the late reply. Here is the information that you requested.
>>>>> I appreciate your help.
>>>>>
>>>>> *Guest OS*:
>>>>>
>>>>>    - ubuntu 4.4.0-31-generic i686
>>>>>
>>>>> *Host OS:*
>>>>>
>>>>>    - Ubuntu 4.4.0-31-generic x86_64 x86_64
>>>>>
>>>>> *Command Executed on Host*:
>>>>>
>>>>>    - $PANDA_PATH/x86_64-softmmu/qemu-system-x86_64 -replay
>>>>>    append_file_3 -os linux-32-ubuntu:4.4.0-131-generic -panda osi -m 4096
>>>>>    -panda osi_linux:kconf_group=ubuntu:4.4.0-131-generic:32 -panda
>>>>>    file_taint:filename=test.txt
>>>>>
>>>>> *Error reported on Host:*
>>>>>
>>>>> PANDA[core]:os_familyno=2 bits=32 os_details=ubuntu:4.4.0-131-generic
>>>>> PANDA[osi_linux]:adding argument
>>>>> kconf_group=ubuntu:4.4.0-131-generic:32.
>>>>> PANDA[file_taint]:adding argument filename=test.txt.
>>>>> PANDA[core]:initializing osi
>>>>> Looking for kconffile in
>>>>> /home/hackuser5/panda/panda/build/x86_64-softmmu/panda/plugins/osi_linux/kernelinfo.conf
>>>>> OSI grabbing Linux introspection backend.
>>>>> Linux OSI, using group ubuntu:4.4.0-131-generic:32 from
>>>>> /home/hackuser5/panda/panda/build/x86_64-softmmu/panda/plugins/osi_linux/kernelinfo.conf.
>>>>> PANDA[core]:loading required plugin osi_linux
>>>>> PANDA[core]:initializing osi_linux
>>>>> PANDA[osi_linux]:W> kernelinfo bytes [76-79] not read
>>>>> PANDA[osi_linux]:W> kernelinfo bytes [92-95] not read
>>>>> PANDA[core]:/home/hackuser5/panda/panda/build/x86_64-softmmu/panda/plugins/panda_osi_linux.so
>>>>> already loaded
>>>>> PANDA[core]:initializing file_taint
>>>>> PANDA[core]:loading required plugin syscalls2
>>>>> PANDA[core]:initializing syscalls2
>>>>> PANDA[syscalls2]:using profile for linux x86 32-bit
>>>>> PANDA[core]:loading required plugin osi
>>>>> PANDA[core]:/home/hackuser5/panda/panda/build/x86_64-softmmu/panda/plugins/panda_osi.so
>>>>> already loaded
>>>>> PANDA[core]:loading required plugin taint2
>>>>> PANDA[core]:initializing taint2
>>>>> PANDA[taint2]:propagation via pointer dereference ENABLED
>>>>> PANDA[taint2]:taint operations inlining DISABLED
>>>>> PANDA[taint2]:llvm optimizations DISABLED
>>>>> PANDA[taint2]:taint debugging DISABLED
>>>>> PANDA[taint2]:detaint if control bits 0 DISABLED
>>>>> PANDA[taint2]:maximum taint compute number (0=unlimited) 0
>>>>> PANDA[taint2]:maximum taintset cardinality (0=unlimited) 0
>>>>> PANDA[core]:loading required plugin callstack_instr
>>>>> PANDA[core]:initializing callstack_instr
>>>>> *ERROR: Linux is only supported on x86 (32-bit)*
>>>>> FAIL: Unable to load plugin
>>>>> `/home/hackuser5/panda/panda/build/x86_64-softmmu/panda/plugins/panda_file_taint.so'
>>>>>
>>>>> -Vikas
>>>>>
>>>>> On Tue, Dec 18, 2018 at 7:11 PM Brendan Dolan-Gavitt <
>>>>> brendandg at nyu.edu> wrote:
>>>>>
>>>>>> You should be able to compile *and* run syscalls2 on a 64 bit host as
>>>>>> long as the guest virtual machine is 32-bit. In particular, we have tested
>>>>>> Ubuntu 16.04 64-bit hosts pretty extensively with file_taint: they work
>>>>>> fine. What's the actual error you're getting?
>>>>>>
>>>>>> On Tue, Dec 18, 2018 at 9:59 PM Vikas Puri <vpurinet at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Brendan,
>>>>>>>
>>>>>>> Thanks for your reply. As you indicate, I can compile syscalls2 on a
>>>>>>> 64-bit host. However, I cannot execute it and the plugins that it's a
>>>>>>> dependency for (like file_taint) on a 64 bit host. On a 32-bit host, I have
>>>>>>> issues with taint2 since it requires LLVM support.
>>>>>>>
>>>>>>> My question is simply on what host platforms can I execute
>>>>>>> file_taint and related taint plugins?
>>>>>>>
>>>>>>> Thanks for your help.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> -Vikas
>>>>>>>
>>>>>>> On Tue, Dec 18, 2018 at 5:00 PM Brendan Dolan-Gavitt <
>>>>>>> brendandg at nyu.edu> wrote:
>>>>>>>
>>>>>>>> For (2), syscalls2 only supports analyzing 32 bit guests, but it
>>>>>>>> should compile on a 64-bit host operating system just fine (this is the
>>>>>>>> configuration we use normally). Could you post the error you’re getting
>>>>>>>> when trying to compile it?
>>>>>>>>
>>>>>>>> On Tue, Dec 18, 2018 at 3:58 PM Vikas Puri <vpurinet at gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I am attempting to use the file_taint plugin. However, I am
>>>>>>>>> running into a few problems (listed below). I am attempting to run this on
>>>>>>>>> an Ubuntu 16.04 host and guest:
>>>>>>>>>
>>>>>>>>>    1. "file_taint" depends on the taint2 plugin. Taint2 requires
>>>>>>>>>    LLVM. LLVM support requires a 64-bit host OS.
>>>>>>>>>    2. file_taint also requires the syscalls2 plugin. Syscalls2
>>>>>>>>>    seems to be supported for the ARM and i386 CPU families. It does not appear
>>>>>>>>>    to be supported on x86_64 platforms. I get an error when executing this on
>>>>>>>>>    an x86_64 Ubuntu 16.04 host.
>>>>>>>>>    3. Given the constraints of items 1 and 2, I cannot identify a
>>>>>>>>>    host OS that I can use to build and execute file_taint.
>>>>>>>>>
>>>>>>>>> Any suggestions that you can provide would be greatly appreciated.
>>>>>>>>>
>>>>>>>>> Sincerely,
>>>>>>>>>
>>>>>>>>> -Vikas
>>>>>>>>>
>>>>>>>> --
>>>>>>>> Brendan Dolan-Gavitt
>>>>>>>> Assistant Professor, Department of Computer Science and Engineering
>>>>>>>> NYU Tandon School of Engineering
>>>>>>>>
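Added example, not part of the thread and not PANDA code: a small triage script that reads a replay transcript like the two quoted above and flags the two mismatches Brendan describes (a 32-bit guest replayed with file_taint under qemu-system-x86_64, and a snapshot that does not load under the replaying binary). The function name `triage`, the finding codes and the abridged sample transcripts are constructed for illustration.

```python
import re

# Constructed, abridged transcripts modelled on the two failing runs in the thread.
RUN_X86_64 = """\
$PANDA_PATH/x86_64-softmmu/qemu-system-x86_64 -replay append_file_3 -panda file_taint:filename=test.txt
PANDA[core]:os_familyno=2 bits=32 os_details=ubuntu:4.4.0-131-generic
PANDA[core]:initializing file_taint
ERROR: Linux is only supported on x86 (32-bit)
"""
RUN_I386 = """\
$PANDA_PATH/i386-softmmu/qemu-system-i386 -replay append_file_3 -panda file_taint:filename=test.txt
PANDA[core]:os_familyno=2 bits=32 os_details=ubuntu:4.4.0-131-generic
loading snapshot
qemu-system-i386: Missing section footer for cpu
Failed to load vmstate
"""

# Finding codes (hypothetical names) mapped to the advice given in the thread.
ADVICE = {
    "FILE_TAINT_ARCH": "32-bit Linux guest replayed under qemu-system-x86_64 with "
                       "file_taint: boot, record and replay under qemu-system-i386.",
    "SNAPSHOT_LOAD": "Snapshot did not load: check that the recording was made with "
                     "the same qemu-system binary that is replaying it.",
}

def triage(transcript):
    """Return (qemu_arch, guest_bits, [finding codes]) for one replay transcript."""
    arch = re.search(r"qemu-system-(\w+)", transcript)
    bits = re.search(r"PANDA\[core\]:os_familyno=\d+ bits=(\d+)", transcript)
    arch = arch.group(1) if arch else None
    bits = int(bits.group(1)) if bits else None
    findings = []
    # Case 1: the plugin's own check rejects this binary/guest combination.
    uses_file_taint = "file_taint" in transcript
    if uses_file_taint and arch == "x86_64" and bits == 32:
        findings.append("FILE_TAINT_ARCH")
    # Case 2: vmstate from the recording does not fit the replaying machine.
    if re.search(r"Missing section footer for \w+|Failed to load vmstate", transcript):
        findings.append("SNAPSHOT_LOAD")
    return arch, bits, findings

if __name__ == "__main__":
    for name, text in (("x86_64 replay", RUN_X86_64), ("i386 replay", RUN_I386)):
        arch, bits, codes = triage(text)
        print(f"{name}: binary={arch} guest_bits={bits}")
        for code in codes:
            print(f"  {code}: {ADVICE[code]}")
```

A snapshot load failure can have other causes than a binary mismatch; the advice string reflects only the cause identified in this thread.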