[panda-users] a bunch of questions for taint2
Leek, Timothy - 0559 - MITLL
tleek at ll.mit.edu
Fri Feb 2 11:44:27 EST 2018
Sure, it’s possible. I assume you want to do this so slowdown due to taint is only incurred for a little while or something? That is, you want to label something as tainted, have labels propagate around, query something, and then disable taint, run a little longer at faster execution (non-llvm) and then repeat?
enable-> label -> query -> disable -> emulate -> enable-> label -> query -> …
You would have to clear the translation block cache as well as dumping the taint shadow memory to disable the taint stuff, right? I’d be a little concerned about orchestrating everything properly. If you are going to do this many times it might make things slower than just leaving taint on. Certainly if you use the existing routines which would free memory and reconstruct. You’d have to clear the shadow memory instead. Also might be tricks you could play with translation caches. Like keeping them around instead of flushing them.
-Tim
--
Tim Leek
Technical Staff
Cyber System Assessments
MIT Lincoln Laboratory
781-981-2975
From: <panda-users-bounces at mit.edu> on behalf of Manolis Stamatogiannakis <mstamat at gmail.com>
Date: Thursday, February 1, 2018 at 10:49 AM EST
To: "panda-users at mit.edu" <panda-users at mit.edu>
Subject: [panda-users] a bunch of questions for taint2
Would it be technically possible to temporarily disable taint propagation for the taint2 plugin? What would it take to do so?
For other plugins, unregistering the callbacks would be enough to temporarily disable the plugin. But I'm not sure if this is the case for taint2, which also uses the LLVM backend.
What would clearing all the taint shadow memory involve? Is "delete shadow; shadow = new ShadowState();" enough?
If directly disabling taint propagation is not directly possible, would it be an option to emulate this by dumping the shadow state and loading it later?
Is there a way to give access to the CPUState object to the on_branch2() callback? Currently, I only need this to determine if user or kernel code is executed. As a workaround to get this information, I use a global which is set by a PANDA_CB_BEFORE_BLOCK_EXEC callback.
Thanks in advance,
Manolis
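The enable -> label -> query -> disable -> emulate cycle Tim sketches above, together with the dump-and-load-later workaround Manolis asks about, as an added example in C that is not part of this thread and not PANDA's taint2 code: a toy byte-granular taint shadow memory whose propagation can be switched off, where disabling clears the shadow in place (rather than freeing and reconstructing it) and every toggle is counted as a translation-block cache flush. All names here (taint_model, emu_copy, taint_dump, run_toggle_cycle, ...) are invented for the illustration and do not correspond to any PANDA API.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a small model of a byte-granular taint shadow memory with an
 * enable/disable switch, written for this thread. It is NOT PANDA's taint2
 * implementation; every name below is invented here to illustrate the
 * enable -> label -> query -> disable -> emulate cycle. */

#define MEM_SIZE 64            /* modelled guest memory, in bytes */

typedef struct {
    uint32_t labels[MEM_SIZE]; /* shadow memory: label bitmask per byte (label k = bit k) */
    uint32_t saved[MEM_SIZE];  /* dumped copy of the shadow, for "dump now, load later" */
    int enabled;               /* 1: instrumented (propagating) path, 0: plain emulation */
    unsigned long tb_flushes;  /* how often the translation-block cache had to be dropped */
} taint_model;

static taint_model g_taint;

void taint_init(void) { memset(&g_taint, 0, sizeof g_taint); }

/* Code translated with taint instrumentation differs from code translated
 * without it, so every toggle invalidates the translation-block cache.
 * Counting flushes is the cheapest way to see what frequent toggling costs. */
static void flush_tb_cache(void) { g_taint.tb_flushes++; }

void taint_enable(void) {
    if (!g_taint.enabled) { g_taint.enabled = 1; flush_tb_cache(); }
}

/* Disable: clear the shadow in place (no free + reconstruct) and flush. */
void taint_disable(void) {
    if (g_taint.enabled) {
        memset(g_taint.labels, 0, sizeof g_taint.labels);
        g_taint.enabled = 0;
        flush_tb_cache();
    }
}

unsigned long taint_flush_count(void) { return g_taint.tb_flushes; }

/* Attach label `label` (0..31) to the byte at `addr`; no-op while disabled. */
void taint_label(size_t addr, unsigned label) {
    if (g_taint.enabled && addr < MEM_SIZE && label < 32)
        g_taint.labels[addr] |= 1u << label;
}

uint32_t taint_query(size_t addr) {
    return addr < MEM_SIZE ? g_taint.labels[addr] : 0;
}

/* Dump / reload the whole shadow, the workaround asked about in the thread. */
void taint_dump(void) { memcpy(g_taint.saved, g_taint.labels, sizeof g_taint.saved); }
void taint_load(void) { memcpy(g_taint.labels, g_taint.saved, sizeof g_taint.labels); }

/* Emulated "mov dst, src": data moves always, labels move only while enabled. */
void emu_copy(size_t dst, size_t src) {
    if (dst >= MEM_SIZE || src >= MEM_SIZE) return;
    if (g_taint.enabled) g_taint.labels[dst] = g_taint.labels[src];
}

/* Emulated "add dst, src": result carries the union of both operands' labels. */
void emu_add(size_t dst, size_t src) {
    if (dst >= MEM_SIZE || src >= MEM_SIZE) return;
    if (g_taint.enabled) g_taint.labels[dst] |= g_taint.labels[src];
}

/* One full cycle: enable -> label -> propagate -> query -> dump -> disable ->
 * run untracked -> enable -> load.  Returns 0 if every check holds, otherwise
 * the number of the first failed check. */
int run_toggle_cycle(void) {
    taint_init();
    taint_enable();
    taint_label(0, 3);                     /* byte 0 carries label 3 */
    emu_copy(1, 0);                        /* tracked: byte 1 inherits label 3 */
    emu_add(4, 1);                         /* tracked: byte 4 picks it up too */
    if (taint_query(1) != (1u << 3)) return 1;
    if (taint_query(4) != (1u << 3)) return 2;
    taint_dump();
    taint_disable();                       /* shadow cleared, cache flushed */
    if (taint_query(1) != 0) return 3;
    emu_copy(2, 1);                        /* untracked window: this flow is never seen */
    taint_enable();
    taint_load();                          /* restore the dumped shadow */
    if (taint_query(1) != (1u << 3)) return 4;
    if (taint_query(2) != 0) return 5;     /* the copy during the gap left no label */
    if (taint_flush_count() != 3) return 6;
    return 0;
}

int main(void) {
    int rc = run_toggle_cycle();
    printf("toggle cycle: %s (tb flushes=%lu)\n", rc ? "FAILED" : "ok", taint_flush_count());
    return rc;
}
```

Two things the model makes visible. First, every enable or disable is a cache flush (three for one cycle), which is the overhead Tim warns about when the cycle is repeated many times. Second, dumping the shadow and loading it back does not recover flows that happened while propagation was off: byte 2 received a copy of a labelled byte during the gap, and after the reload it is still unlabelled, so any query that depends on that window is silently wrong.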