[panda-users] a bunch of questions for taint2

Manolis Stamatogiannakis mstamat at gmail.com
Mon Feb 12 17:57:35 EST 2018


Thanks for the info Tim.

Yes, speeding up execution is the motivation for this. Currently, I have a
trace which took ~30' to record. Running it with taint analysis enabled
took more than 24h before exhausting all the host virtual memory and
crashing.

For my analysis, I only care about taint propagation within specific
processes and/or execution domains (user/kernel). Temporarily disabling
taint propagation would hopefully speed up the execution and also help to
limit the taint explosion that leads to virtual memory exhaustion.

Could you give me any pointers on where to look for the qemu translation
block cache? I wanted to play with it for another project, but I could only
find high-level information about it and no specific information about
where/how it is implemented.

Thanks in advance,
Manolis


2018-02-02 17:44 GMT+01:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>:

> Sure, it’s possible.  I assume you want to do this so slowdown due to
> taint is only incurred for a little while or something?  That is, you want
> to label something as tainted, have labels propagate around, query
> something, and then disable taint, run a little longer at faster execution
> (non-llvm) and then repeat?
>
> enable-> label -> query -> disable -> emulate -> enable-> label -> query
> -> …
>
> You would have to clear the translation block cache as well as dumping the
> taint shadow memory to disable the taint stuff right.  I’d be a little
> concerned about orchestrating everything properly.  If you are going to do
> this many times it might make things slower than just leaving taint on.
> Certainly if you use the existing routines which would free memory and
> reconstruct.  You’d have to clear the shadow memory instead.  Also might be
> tricks you could play with translation caches.  Like keeping them around
> instead of flushing them.
>
> -Tim
>
> --
> Tim Leek
> Technical Staff
> Cyber System Assessments
> MIT Lincoln Laboratory
> 781-981-2975
>
> *From: *<panda-users-bounces at mit.edu> on behalf of Manolis
> Stamatogiannakis <mstamat at gmail.com>
> *Date: *Thursday, February 1, 2018 at 10:49 AM EST
> *To: *"panda-users at mit.edu" <panda-users at mit.edu>
> *Subject: *[panda-users] a bunch of questions for taint2
>
> Would it be technically possible to temporarily disable taint propagation
> for the taint2 plugin? What would it take to do so?
>
> For other plugins unregistering the callbacks would be enough to
> temporarily disable the plugin. But I'm not sure if this is the case for
> taint2, which also uses the LLVM backend.
>
> What would clearing all the taint shadow memory involve? Is "delete
> shadow; shadow = new ShadowState();" enough?
>
> If directly disabling taint propagation is not directly possible, would it
> be an option to emulate this by dumping the shadow state and loading it
> later?
>
> Is there a way to give access to the CPUState object to the on_branch2()
> callback? Currently, I only need this to determine if user or kernel code
> is executed. As a workaround to get this information, I use a global which
> is set by a PANDA_CB_BEFORE_BLOCK_EXEC callback.
>
> Thanks in advance,
>
> Manolis
>