[panda-users] Tracing instructions from kernel space

Brendan Dolan-Gavitt brendandg at nyu.edu
Fri Nov 9 23:18:26 EST 2018 

Hmm, something definitely seems odd – with this test program:

https://gist.github.com/moyix/ed0d6dde9bc8164ff5e58030282d72af

and then testing with -panda stringsearch:str="averylongstring" I can
see writes in the kernel in __copy_from_user_ll_nozero – but only if I
do a memcpy to a different userspace buffer first!

Could you share the userland program you're using to test so I can compare?

-Brendan

On Fri, Nov 9, 2018 at 9:06 PM, Jayashree Mohan <jayashree2912 at gmail.com> wrote:
> Hi Brendan,
>
> We verified by enabling tracing the entire memory region rather than
> confining it to 1-2G. However, the writes still cannot be traced. The
> behaviour we see if rather interesting. When we write something less
> than a cacheline(64B) using a write system call followed by fsync, it
> gets traced by PANDA during the PANDA_CB_VIRT_MEM_AFTER_WRITE
> callback. However, when we write anything in multiples of aligned
> cachelines, we don't see any memory write traces. For example, if I
> write 258B into a file, I can see the last two bytes of data alone.
> This seems weird as PANDA is not tracing full aligned cachelines. Do
> you seem to understand why this could be happening?
>
> Thanks,
> Jayashree Mohan
>
> On Fri, Nov 9, 2018 at 11:41 AM Brendan Dolan-Gavitt <brendandg at nyu.edu> wrote:
>>
>> The only thing I can think of from looking at your code briefly is
>> your use of the physical address range to restrict it to only log
>> writes in the 1-2GB range. Could it be that the kernel does
>> copy_from_user at the start and copies it into someplace outside that
>> range, then writes it back with copy_to_user at the end?
>>
>> On Fri, Nov 9, 2018 at 11:01 AM, Jayashree Mohan
>> <jayashree2912 at gmail.com> wrote:
>> > Hi Brendan,
>> >
>> > Thanks for the reply.
>> >
>> > Take a look at the plugin here :
>> > https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_williewillus_panda-5Fscratchpad_blob_master_personal-5Fplugins_panda_plugins_writetracker_writetracker.cpp&d=DwIFaQ&c=slrrB7dE8n7gBJbeO0g-IQ&r=A4wu5Zmpus3hDmokNWeJTO0SLjrxguzCAxn30Hc-o48&m=kHkbR-cTusA4zz6euYKwT5Pzf8nrwZP1idV_9NTfZaA&s=BDZjQuADJrBGUzNIgo2EW_xVvAN7aN-caR1Rl0PqNgo&e=
>> >
>> > We load this plugin, and in the VM, write a simple program that writes to
>> > the pmem device mounted within the memory region being tracked. I see memcpy
>> > writes being traced, but not the ones due to write system call.
>> >
>> > I'll try checking if any of my writes originate in the kernel.
>> >
>> > Thanks,
>> > Jayashree Mohan
>> >
>> >
>> >
>> > Thanks,
>> > Jayashree Mohan
>> >
>> >
>> >
>> > On Fri, Nov 9, 2018 at 9:56 AM Brendan Dolan-Gavitt <brendandg at nyu.edu>
>> > wrote:
>> >>
>> >> Yes, it should definitely be tracing memory accesses in the kernel (it
>> >> traces all memory accesses on the system) – could you post your plugin
>> >> code?
>> >>
>> >> You may also want to simply log all memory accesses, along with the
>> >> current program counter and (optionally) whether or not they originate
>> >> in the kernel (using the panda_in_kernel API) to debug.
>> >>
>> >> On Fri, Nov 9, 2018 at 10:35 AM, Jayashree Mohan
>> >> <jayashree2912 at gmail.com> wrote:
>> >> > Hi all,
>> >> >
>> >> > I am using PANDA to trace all store instructions in an emulated pmem
>> >> > device. I do this by writing a plugin that issues calbacks on
>> >> > "PANDA_CB_VIRT_MEM_AFTER_WRITE" events. If I run a simple workload
>> >> > that does write() system calls followed by mmap and memcpy, I can see
>> >> > the callbacks being triggered for the user-space memcpy calls to a
>> >> > file, but not anytime during the write system call. Does PANDA allow
>> >> > tracing instructions from the kernel space?
>> >> >
>> >> > Thanks,
>> >> > Jayashree Mohan
>> >> > _______________________________________________
>> >> > panda-users mailing list
>> >> > panda-users at mit.edu
>> >> >
>> >> > https://urldefense.proofpoint.com/v2/url?u=http-3A__mailman.mit.edu_mailman_listinfo_panda-2Dusers&d=DwICAg&c=slrrB7dE8n7gBJbeO0g-IQ&r=A4wu5Zmpus3hDmokNWeJTO0SLjrxguzCAxn30Hc-o48&m=t_XD-sNNGDpfuGLf63sp5f-I-OP6dhEVNn-r9F-giQU&s=o4Ml-SG3gwaAZ7JrRz3N2W7BvJdTyZvua-jgEyicY2Q&e=
>> >>
>> >>
>> >>
>> >> --
>> >> Brendan Dolan-Gavitt
>> >> Assistant Professor, Department of Computer Science and Engineering
>> >> NYU Tandon School of Engineering
>>
>>
>>
>> --
>> Brendan Dolan-Gavitt
>> Assistant Professor, Department of Computer Science and Engineering
>> NYU Tandon School of Engineering



-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering

More information about the panda-users mailing list