[panda-users] How to hook device files in a Linux guest

Andrew Fasano fasano at mit.edu
Tue Jun 9 14:09:18 EDT 2020


Hi Ben,

You're correct that the handle_packet callback is (unfortunately) tied to the
e1000 interface and doing it in OSI could be a good alternative. The
osi_linux_fd_to_filename function should work fine on FDs that map to
things in /dev such as the tun device.

But it might be even easier if you instead use syscalls2 to hook
`sys_recvfrom` and apply taint labels there. In this Python example
<https://github.com/panda-re/panda/blob/master/panda/python/examples/file_taint/file_network_taint.py#L66>
we use syscalls2 to hook `sys_sendto` to check taint as packets are leaving
the system. You could use the same approach but just flip the logic to add
labels as packets enter the system.

Best,
Andrew

--
Andrew Fasano
MIT Lincoln Laboratory


On Thu, May 21, 2020 at 10:59 AM <ben at breakpointingbad.com> wrote:

> I have an OSI question that I hope to get some advice on. After making a
> recording, during replay, I want to taint packets coming in on network
> interfaces in an Ubuntu 18.04 server, including the tun interfaces. I
> considered registering a "handle_packet" callback. Unfortunately, this
> function is not executed when packets traverse portions of the tun
> interface code. I verified this by running the "net" and "network"
> plugins. I believe this is because the tun interface is purely software
> and so the events recorded by the e1000 emulator are not captured (since
> the tun interface doesn't use that driver). This led me to considering
> OSI as a solution. I would like to hook the kernel file object that
> describes the tun device, however, I am unsure whether the existing file
> resolution code (e.g., "osi_linux_fd_to_filename") in osi_linux will
> work for this use case. My question is, does the
> "osi_linux_fd_to_filename" function, or any of those in osi_linux,
> resolve device files like the tun device, is there a better method
> osi_linux provides to achieve this, or will I need to instrument
> additional capabilities? I'm still a panda and kernel newb, so apologies
> if my question doesn't make sense, I will try to clarify if needed. If I
> have to instrument additional functionality, that's OK, I just want to
> be sure there isn't an easier option before taking that route.
>
> Regards,
> Ben
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>
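Added example for this thread (not the file_network_taint.py script linked above, and not PANDA project code): the "flipped" version Andrew describes, hooking the return of sys_recvfrom to label incoming bytes and the entry of sys_sendto to check them. The hook bodies take an injectable taint store and address translator, so they run without PANDA; run_replay() attaches them to the assumed pypanda API (pandare.Panda, panda.ppp("syscalls2", ...), panda.virt_to_phys, panda.taint_enable, panda.taint_label_ram / taint_check_ram / taint_get_ram, panda.arch.get_return_value, panda.run_replay). Check those names, the virt_to_phys failure value and the Panda() arguments (they must match the recording) against your PANDA version before relying on them.

```python
"""Label the bytes a guest receives via sys_recvfrom and check them at sys_sendto.
The hook bodies take an injectable taint store and address translator, so they run
without PANDA; run_replay() wires them to the assumed pypanda API."""


class MemoryTaint:
    """Constructed stand-in for taint2's per-physical-byte label sets."""
    def __init__(self):
        self._labels = {}

    def label(self, paddr, label):
        self._labels.setdefault(paddr, set()).add(label)

    def labels(self, paddr):
        return frozenset(self._labels.get(paddr, ()))


def to_signed64(value):
    """A syscall's return value is read back as an unsigned register; -errno is a
    large unsigned number, so convert before comparing against 0."""
    return value - (1 << 64) if value >= (1 << 63) else value


def label_received_bytes(taint, virt_to_phys, ubuf, ret, label):
    """Hook body for the *return* of sys_recvfrom (the buffer is empty at entry).
    `ret` is the signed return value: bytes actually written to `ubuf`, or -errno.
    Only those bytes are labelled (not the caller's full buffer) and an error labels
    nothing. taint2 works on physical addresses, so each guest-virtual byte is
    translated; a byte whose page cannot be translated right now is skipped and
    counted so the caller can notice. Returns (labelled, skipped)."""
    if ret <= 0:
        return 0, 0
    labelled = skipped = 0
    for off in range(ret):
        paddr = virt_to_phys(ubuf + off)
        if paddr is None:
            skipped += 1
            continue
        taint.label(paddr, label)
        labelled += 1
    return labelled, skipped


def labels_on_outgoing(taint, virt_to_phys, buf, length):
    """Hook body for the *entry* of sys_sendto: union of labels on buf[0:length]."""
    found = set()
    for off in range(length):
        paddr = virt_to_phys(buf + off)
        if paddr is not None:
            found |= taint.labels(paddr)
    return found


def run_replay(recording, arch="x86_64"):
    """Replay `recording` (assumed taken on an x86_64 guest, where recvfrom and
    sendto are direct syscalls, not socketcall) with both hooks attached.
    Everything below is the assumed pypanda API; it is only imported here so the
    functions above stay usable without PANDA installed."""
    from pandare import Panda

    panda = Panda(generic=arch)
    state = {"taint_on": False, "packets": 0}

    class PandaTaint:  # MemoryTaint's interface, backed by taint2
        def label(self, paddr, label):
            panda.taint_label_ram(paddr, label)

        def labels(self, paddr):
            if not panda.taint_check_ram(paddr):
                return frozenset()
            return frozenset(panda.taint_get_ram(paddr))  # assumed: iterates labels

    taint = PandaTaint()

    def translator(cpu):
        def virt_to_phys(vaddr):
            paddr = panda.virt_to_phys(cpu, vaddr)
            # assumed failure sentinels; check what your pypanda version returns
            return None if paddr in (None, -1, (1 << 64) - 1) else paddr
        return virt_to_phys

    @panda.ppp("syscalls2", "on_sys_recvfrom_return")
    def on_recvfrom_return(cpu, pc, fd, ubuf, size, flags, addr, addr_len):
        if not state["taint_on"]:
            panda.taint_enable()  # taint2 is expensive: switch it on at first receive
            state["taint_on"] = True
        ret = to_signed64(panda.arch.get_return_value(cpu))
        state["packets"] += 1  # one label per recvfrom, so a send can be attributed
        got, skipped = label_received_bytes(taint, translator(cpu), ubuf, ret, state["packets"])
        print(f"recvfrom fd={fd} ret={ret}: labelled {got} bytes, skipped {skipped}")

    @panda.ppp("syscalls2", "on_sys_sendto_enter")
    def on_sendto_enter(cpu, pc, fd, buf, length, flags, addr, addr_len):
        found = labels_on_outgoing(taint, translator(cpu), buf, length)
        if found:
            print(f"sendto fd={fd} at pc={pc:#x} carries bytes from recvfrom #{sorted(found)}")

    panda.run_replay(recording)
```

Two points the sketch above leaves implicit: label on the return of recvfrom, because at entry the kernel has not copied anything into ubuf yet, and label only the ret bytes the kernel reported, not the size the caller offered. Data that reaches userspace through read(), recv() or recvmsg() on a socket, or through read() on a tun fd, is not seen by this pair of hooks; the same label_received_bytes body can be attached to those syscalls' return callbacks with their own buffer and return-value arguments.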