bap-pintraces's Issues

What's the difference between bpt.so and gentrace.so?

The earlier version of pintraces generated gentrace.so only. Now bpt.so has been added. The README.md says gentrace.so records taint information while bpt.so just records trace data.

My questions are:

  1. gentrace.so records the tainted instructions and neglects other instructions, whereas bpt.so records all the instructions executed. Is that right?
  2. If so, is there any other difference?
  3. I do not quite understand the taint propagation policy in pin_taint.cpp. Is there any documentation?
  4. Is there any relationship between the bap taint plugin and pin_taint?

undefined symbol: _ZN6google8protobuf8internal13empty_string_E

I am trying to use bap-pintraces.
After following the instructions from this git repository, I run into this problem:

export LD_LIBRARY_PATH=/home/canicula/local/lib/ ; pin -injection child -t obj-intel64/gentrace.so -o exec.frames -logall_before 1 -- /bin/ls
E: Unable to load /home/canicula/work/gentool/bap-pintraces/obj-intel64/gentrace.so: /home/canicula/work/gentool/bap-pintraces/obj-intel64/gentrace.so: undefined symbol: _ZNK6google8protobuf7Message11GetTypeNameB5cxx11Ev

The demangled symbol is "google::protobuf::Message::GetTypeName[abi:cxx11] const".
It seems that this is a compiler issue.
I'm using g++-4.9 from Ubuntu 16.04 amd64 version.
4.4.0-79-generic #100-Ubuntu SMP Wed May 17 19:58:14 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
The google protobuf is compiled using g++-4.9 as well.

Any way to solve this issue?

IA32

Hi, does it support 32-bit? When I compile the program, it only generates obj-intel64. How can I get obj-ia32? Thanks

control flow taint propagation

In gentrace.cpp:

    if (!isBranch)
        tracker->taintPropagation(ti->delta);

So bap-pintraces does not log control flow taint propagation.
Then consider the code in the strcmp function:

Dump of assembler code for function strcmp:
   0xb7ff5ea0 <+0>:	mov    ecx,DWORD PTR [esp+0x4]
   0xb7ff5ea4 <+4>:	mov    edx,DWORD PTR [esp+0x8]
   0xb7ff5ea8 <+8>:	mov    al,BYTE PTR [ecx]
   0xb7ff5eaa <+10>:	cmp    al,BYTE PTR [edx]
   0xb7ff5eac <+12>:	jne    0xb7ff5eb7 <strcmp+23>
   0xb7ff5eae <+14>:	inc    ecx
   0xb7ff5eaf <+15>:	inc    edx
   0xb7ff5eb0 <+16>:	test   al,al
   0xb7ff5eb2 <+18>:	jne    0xb7ff5ea8 <strcmp+8>
   0xb7ff5eb4 <+20>:	xor    eax,eax
   0xb7ff5eb6 <+22>:	ret    
   0xb7ff5eb7 <+23>:	mov    eax,0x1  //control
   0xb7ff5ebc <+28>:	mov    ecx,0xffffffff
   0xb7ff5ec1 <+33>:	cmovb  eax,ecx //“below” are used for unsigned integers
   0xb7ff5ec4 <+36>:	ret  

We cannot log the tainted instruction in the trace file, so we cannot get the constraint.

How to distinguish if a jump was taken?

Looking at the generated trace I realize we can see if it is a branch instruction by checking if R_RIP has the written flag. But how can we identify if the jump was taken?
Looking at the next frame is not reliable if taint analysis is used.

Currently it seems like my only option is to parse the instruction and execute it with the logged rflags. Would it be possible to store the information on if a branch was taken?

If it doesn't cause too much overhead while executing, a logical solution could be never to have a value flagged as both read and written, and instead to break this up into two values, one for read and one for write. This would also solve the ambiguity of whether the value represents the value that was read or the value that was written. If this is done, a simple solution is to check the written R_RIP.
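The "parse the instruction and execute it with the logged rflags" approach from the post above, as an added example that is not part of bap-pintraces: it assumes the caller has already extracted the mnemonic of the frame's instruction and the EFLAGS value the instruction read (the pre-execution value; with the current read/written ambiguity that assumption must be checked first), and decides whether a jcc, cmovcc or setcc condition fires. The condition codes cover the jne and cmovb seen in the strcmp listing and the other standard x86 suffixes.

```c
/* Added example, not from the bap-pintraces sources. Decide whether an x86
 * conditional branch (or cmovcc/setcc) fires, given the EFLAGS value that was
 * logged for the instruction. Assumes `eflags` is the value the instruction
 * read, i.e. the flags as they stood before it executed. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* EFLAGS bit positions (Intel SDM Vol. 1, EFLAGS register). */
#define EFL_CF (1u << 0)
#define EFL_PF (1u << 2)
#define EFL_ZF (1u << 6)
#define EFL_SF (1u << 7)
#define EFL_OF (1u << 11)

static bool flag(uint32_t eflags, uint32_t mask) { return (eflags & mask) != 0; }

/* Evaluate a condition-code suffix ("ne", "b", "ge", ...) against EFLAGS.
 * Returns 1 if the condition holds, 0 if not, -1 for an unknown suffix. */
int cc_holds(const char *cc, uint32_t eflags) {
    bool cf = flag(eflags, EFL_CF), zf = flag(eflags, EFL_ZF), sf = flag(eflags, EFL_SF),
         of = flag(eflags, EFL_OF), pf = flag(eflags, EFL_PF);
    if (!strcmp(cc, "e")  || !strcmp(cc, "z"))  return zf;
    if (!strcmp(cc, "ne") || !strcmp(cc, "nz")) return !zf;
    if (!strcmp(cc, "b")  || !strcmp(cc, "c")  || !strcmp(cc, "nae")) return cf;  /* unsigned below */
    if (!strcmp(cc, "ae") || !strcmp(cc, "nc") || !strcmp(cc, "nb"))  return !cf;
    if (!strcmp(cc, "be") || !strcmp(cc, "na"))  return cf || zf;
    if (!strcmp(cc, "a")  || !strcmp(cc, "nbe")) return !cf && !zf;
    if (!strcmp(cc, "l")  || !strcmp(cc, "nge")) return sf != of;                /* signed less */
    if (!strcmp(cc, "ge") || !strcmp(cc, "nl"))  return sf == of;
    if (!strcmp(cc, "le") || !strcmp(cc, "ng"))  return zf || (sf != of);
    if (!strcmp(cc, "g")  || !strcmp(cc, "nle")) return !zf && (sf == of);
    if (!strcmp(cc, "s"))  return sf;
    if (!strcmp(cc, "ns")) return !sf;
    if (!strcmp(cc, "p")  || !strcmp(cc, "pe")) return pf;
    if (!strcmp(cc, "np") || !strcmp(cc, "po")) return !pf;
    if (!strcmp(cc, "o"))  return of;
    if (!strcmp(cc, "no")) return !of;
    return -1;
}

/* Full mnemonic as it appears in a disassembly ("jne", "cmovb", "setb").
 * Returns 1 if the branch is taken / the move or set happens, 0 if not,
 * -1 if the mnemonic is not a conditional instruction (e.g. "jmp"). */
int branch_taken(const char *mnemonic, uint32_t eflags) {
    const char *cc = NULL;
    if (mnemonic[0] == 'j' && strcmp(mnemonic, "jmp") != 0) cc = mnemonic + 1;
    else if (!strncmp(mnemonic, "cmov", 4)) cc = mnemonic + 4;
    else if (!strncmp(mnemonic, "set", 3)) cc = mnemonic + 3;
    if (!cc) return -1;
    return cc_holds(cc, eflags);
}
```

For the strcmp listing above, `cmp al, BYTE PTR [edx]` on equal bytes sets ZF, so `jne` at +12 falls through, and when `al` is below `[edx]` CF is set, so `cmovb eax,ecx` at +33 selects -1.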

Segment Base Register Usage Issue

First, in gentrace.cpp, you add the FS & GS registers into the operand_pre_list. But you define their usage as 0, and the usage macro is defined here, which means FS & GS have no usage, no RD and no WR.

Second, in frame_events.ml, an op with no usage will be ignored.
The above means that if I use gentrace.so to generate a trace.frame and use the Frame_events.of_frame function to parse it, I will lose all segment base registers (FS & GS). And I found this because I can't find any FS or GS register in the trace dump file when I use bap's --trace-dump option.

Is the lack of usage for FS & GS designed on purpose, or is it just an issue?

Any help is highly appreciated, thanks~
