bap-pintraces's Issues
What's the difference between bpt.so and gentrace.so?
The earlier version of pintraces generated gentrace.so only. Now bpt.so has been added. The README.md says gentrace.so records taint information, while bpt.so just records trace data.
My questions are:
- gentrace.so records the tainted instructions and neglects other instructions, whereas bpt.so records all the instructions executed. Is that right?
- If so, is there any other difference?
- I do not quite understand the taint propagation policy in pin_taint.cpp. Is there any documentation?
- Is there any relationship between the bap taint plugin and pin_taint?
undefined symbol: _ZN6google8protobuf8internal13empty_string_E
I am trying to use bap-pintraces.
After following the instructions from this repository, I ran into this problem:
export LD_LIBRARY_PATH=/home/canicula/local/lib/ ; pin -injection child -t obj-intel64/gentrace.so -o exec.frames -logall_before 1 -- /bin/ls
E: Unable to load /home/canicula/work/gentool/bap-pintraces/obj-intel64/gentrace.so: /home/canicula/work/gentool/bap-pintraces/obj-intel64/gentrace.so: undefined symbol: _ZNK6google8protobuf7Message11GetTypeNameB5cxx11Ev
The demangled symbol is "google::protobuf::Message::GetTypeName[abi:cxx11]() const".
It seems that this is a compiler issue.
I'm using g++-4.9 from Ubuntu 16.04 amd64 version.
4.4.0-79-generic #100-Ubuntu SMP Wed May 17 19:58:14 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Google protobuf is compiled with g++-4.9 as well.
Any way to solve this issue?
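The `B5cxx11` inside the undefined symbol is an Itanium ABI-tag clause: c++filt prints it as `[abi:cxx11]`, and it marks a name that was compiled against the libstdc++ dual-ABI `std::string` (`_GLIBCXX_USE_CXX11_ABI=1`, the default since GCC 5). A libprotobuf.so built with the old ABI exports the untagged name instead, which is exactly how the loader ends up reporting `undefined symbol`. The following is an added example, not code from this issue or from bap-pintraces: it decodes the small subset of name mangling needed for the two symbols quoted above and reports which undefined symbols of a shared object carry the tag. The `nm -D` output it parses is constructed from those two symbols.

```python
import re

_DECIMAL = re.compile(r'\d+')


def parse_nested_name(mangled):
    """Parse the subset of Itanium mangling seen in this issue:

        _ZN [r|V|K]* ( <len><ident> ( B<len><tag> )* )+ E [v]

    Returns (components, is_const, has_params) where each component is an
    (identifier, [abi_tags]) pair. Anything outside the subset (substitutions,
    templates, real parameter lists) raises ValueError; this is a toy, not a
    demangler.
    """
    if not mangled.startswith('_ZN'):
        raise ValueError(f'not a nested name: {mangled}')
    i, is_const, components = 3, False, []
    # CV-qualifiers of the enclosing object come right after the N.
    while i < len(mangled) and mangled[i] in 'rVK':
        is_const |= mangled[i] == 'K'
        i += 1
    while True:
        if i >= len(mangled):
            raise ValueError(f'unterminated nested name: {mangled}')
        c = mangled[i]
        if c == 'E':
            break
        if c == 'B':                      # ABI tag attached to the previous component
            if not components:
                raise ValueError(f'ABI tag before any name: {mangled}')
            m, target = _DECIMAL.match(mangled, i + 1), components[-1][1]
        else:                             # <length><identifier> source name
            m, target = _DECIMAL.match(mangled, i), None
        if not m:
            raise ValueError(f'unsupported element {c!r} at {i} in {mangled}')
        n, start = int(m.group()), m.end()
        text = mangled[start:start + n]
        if len(text) != n:
            raise ValueError(f'truncated name in {mangled}')
        if target is not None:
            target.append(text)
        else:
            components.append((text, []))
        i = start + n
    rest = mangled[i + 1:]
    if rest == 'v':                       # "()" : a function taking no arguments
        has_params = True
    elif rest == '':                      # a variable: no parameter encoding
        has_params = False
    else:
        raise ValueError(f'unsupported parameter encoding {rest!r} in {mangled}')
    return components, is_const, has_params


def demangle(mangled):
    """Render the parsed name the way c++filt does, including [abi:...] tags."""
    components, is_const, has_params = parse_nested_name(mangled)
    name = '::'.join(ident + ''.join(f'[abi:{t}]' for t in tags)
                     for ident, tags in components)
    if has_params:
        name += '()'
    if is_const:
        name += ' const'
    return name


def has_cxx11_tag(mangled):
    components, _, _ = parse_nested_name(mangled)
    return any('cxx11' in tags for _, tags in components)


# Constructed sample of `nm -D --undefined-only obj-intel64/gentrace.so`,
# built from the two symbols quoted in this issue.
NM_UNDEFINED = """\
                 U _ZNK6google8protobuf7Message11GetTypeNameB5cxx11Ev
                 U _ZN6google8protobuf8internal13empty_string_E
"""


def cxx11_dependencies(nm_output):
    """Demangled names of undefined symbols that can only be satisfied by a
    library built with the new libstdc++ ABI (_GLIBCXX_USE_CXX11_ABI=1)."""
    found = []
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[-2] != 'U':
            continue
        try:
            if has_cxx11_tag(parts[-1]):
                found.append(demangle(parts[-1]))
        except ValueError:
            continue                      # outside the subset this toy handles
    return found


if __name__ == '__main__':
    for name in cxx11_dependencies(NM_UNDEFINED):
        print('needs new-ABI library:', name)
```

Feed it the real output of `nm -D --undefined-only obj-intel64/gentrace.so`, then compare with `nm -DC libprotobuf.so | grep GetTypeName`: if the library exports the untagged `GetTypeName() const`, the two objects were built with different `_GLIBCXX_USE_CXX11_ABI` settings, and rebuilding either side with the other's value (for example `-D_GLIBCXX_USE_CXX11_ABI=0` for the tool) makes the symbols match.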
IA32
Hi, does it support 32-bit? When I compile the program, it only generates obj-intel64. How can I get obj-ia32? Thanks.
Control flow taint propagation
In gentrace.cpp:
    if (!isBranch)
        tracker->taintPropagation(ti->delta);
so bap-pintraces does not log the control-flow taint propagation.
Then the code in the strcmp function:
Dump of assembler code for function strcmp:
0xb7ff5ea0 <+0>: mov ecx,DWORD PTR [esp+0x4]
0xb7ff5ea4 <+4>: mov edx,DWORD PTR [esp+0x8]
0xb7ff5ea8 <+8>: mov al,BYTE PTR [ecx]
0xb7ff5eaa <+10>: cmp al,BYTE PTR [edx]
0xb7ff5eac <+12>: jne 0xb7ff5eb7 <strcmp+23>
0xb7ff5eae <+14>: inc ecx
0xb7ff5eaf <+15>: inc edx
0xb7ff5eb0 <+16>: test al,al
0xb7ff5eb2 <+18>: jne 0xb7ff5ea8 <strcmp+8>
0xb7ff5eb4 <+20>: xor eax,eax
0xb7ff5eb6 <+22>: ret
0xb7ff5eb7 <+23>: mov eax,0x1 // control
0xb7ff5ebc <+28>: mov ecx,0xffffffff
0xb7ff5ec1 <+33>: cmovb eax,ecx // "below" is used for unsigned integers
0xb7ff5ec4 <+36>: ret
We cannot log the tainted instruction in the trace file, so we cannot get the constraint.
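To make the effect of that `if (!isBranch)` guard concrete, here is an added example (not code from the issue or from bap-pintraces) that runs a byte-level taint tracker over one executed path through the strcmp listing above, once propagating taint through branch instructions and once skipping them. Operand names, the single `eflags` tag (real flags would be tracked per bit), the addresses of the two strings and the stack slots are all constructed assumptions; the instruction addresses are the ones in the listing.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Insn:
    addr: int
    mnem: str
    reads: tuple          # names read: registers, 'eflags', or concrete 'mem:0x...' like a trace
    writes: tuple
    is_branch: bool = False


@dataclass
class TaintState:
    tainted: set
    constraints: list = field(default_factory=list)    # branches whose condition depended on taint
    tainted_insns: list = field(default_factory=list)  # instructions that touched tainted data


def step(state, insn, skip_branches):
    """Propagate taint through one executed instruction.

    Data: if any read operand is tainted, every written operand becomes
    tainted; otherwise the written operands are cleared (overwritten by a
    fresh untainted value).
    Branches: a conditional jump reads flags and writes only the program
    counter. With skip_branches=True it is ignored entirely, mirroring the
    `if (!isBranch)` guard; otherwise a jump whose flags are tainted is
    recorded as a path constraint.
    """
    src_tainted = any(r in state.tainted for r in insn.reads)
    if insn.is_branch:
        if not skip_branches and src_tainted:
            state.constraints.append((insn.addr, insn.mnem))
            state.tainted_insns.append(insn.addr)
        return state
    if src_tainted:
        state.tainted.update(insn.writes)
        state.tainted_insns.append(insn.addr)
    else:
        state.tainted.difference_update(insn.writes)
    return state


def run(trace, initial_taint, skip_branches):
    state = TaintState(set(initial_taint))
    for insn in trace:
        step(state, insn, skip_branches)
    return state


# Constructed execution of the strcmp listing for two strings that differ in
# their first byte: s1 at 0x1000 is attacker-controlled (tainted), s2 at
# 0x2000 is not, and [esp+4] / [esp+8] hold the two pointers (untainted).
S1, S2, ESP = 0x1000, 0x2000, 0xbfff0000
STRCMP_TRACE = (
    Insn(0xb7ff5ea0, 'mov',   (f'mem:{ESP + 4:#x}',),      ('ecx',)),
    Insn(0xb7ff5ea4, 'mov',   (f'mem:{ESP + 8:#x}',),      ('edx',)),
    Insn(0xb7ff5ea8, 'mov',   (f'mem:{S1:#x}',),           ('al',)),
    Insn(0xb7ff5eaa, 'cmp',   ('al', f'mem:{S2:#x}'),      ('eflags',)),
    Insn(0xb7ff5eac, 'jne',   ('eflags',),                 ('eip',), is_branch=True),  # taken
    Insn(0xb7ff5eb7, 'mov',   (),                          ('eax',)),                  # eax = 1
    Insn(0xb7ff5ebc, 'mov',   (),                          ('ecx',)),                  # ecx = -1
    Insn(0xb7ff5ec1, 'cmovb', ('eflags', 'eax', 'ecx'),    ('eax',)),   # not a branch for Pin
)

if __name__ == '__main__':
    for skip in (False, True):
        st = run(STRCMP_TRACE, {f'mem:{S1:#x}'}, skip_branches=skip)
        print(f'skip_branches={skip}: constraints={st.constraints}, '
              f'eax tainted={"eax" in st.tainted}')
```

With the guard in place the `jne` at 0xb7ff5eac is never logged as tainted and the constraint on the comparison is lost, yet `cmovb` still carries the flags taint into `eax` because it is a data-moving instruction rather than a branch; that is the asymmetry the issue describes.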
How to distinguish if a jump was taken?
Looking at the generated trace, I realize we can see whether it is a branch instruction by checking if R_RIP has the written flag. But how can we identify whether the jump was taken?
Looking at the next frame is not reliable if taint analysis is used.
Currently it seems like my only option is to parse the instruction and execute it with the logged rflags. Would it be possible to store the information on whether a branch was taken?
If it doesn't cause too much overhead while executing, a logical solution could be never to have a value flagged as both read and written, and instead break this up into two values, one for read and one for write. This would also solve the ambiguity of whether the value represents the value that was read or the value that was written. If this is done, a simple solution is to check the written R_RIP.
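An added example (not code from the issue or from bap-pintraces) of the two approaches discussed above: deciding taken/not-taken from the program counter the frame itself records as written, and cross-checking that against the jump condition re-evaluated from the logged flags. The frame layout, the operand names `R_EIP`/`R_EFLAGS` (the strcmp listing on this page is 32-bit; `R_RIP`/`R_RFLAGS` are accepted too) and the split of the PC into separate read and written entries are assumptions; the frames are constructed for the `jne 0xb7ff5eb7` at 0xb7ff5eac in that listing.

```python
from dataclasses import dataclass


@dataclass
class Operand:
    name: str
    value: int
    read: bool = False
    written: bool = False


@dataclass
class Frame:
    addr: int            # address of the executed instruction
    size: int            # its encoded length, so addr + size is the fall-through target
    mnemonic: str
    operands: list


# x86 status-flag bit positions in (R|E)FLAGS.
CF, PF, ZF, SF, OF = 1 << 0, 1 << 2, 1 << 6, 1 << 7, 1 << 11
PC_NAMES = ('R_RIP', 'R_EIP')
FLAGS_NAMES = ('R_RFLAGS', 'R_EFLAGS')


def written_pc(frame):
    """The program-counter value this frame records as written, or None.

    Only control transfers carry the PC as a written operand, so None means
    'not a branch frame'. The written flag alone is checked, so an operand
    marked both read and written still qualifies.
    """
    for op in frame.operands:
        if op.name in PC_NAMES and op.written:
            return op.value
    return None


def branch_taken(frame):
    """Taken iff the written PC is not the fall-through address.

    Uses nothing but the frame itself, so it stays correct when the following
    frames have been dropped by taint filtering.
    """
    pc = written_pc(frame)
    if pc is None:
        raise ValueError(f'frame at {frame.addr:#x} does not write the PC')
    return pc != frame.addr + frame.size


def jcc_condition(mnemonic, flags):
    """Evaluate a Jcc condition from a flags value (Intel SDM condition table)."""
    cf, pf, zf, sf, of = (bool(flags & bit) for bit in (CF, PF, ZF, SF, OF))
    table = {
        'jo': of, 'jno': not of,
        'jb': cf, 'jc': cf, 'jnae': cf, 'jae': not cf, 'jnb': not cf, 'jnc': not cf,
        'je': zf, 'jz': zf, 'jne': not zf, 'jnz': not zf,
        'jbe': cf or zf, 'jna': cf or zf, 'ja': not (cf or zf), 'jnbe': not (cf or zf),
        'js': sf, 'jns': not sf,
        'jp': pf, 'jpe': pf, 'jnp': not pf, 'jpo': not pf,
        'jl': sf != of, 'jnge': sf != of, 'jge': sf == of, 'jnl': sf == of,
        'jle': zf or sf != of, 'jng': zf or sf != of,
        'jg': not zf and sf == of, 'jnle': not zf and sf == of,
    }
    return table[mnemonic.lower()]


def cross_check(frame):
    """(taken_by_pc, taken_by_flags): the two must agree for a consistent frame."""
    flags = next((op.value for op in frame.operands
                  if op.name in FLAGS_NAMES and op.read), None)
    if flags is None:
        raise ValueError(f'frame at {frame.addr:#x} does not read the flags')
    return branch_taken(frame), jcc_condition(frame.mnemonic, flags)


# Constructed frames for `jne 0xb7ff5eb7` at 0xb7ff5eac (a 2-byte encoding:
# the next instruction in the listing is at 0xb7ff5eae).
def jne_frame(zf_set, target_written):
    flags = 0x202 | (ZF if zf_set else 0)      # IF plus reserved bit 1, like real EFLAGS
    return Frame(0xb7ff5eac, 2, 'jne', [
        Operand('R_EFLAGS', flags, read=True),
        Operand('R_EIP', 0xb7ff5eac, read=True),
        Operand('R_EIP', target_written, written=True),
    ])


TAKEN = jne_frame(zf_set=False, target_written=0xb7ff5eb7)
FALL_THROUGH = jne_frame(zf_set=True, target_written=0xb7ff5eae)

if __name__ == '__main__':
    for label, frame in (('taken', TAKEN), ('fall-through', FALL_THROUGH)):
        print(label, cross_check(frame))
```

The PC-based check needs only the instruction length, which the frame already implies, whereas re-evaluating the condition needs a decoder for every branch form; keeping both around is still useful, because a disagreement between them is the quickest way to spot a frame whose read/written flags were recorded ambiguously.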
Segment Base Register Usage Issue
First, in gentrace.cpp, you add the FS and GS registers to operand_pre_list, but you define their usage as 0. The usage macro is defined here, which means FS and GS have no usage: no RD and no WR.
Second, in frame_events.ml, operands with no usage are ignored.
The above means that if I use gentrace.so to generate a trace.frame and use the Frame_events.of_frame function to parse it, I lose all segment base registers (FS and GS). I found this because I cannot find any FS or GS register in the trace dump when I use bap's --trace-dump option.
Is the lack of usage for FS and GS designed on purpose, or is it an issue?
Any help is highly appreciated. Thanks!