Tracecap is not logging taint instructions, trace reader not working
T0m-Ph opened this issue · comments
Hi!
I'm currently trying to log tainted instructions using the tracecap plugin. I followed this document to proceed: https://github.com/decaf-project/DECAF/blob/master/decaf/plugins/tracecap/USAGE
Here is the command I use to launch the VM:
./DECAF/decaf/i386-softmmu/qemu-system-i386 -monitor stdio -m 4096 -netdev user,id=mynet,hostfwd=tcp::10080-:80 -device rtl8139,netdev=mynet /opt/images/windows.img
Whether I use the "taint_nic" command (with a program that reads data from the network, here an Apache server) or the "taint_sendkey" command (with a program that reads data typed by the user on the command line), there are 0 tainted instructions written to the trace file.
Also, before performing any taint operation, I make sure to enable tainting using the command "enable_tainting".
Finally, I noticed that one command specified in the USAGE doc, enable_emulation, is not present in the list of commands associated with this plugin: https://github.com/decaf-project/DECAF/blob/master/decaf/plugins/tracecap/plugin_cmds.h.
How can I proceed to get the tainted instructions reported in the trace file?
Also, when trying to compile the trace_reader, I encounter two problems while following the instructions provided here https://github.com/decaf-project/DECAF/blob/master/decaf/plugins/tracecap/trace_reader/INSTALL:
- First, there is no configure file
- Second, when compiling with the provided makefile I encounter the following errors:
libdasm.o: In function 'get_operand':
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:320: undefined reference to 'MODE_CHECK_ADDR'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:464: undefined reference to 'FETCH8'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:470: undefined reference to 'FETCH16'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:473: undefined reference to 'FETCH32'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:504: undefined reference to 'MODE_CHECK_OPERAND'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:509: undefined reference to 'FETCH8'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:518: undefined reference to 'FETCH32'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:519: undefined reference to 'FETCH16'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:523: undefined reference to 'FETCH16'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:533: undefined reference to 'MODE_CHECK_OPERAND'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:537: undefined reference to 'FETCH32'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:537: undefined reference to 'FETCH16'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:538: undefined reference to 'FETCH16'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:550: undefined reference to 'FETCH8'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:555: undefined reference to 'FETCH32'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:555: undefined reference to 'FETCH16'
libdasm.o: In function 'get_operand_string':
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:602: undefined reference to 'MODE_CHECK_OPERAND'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:676: undefined reference to 'MODE_CHECK_ADDR'
libdasm.o: In function 'get_mnemonic_string':
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:1068: undefined reference to 'MODE_CHECK_OPERAND'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:1088: undefined reference to 'MODE_CHECK_OPERAND'
collect2: error: ld returned 1 exit status
Makefile:16: recipe for target 'trace_reader_cpp' failed
make: *** [trace_reader_cpp] Error 1
Hi,
Regarding your first question, I tested the tracecap plugin and it works on my machine. Here are the steps and results:
- launch VM:
./i386-softmmu/qemu-system-i386 -m 1024 ~/images/lubuntu14.qcow -monitor stdio
- in the monitor, load the plugin and start tracing (replace PROCNAME with the one to be tested):
load_plugin ./plugin/tracecap/tracecap.so
enable_tainting
tracebyname PROCNAME "tmp.trace"
- start the test binary, then:
taint_sendkey 1
Here are some statistics after the test:
- Number of instructions decoded: 104703
- Number of operands decoded: 239432
- Number of instructions written to trace: 104680
- Number of tainted instructions written to trace: 80
Please try the instructions above; if it's still not working, please provide the instructions you use during the process.
Zhenxiao
Hi Zhenxiao,
I tried the same commands as you did and wasn't successful. Here is what I did:
- launch VM
./DECAF/decaf/i386-softmmu/qemu-system-i386 -monitor stdio -m 1024 /opt/images/windows.img
load_plugin DECAF/decaf/plugins/tracecap/tracecap.so
enable_tainting
tracebyname a.exe "tmp.trace"
- start a.exe on the VM
taint_sendkey 1
After the test, I have the following:
Number of instructions decoded: 485444
Number of operands decoded: 1127172
Number of instructions written to trace: 485349
Number of tainted instructions written to trace: 0
Processing time: 7.41773 U: 6.85705 S: 0.560679
As you can see, no tainted instruction is written to the trace.
Hi,
Just to make sure, does your a.exe take user input and further propagate it? I use taint_sendkey 1 because my test binary takes a number from input and does some calculation on it.
I will test it on windows image.
Zhenxiao
Hi,
Yes, the program does some operations on the user input. It is designed to be a buffer overflow. Here is the source code used:
#include <stdio.h>
#include <string.h>

/* Deliberately overflows the 4-byte stack buffer: this is the test case. */
void func1(char *input) {
    char buffer[4];
    strcpy(buffer, input);
}

int main(void) {
    char buffer[16];
    /* Tainted input enters here (keystrokes via taint_sendkey). */
    scanf("%s", buffer);
    func1(buffer);
    return 0;
}
Thank you!
Good afternoon @enlighten5 . Do you have any update on this issue?
Thanks!
Hi,
I think it's because pointer tainting is not enabled. I set it to be on by default, so I did not reproduce your result.
To enable pointer tainting, run taint_pointers on on in the qemu console.
I tried your test program and here are some numbers before and after pointer tainting is enabled.
- taint_pointer enabled:
Stop tracing process 228
Number of instructions decoded: 288525
Number of operands decoded: 682218
Number of instructions written to trace: 288440
Number of tainted instructions written to trace: 68
- taint_pointer disabled:
Number of instructions decoded: 288525
Number of operands decoded: 682218
Number of instructions written to trace: 288440
Number of tainted instructions written to trace: 0
Please try taint_pointers on on to enable pointer tainting and let me know if there is any further problem.
Zhenxiao
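As an added example (not part of this thread or of DECAF itself): a small parser for the summary lines tracecap prints when tracing stops, run over the two runs quoted above, with a check that flags a run where no tainted instructions reached the trace. The second "Stop tracing process" line and its pid are constructed to separate the two blocks.

```python
import re

# Constructed sample built from the two summaries quoted in this thread
# (with and without "taint_pointers on on"); pid 231 is made up.
SAMPLE = """\
Stop tracing process 228
Number of instructions decoded: 288525
Number of operands decoded: 682218
Number of instructions written to trace: 288440
Number of tainted instructions written to trace: 68
Stop tracing process 231
Number of instructions decoded: 288525
Number of operands decoded: 682218
Number of instructions written to trace: 288440
Number of tainted instructions written to trace: 0
Processing time: 7.41773 U: 6.85705 S: 0.560679
"""

STOP_RE = re.compile(r"^Stop tracing process (\d+)$")
STAT_RE = re.compile(r"^Number of (.+?): (\d+)$")


def parse_tracecap_summaries(text):
    """Split monitor output into one dict of counters per traced process."""
    runs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = STOP_RE.match(line)
        if m:
            cur = {"pid": int(m.group(1))}
            runs.append(cur)
            continue
        m = STAT_RE.match(line)
        if m and cur is not None:
            cur[m.group(1).replace(" ", "_")] = int(m.group(2))
    return runs


def diagnose(run):
    """Short verdict on whether taint actually propagated into the trace."""
    written = run.get("instructions_written_to_trace", 0)
    tainted = run.get("tainted_instructions_written_to_trace", 0)
    if written == 0:
        return "no instructions traced: check that tracebyname matched the process name"
    if tainted == 0:
        # The symptom from this thread: source tainted, nothing reaches the trace.
        return "no tainted instructions: input not reached, or pointer tainting off (taint_pointers on on)"
    return "taint propagated: %d of %d instructions (%.3f%%)" % (tainted, written, 100.0 * tainted / written)
```

Pair it with tainted_bytes in the monitor: taint present there but a zero count here is the pointer-tainting case described in this answer.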
Hi @enlighten5 ,
I did enable the pointer tainting, but still couldn't get any tainted instruction written to the trace even though there is a buffer overflow and the program crashes. However, thanks to the tainted_bytes command I noticed that I have some bytes that are tainted.
Regards,
Hi!
First of all, sorry for this (very) late reply.
Thanks for your help @hengyin! However, for the sake of simplicity, as well as compatibility with other tasks I pursue, I will switch to an Ubuntu VM.
Thanks again!