bool init_plugin(void *self) { printf("Initializing taint plugin\n"); plugin_ptr = self; panda_cb pcb; panda_enable_memcb(); panda_disable_tb_chaining(); pcb.guest_hypercall = guest_hypercall_callback; panda_register_callback(self, PANDA_CB_GUEST_HYPERCALL, pcb); pcb.before_block_exec_invalidate_opt = before_block_exec_invalidate_opt; panda_register_callback(self, PANDA_CB_BEFORE_BLOCK_EXEC_INVALIDATE_OPT, pcb); /* pcb.replay_handle_packet = handle_packet; panda_register_callback(plugin_ptr, PANDA_CB_REPLAY_HANDLE_PACKET, pcb); */ panda_arg_list *args = panda_get_args("taint2"); tainted_pointer = !panda_parse_bool(args, "no_tp"); inline_taint = panda_parse_bool(args, "inline"); if (inline_taint) { printf("taint2: Inlining taint ops by default.\n"); } else { printf("taint2: Instructed not to inline taint ops.\n"); } if (panda_parse_bool(args, "binary")) mode = TAINT_BINARY_LABEL; if (panda_parse_bool(args, "word")) granularity = TAINT_GRANULARITY_WORD; optimize_llvm = panda_parse_bool(args, "opt"); panda_require("callstack_instr"); assert(init_callstack_instr_api()); return true; }
bool init_plugin(void *self) { printf("Initializing taint plugin\n"); plugin_ptr = self; panda_cb pcb; panda_enable_memcb(); panda_disable_tb_chaining(); pcb.guest_hypercall = guest_hypercall_callback; panda_register_callback(self, PANDA_CB_GUEST_HYPERCALL, pcb); #ifndef CONFIG_SOFTMMU pcb.user_after_syscall = user_after_syscall; panda_register_callback(self, PANDA_CB_USER_AFTER_SYSCALL, pcb); #endif return true; }
bool init_plugin(void *self) { printf("Initializing taint plugin\n"); plugin_ptr = self; panda_cb pcb; panda_enable_memcb(); panda_disable_tb_chaining(); pcb.guest_hypercall = guest_hypercall_callback; panda_register_callback(self, PANDA_CB_GUEST_HYPERCALL, pcb); pcb.replay_handle_packet = handle_packet; panda_register_callback(plugin_ptr, PANDA_CB_REPLAY_HANDLE_PACKET, pcb); #ifndef CONFIG_SOFTMMU pcb.user_after_syscall = user_after_syscall; panda_register_callback(self, PANDA_CB_USER_AFTER_SYSCALL, pcb); #endif tob_io_thread = tob_new(tob_io_thread_max_size); panda_arg_list *args = panda_get_args("taint"); int i; if (NULL != args) { for (i = 0; i < args->nargs; i++) { if (0 == strncmp(args->list[i].key, "max_taintset_card", 17)) { max_taintset_card = atoi(args->list[i].value); printf ("max_taintset_card = %d\n", max_taintset_card); } if (0 == strncmp(args->list[i].key, "max_taintset_compute_number", 24)) { max_taintset_compute_number = atoi(args->list[i].value); printf ("max_taintset_compute_number = %d\n", max_taintset_compute_number); } if (0 == strncmp(args->list[i].key, "compute_is_delete", 17)) { compute_is_delete = 1; } if (0 == strncmp(args->list[i].key, "label_incoming_network", 22)) { taint_label_incoming_network_traffic = 1; } if (0 == strncmp(args->list[i].key, "query_outgoing_network", 22)) { taint_query_outgoing_network_traffic = 1; } if (0 == strncmp(args->list[i].key, "no_tainted_pointer", 18)) { tainted_pointer = 0; } if (0 == strncmp(args->list[i].key, "label_mode", 10)) { if (0 == strncmp(args->list[i].value, "binary", 6)){ taint_label_mode = TAINT_BINARY_LABEL; } else if (0 == strncmp(args->list[i].value, "byte", 4)){ taint_label_mode = TAINT_BYTE_LABEL; } else { printf("Invalid taint label_mode. Using default byte label.\n"); taint_label_mode = TAINT_BYTE_LABEL; } } if (0 == strncmp (args->list[i].key, "tainted_instructions", 20)) { tainted_instructions = 1; } } } if (taint_label_mode == TAINT_BYTE_LABEL){ printf("Taint: running in byte labeling mode.\n"); } else if (taint_label_mode == TAINT_BINARY_LABEL){ printf("Taint: running in binary labeling mode.\n"); } printf ("max_taintset_card = %d\n", max_taintset_card); printf ("max_taintset_compute_number = %d\n", max_taintset_compute_number); printf ("taint_label_incoming_network_traffic = %d\n", taint_label_incoming_network_traffic); printf ("taint_query_outgoing_network_traffic = %d\n", taint_query_outgoing_network_traffic); printf ("tainted_pointer = %d\n", tainted_pointer); printf ("compute_is_delete = %d\n", compute_is_delete); printf ("done initializing taint plugin\n"); return true; }
bool init_plugin(void *self) { printf("Initializing taint plugin\n"); panda_cb pcb; panda_enable_memcb(); panda_disable_tb_chaining(); pcb.before_block_exec = before_block_exec; panda_register_callback(self, PANDA_CB_BEFORE_BLOCK_EXEC, pcb); pcb.after_block_exec = after_block_exec; panda_register_callback(self, PANDA_CB_AFTER_BLOCK_EXEC, pcb); pcb.phys_mem_read = phys_mem_read_callback; panda_register_callback(self, PANDA_CB_PHYS_MEM_READ, pcb); pcb.phys_mem_write = phys_mem_write_callback; panda_register_callback(self, PANDA_CB_PHYS_MEM_WRITE, pcb); pcb.cb_cpu_restore_state = cb_cpu_restore_state; panda_register_callback(self, PANDA_CB_CPU_RESTORE_STATE, pcb); pcb.guest_hypercall = guest_hypercall_callback; panda_register_callback(self, PANDA_CB_GUEST_HYPERCALL, pcb); #ifndef CONFIG_SOFTMMU pcb.user_after_syscall = user_after_syscall; panda_register_callback(self, PANDA_CB_USER_AFTER_SYSCALL, pcb); #endif if (!execute_llvm){ panda_enable_llvm(); } llvm::llvm_init(); panda_enable_llvm_helpers(); /* * Run instrumentation pass over all helper functions that are now in the * module, and verify module. */ llvm::Module *mod = tcg_llvm_ctx->getModule(); for (llvm::Module::iterator i = mod->begin(); i != mod->end(); i++){ if (i->isDeclaration()){ continue; } PIFP->runOnFunction(*i); } std::string err; if(verifyModule(*mod, llvm::AbortProcessAction, &err)){ printf("%s\n", err.c_str()); exit(1); } /* * Taint processor initialization */ //uint32_t ram_size = 536870912; // 500MB each #ifdef TARGET_X86_64 // this is only for the fast bitmap which we currently aren't using for // 64-bit, it only supports 32-bit uint64_t ram_size = 0; #else uint32_t ram_size = 0xffffffff; //guest address space -- QEMU user mode #endif uint64_t hd_size = 536870912; uint64_t io_size = 536870912; uint16_t num_vals = 2000; // LLVM virtual registers shadow = tp_init(hd_size, ram_size, io_size, num_vals); if (shadow == NULL){ printf("Error initializing shadow memory...\n"); exit(1); } taintfpm = new llvm::FunctionPassManager(tcg_llvm_ctx->getModule()); // Add the taint analysis pass to our taint pass manager llvm::FunctionPass *taintfp = llvm::createPandaTaintFunctionPass(15*1048576/* global taint op buffer size, 10MB */, NULL /* existing taint cache */); PTFP = static_cast<llvm::PandaTaintFunctionPass*>(taintfp); taintfpm->add(taintfp); taintfpm->doInitialization(); // Populate taint cache with helper function taint ops for (llvm::Module::iterator i = mod->begin(); i != mod->end(); i++){ if (i->isDeclaration()){ continue; } PTFP->runOnFunction(*i); } return true; }