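/// Builds "<dir>/<leaf>" into `out` with a bounded write, never truncating silently.
///
/// @param out     destination buffer
/// @param out_len size of `out` in bytes
/// @param dir     directory prefix (from the plugin argument or default_basedir)
/// @param leaf    file name appended after a '/'
/// @return true when the complete path fit in `out`; false on truncation or a
///         formatting error
static bool llvm_trace_build_path(char *out, size_t out_len, const char *dir, const char *leaf) {
    const int written = snprintf(out, out_len, "%s/%s", dir, leaf);
    return written >= 0 && static_cast<size_t>(written) < out_len;
}

/// Plugin entry point for llvm_trace.
///
/// Reads the optional `llvm_trace:base=<dir>` command-line argument (falling
/// back to default_basedir), opens the trace output files below that
/// directory, registers the block/memory callbacks, switches PANDA to LLVM
/// execution with helpers loaded, and runs the instrumentation pass over
/// every helper function already defined in the module.
///
/// @param self plugin handle handed back to panda_register_callback
/// @return true on success; false when an output path does not fit its
///         buffer or the function log cannot be opened. A module that fails
///         verification still terminates the process with exit(1).
bool init_plugin(void *self) {
    printf("Initializing plugin llvm_trace\n");

    // Look for llvm_trace:base=dir. Only the "llvm_trace" prefix is compared,
    // and the value is whatever follows the last '=' in that argument.
    for (int i = 0; i < panda_argc; i++) {
        if (0 == strncmp(panda_argv[i], "llvm_trace", 10)) {
            basedir = strrchr(panda_argv[i], '=');
            if (basedir) basedir++; // advance past '='
        }
    }
    if (basedir == NULL) {
        basedir = default_basedir;
    }

    // Output paths are formatted with a bounded snprintf instead of
    // strcpy/strcat so an over-long basedir cannot overrun the 256-byte buffers.
    if (tubtf_on) {
        char tubtf_path[256];
        if (!llvm_trace_build_path(tubtf_path, sizeof(tubtf_path), basedir, "tubtf.log")) {
            printf("llvm_trace: base directory path too long: %s\n", basedir);
            return false;
        }
        tubtf_open(tubtf_path, TUBTF_COLW_64);
        panda_enable_precise_pc();
    } else {
        char memlog_path[256];
        char funclog_path[256];
        if (!llvm_trace_build_path(memlog_path, sizeof(memlog_path), basedir, "llvm-memlog.log") ||
            !llvm_trace_build_path(funclog_path, sizeof(funclog_path), basedir, "llvm-functions.log")) {
            printf("llvm_trace: base directory path too long: %s\n", basedir);
            return false;
        }
        open_memlog(memlog_path);
        funclog = fopen(funclog_path, "w");
        if (funclog == NULL) {
            // Report a failed open here rather than at the first use of funclog.
            printf("llvm_trace: could not open %s for writing\n", funclog_path);
            return false;
        }
    }

    panda_cb pcb;
    panda_enable_memcb();
    pcb.before_block_exec = before_block_exec;
    panda_register_callback(self, PANDA_CB_BEFORE_BLOCK_EXEC, pcb);
    pcb.after_block_exec = after_block_exec;
    panda_register_callback(self, PANDA_CB_AFTER_BLOCK_EXEC, pcb);
    pcb.phys_mem_read = phys_mem_read_callback;
    panda_register_callback(self, PANDA_CB_PHYS_MEM_READ, pcb);
    pcb.phys_mem_write = phys_mem_write_callback;
    panda_register_callback(self, PANDA_CB_PHYS_MEM_WRITE, pcb);
    pcb.cb_cpu_restore_state = cb_cpu_restore_state;
    panda_register_callback(self, PANDA_CB_CPU_RESTORE_STATE, pcb);
#ifndef CONFIG_SOFTMMU
    pcb.user_after_syscall = user_after_syscall;
    panda_register_callback(self, PANDA_CB_USER_AFTER_SYSCALL, pcb);
#endif

    if (!execute_llvm) {
        panda_enable_llvm();
    }
    llvm::llvm_init();
    panda_enable_llvm_helpers();

    /*
     * Run the instrumentation pass over all helper functions that are now in
     * the module, then verify the module.
     */
    llvm::Module *mod = tcg_llvm_ctx->getModule();
    for (llvm::Module::iterator i = mod->begin(); i != mod->end(); ++i) {
        if (i->isDeclaration()) {
            continue;
        }
        PIFP->runOnFunction(*i);
    }
    std::string err;
    if (verifyModule(*mod, llvm::AbortProcessAction, &err)) {
        printf("%s\n", err.c_str());
        exit(1);
    }
    return true;
}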
/// Turns taint2 on; a second call is a no-op once taintEnabled is set.
///
/// Registers the translate/exec/memory callbacks, enables precise PC (needed
/// by before_block_exec for panda_current_asid), switches to LLVM execution
/// with helpers, creates shadow memory and the taint function pass, then runs
/// that pass over every helper function already in the module. Shadow-memory
/// or module-verification failure prints a message and exits the process.
void __taint2_enable_taint(void) {
    if (taintEnabled) {
        return;
    }
    printf ("taint2: __taint_enable_taint\n");
    taintEnabled = true;

    panda_cb callbacks;
    callbacks.after_block_translate = after_block_translate;
    panda_register_callback(plugin_ptr, PANDA_CB_AFTER_BLOCK_TRANSLATE, callbacks);
    callbacks.before_block_exec_invalidate_opt = before_block_exec_invalidate_opt;
    panda_register_callback(plugin_ptr, PANDA_CB_BEFORE_BLOCK_EXEC_INVALIDATE_OPT, callbacks);
    callbacks.before_block_exec = before_block_exec;
    panda_register_callback(plugin_ptr, PANDA_CB_BEFORE_BLOCK_EXEC, callbacks);
    callbacks.after_block_exec = after_block_exec;
    panda_register_callback(plugin_ptr, PANDA_CB_AFTER_BLOCK_EXEC, callbacks);
    callbacks.phys_mem_read = phys_mem_read_callback;
    panda_register_callback(plugin_ptr, PANDA_CB_PHYS_MEM_READ, callbacks);
    callbacks.phys_mem_write = phys_mem_write_callback;
    panda_register_callback(plugin_ptr, PANDA_CB_PHYS_MEM_WRITE, callbacks);
    // Deliberately not registered (kept for reference): PANDA_CB_CPU_RESTORE_STATE
    // and the hd/network replay callbacks PANDA_CB_REPLAY_HD_TRANSFER,
    // PANDA_CB_REPLAY_NET_TRANSFER and PANDA_CB_REPLAY_BEFORE_CPU_PHYSICAL_MEM_RW_RAM.

    panda_enable_precise_pc(); // before_block_exec needs precise_pc for panda_current_asid
    if (!execute_llvm) {
        panda_enable_llvm();
    }
    panda_enable_llvm_helpers();

    // Taint processor initialization (label/granularity per the constants passed).
    shadow = tp_init(TAINT_BYTE_LABEL, TAINT_GRANULARITY_BYTE);
    if (shadow == NULL) {
        printf("Error initializing shadow memory...\n");
        exit(1);
    }
    // Start with a zeroed memlog.
    memset(&taint_memlog, 0, sizeof(taint_memlog));

    llvm::Module *module = tcg_llvm_ctx->getModule();
    FPM = tcg_llvm_ctx->getFunctionPassManager();
    // The taint analysis pass goes into the context's function pass manager.
    PTFP = new llvm::PandaTaintFunctionPass(shadow, &taint_memlog);
    FPM->add(PTFP);
    if (optimize_llvm) {
        printf("taint2: Adding default optimizations (-O1).\n");
        llvm::PassManagerBuilder builder;
        builder.OptLevel = 1;
        builder.SizeLevel = 0;
        builder.populateFunctionPassManager(*FPM);
    }
    FPM->doInitialization();

    // Emit taint ops for every helper function that has a body.
    for (llvm::Function &helper : *module) {
        if (!helper.isDeclaration()) {
            PTFP->runOnFunction(helper);
        }
    }
    printf("taint2: Done processing helper functions for taint.\n");

    std::string verify_error;
    const bool module_broken = verifyModule(*module, llvm::AbortProcessAction, &verify_error);
    if (module_broken) {
        printf("%s\n", verify_error.c_str());
        exit(1);
    }
    // tcg_llvm_write_module(tcg_llvm_ctx, "/tmp/llvm-mod.bc") can be called here
    // to dump the instrumented module for inspection.
    printf("taint2: Done verifying module. Running...\n");
}
/// Enables the taint plugin.
///
/// Registers the exec/memory/restore-state callbacks, turns on LLVM execution
/// with helpers, instruments and verifies the helper functions, allocates
/// shadow memory and the taint function pass manager, then seeds the taint
/// cache from the helper functions. Shadow-memory or module-verification
/// failure prints a message and exits the process.
void enable_taint(){
    panda_cb callbacks;
    callbacks.before_block_exec = before_block_exec;
    panda_register_callback(plugin_ptr, PANDA_CB_BEFORE_BLOCK_EXEC, callbacks);
    callbacks.after_block_exec = after_block_exec;
    panda_register_callback(plugin_ptr, PANDA_CB_AFTER_BLOCK_EXEC, callbacks);
    callbacks.phys_mem_read = phys_mem_read_callback;
    panda_register_callback(plugin_ptr, PANDA_CB_PHYS_MEM_READ, callbacks);
    callbacks.phys_mem_write = phys_mem_write_callback;
    panda_register_callback(plugin_ptr, PANDA_CB_PHYS_MEM_WRITE, callbacks);
    callbacks.cb_cpu_restore_state = cb_cpu_restore_state;
    panda_register_callback(plugin_ptr, PANDA_CB_CPU_RESTORE_STATE, callbacks);

    if (!execute_llvm) {
        panda_enable_llvm();
    }
    llvm::llvm_init();
    panda_enable_llvm_helpers();

    // Instrument every helper function that has a body, then verify the module.
    llvm::Module *module = tcg_llvm_ctx->getModule();
    for (llvm::Function &helper : *module) {
        if (!helper.isDeclaration()) {
            PIFP->runOnFunction(helper);
        }
    }
    std::string verify_error;
    if (verifyModule(*module, llvm::AbortProcessAction, &verify_error)) {
        printf("%s\n", verify_error.c_str());
        exit(1);
    }

    // Taint processor initialization.
#ifdef TARGET_X86_64
    // ram_size only feeds the fast bitmap, which is not used for 64-bit
    // (it only supports 32-bit). XXX FIXME
    uint64_t ram_size = 0;
#else
    uint32_t ram_size = 0xffffffff; // guest address space -- QEMU user mode
#endif
    uint64_t hd_size = 536870912;   // 2^29 bytes (512 MiB)
    uint64_t io_size = 536870912;   // 2^29 bytes (512 MiB)
    uint16_t num_vals = 2000;       // LLVM virtual registers -- XXX: not validated here
    shadow = tp_init(hd_size, ram_size, io_size, num_vals);
    if (shadow == NULL) {
        printf("Error initializing shadow memory...\n");
        exit(1);
    }

    taintfpm = new llvm::FunctionPassManager(tcg_llvm_ctx->getModule());
    // Taint analysis pass: 15 * 1 MiB global taint op buffer, no existing taint cache.
    llvm::FunctionPass *taintfp = llvm::createPandaTaintFunctionPass(15 * 1048576, NULL);
    PTFP = static_cast<llvm::PandaTaintFunctionPass*>(taintfp);
    taintfpm->add(taintfp);
    taintfpm->doInitialization();

    // Seed the taint cache with the helper functions' taint ops.
    for (llvm::Module::iterator fn = module->begin(); fn != module->end(); ++fn) {
        if (fn->isDeclaration()) {
            continue;
        }
        PTFP->runOnFunction(*fn);
    }
}
/// Turns the taint plugin on; a second call is a no-op once taintEnabled is set.
///
/// Sets taintJustEnabled/taintEnabled, registers the exec/memory/restore-state
/// callbacks (plus hd/network replay callbacks under CONFIG_SOFTMMU), enables
/// precise PC, switches to LLVM execution with helpers, instruments and
/// verifies the helper functions, allocates shadow memory and the taint
/// function pass manager, then seeds the taint cache from the helper
/// functions. Shadow-memory or module-verification failure prints a message
/// and exits the process.
void __taint_enable_taint(void) {
    if (taintEnabled) {
        return;
    }
    printf ("__taint_enable_taint\n");
    taintJustEnabled = true;
    taintEnabled = true;

    panda_cb callbacks;
    callbacks.before_block_exec = before_block_exec;
    panda_register_callback(plugin_ptr, PANDA_CB_BEFORE_BLOCK_EXEC, callbacks);
    callbacks.after_block_exec = after_block_exec;
    panda_register_callback(plugin_ptr, PANDA_CB_AFTER_BLOCK_EXEC, callbacks);
    callbacks.phys_mem_read = phys_mem_read_callback;
    panda_register_callback(plugin_ptr, PANDA_CB_PHYS_MEM_READ, callbacks);
    callbacks.phys_mem_write = phys_mem_write_callback;
    panda_register_callback(plugin_ptr, PANDA_CB_PHYS_MEM_WRITE, callbacks);
    callbacks.cb_cpu_restore_state = cb_cpu_restore_state;
    panda_register_callback(plugin_ptr, PANDA_CB_CPU_RESTORE_STATE, callbacks);
#ifdef CONFIG_SOFTMMU
    // hd and network taint (replay only)
    callbacks.replay_hd_transfer = cb_replay_hd_transfer_taint;
    panda_register_callback(plugin_ptr, PANDA_CB_REPLAY_HD_TRANSFER, callbacks);
    callbacks.replay_net_transfer = cb_replay_net_transfer_taint;
    panda_register_callback(plugin_ptr, PANDA_CB_REPLAY_NET_TRANSFER, callbacks);
    callbacks.replay_before_cpu_physical_mem_rw_ram = cb_replay_cpu_physical_mem_rw_ram;
    panda_register_callback(plugin_ptr, PANDA_CB_REPLAY_BEFORE_CPU_PHYSICAL_MEM_RW_RAM, callbacks);
#endif

    panda_enable_precise_pc(); // before_block_exec needs precise_pc for panda_current_asid
    if (!execute_llvm) {
        panda_enable_llvm();
    }
    llvm::llvm_init();
    panda_enable_llvm_helpers();

    // Instrument every helper function that has a body, then verify the module.
    llvm::Module *module = tcg_llvm_ctx->getModule();
    for (llvm::Function &helper : *module) {
        if (helper.isDeclaration()) {
            continue;
        }
#if defined(TARGET_ARM)
        // TODO: ARM's cpu_reset() helper is skipped because instrumenting it
        // currently produces invalid LLVM bitcode.
        if (helper.getName().str() == "cpu_reset_llvm") {
            printf("Skipping instrumentation of cpu_reset\n");
            continue;
        }
#endif
        PIFP->runOnFunction(helper);
    }
    std::string verify_error;
    if (verifyModule(*module, llvm::AbortProcessAction, &verify_error)) {
        printf("%s\n", verify_error.c_str());
        exit(1);
    }

    // Taint processor initialization.
#ifdef TARGET_X86_64
    // ram_size only feeds the fast bitmap, which is not used for 64-bit
    // (it only supports 32-bit). XXX FIXME
    uint64_t ram_size = 0;
#else
    uint32_t ram_size = 0xffffffff; // guest address space -- QEMU user mode
#endif
    uint64_t hd_size = 536870912;   // 2^29 bytes (512 MiB)
    uint64_t io_size = 536870912;   // 2^29 bytes (512 MiB)
    uint16_t num_vals = 2000;       // LLVM virtual registers -- XXX: not validated here
    shadow = tp_init(hd_size, ram_size, io_size, num_vals);
    if (shadow == NULL) {
        printf("Error initializing shadow memory...\n");
        exit(1);
    }

    taintfpm = new llvm::FunctionPassManager(tcg_llvm_ctx->getModule());
    // Taint analysis pass: 15 * 1 MiB global taint op buffer, no existing taint cache.
    llvm::FunctionPass *taintfp = llvm::createPandaTaintFunctionPass(15 * 1048576, NULL);
    PTFP = static_cast<llvm::PandaTaintFunctionPass*>(taintfp);
    taintfpm->add(taintfp);
    taintfpm->doInitialization();

    // Seed the taint cache with the helper functions' taint ops.
    for (llvm::Module::iterator fn = module->begin(); fn != module->end(); ++fn) {
        if (fn->isDeclaration()) {
            continue;
        }
        PTFP->runOnFunction(*fn);
    }
}