// R0 is command (label or query) // R1 is buf_start // R2 is length // R3 is offset (not currently implemented) void arm_hypercall_callback(CPUState *env){ target_ulong buf_start = env->regs[1]; target_ulong buf_len = env->regs[2]; if (env->regs[0] == 7 || env->regs[0] == 8){ //Taint label if (!taintEnabled){ printf("Taint plugin: Label operation detected\n"); printf("Enabling taint processing\n"); __taint_enable_taint(); } TaintOpBuffer *tempBuf = tob_new(buf_len * sizeof(TaintOp)); add_taint_ram(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len); tob_delete(tempBuf); } else if (env->regs[0] == 9){ //Query taint on label if (taintEnabled){ printf("Taint plugin: Query operation detected\n"); Addr a = make_maddr(buf_start); bufplot(env, shadow, &a, (int)buf_len); } //printf("Disabling taint processing\n"); //taintEnabled = false; //taintJustDisabled = true; //printf("Label occurrences on HD: %d\n", shad_dir_occ_64(shadow->hd)); } }
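// After-syscall hook for read(): when the read succeeded (ret > 0) on the
// tracked input descriptor infd, the ret bytes just stored at p are labelled
// as tainted. Always returns 0.
//
// The scratch op buffer is 5 * 2^20 bytes; the earlier "1MB" comment was
// wrong about its own constant.
static int user_read(abi_long ret, abi_long fd, void *p){
    enum { TAINT_OP_BUF_BYTES = 5 * 1048576 };  /* 5 MiB */

    if (ret <= 0 || fd != infd) {
        return 0;  // failed/empty read, or not the descriptor we label
    }
    TaintOpBuffer *tempBuf = tob_new(TAINT_OP_BUF_BYTES);
    add_taint(shadow, tempBuf, (uint64_t)p /*pointer*/, ret /*length*/);
    tob_delete(tempBuf);
    return 0;
}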
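// Hypercall entry for i386 guests.
// EAX = command: 7 single-label buffer, 8 positional-label buffer,
//       9 query, 10 reset positional label counter
// EBX = addr of the data (guest VA)
// ECX = size of the data in bytes
// EDI = the label integer (command 7)
// EDX = starting offset (positional labels / file queries)
//       -mostly not used, this is managed in pirate_utils
//
// All registers are guest-controlled. The length is passed on as an int, so
// anything above INT_MAX is refused instead of being truncated to a negative.
void i386_hypercall_callback(CPUState *env){
    const target_ulong max_len = 0x7fffffff;  /* INT_MAX: callees take an int length */
    target_ulong cmd = env->regs[R_EAX];
    target_ulong buf_start = env->regs[R_EBX];
    target_ulong buf_len = env->regs[R_ECX];
    long label = env->regs[R_EDI];

    if (cmd == 10) {
        // Guest util done - reset positional label counter
        taint_pos_count = 0;
        return;
    }
    if (cmd != 7 && cmd != 8 && cmd != 9) {
        return;  // not a taint hypercall
    }
    if (buf_len > max_len) {
        printf("Taint plugin: rejecting hypercall with oversized length\n");
        return;
    }

    if (cmd == 9) {
        //Query taint on this buffer
        if (taintEnabled){
            printf("Taint plugin: Query operation detected\n");
            Addr a = make_maddr(buf_start);
            bufplot(env, shadow, &a, (int)buf_len);
        }
        return;
    }

    //Label (7 or 8)
    if (!taintEnabled){
        printf("Taint plugin: Label operation detected\n");
        printf("Enabling taint processing\n");
        __taint_enable_taint();
    }
    // NOTE(review): scratch buffer size is driven by the guest-supplied length;
    // tob_new()'s behaviour on a huge or failed allocation is not visible here.
    TaintOpBuffer *tempBuf = tob_new(buf_len * sizeof(TaintOp));
    if (cmd == 7) {
        // Standard buffer label
        add_taint_ram_single_label(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len, label);
    } else {
        // Positional buffer label
        add_taint_ram_pos(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len);
    }
    tob_delete(tempBuf);
}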
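// Hypercall entry (i386 only): EAX == 0xdeadbeef marks a taint hypercall,
// EBX selects label (0) or query (1), ECX is the buffer address and EDX its
// length. Always returns 1.
//
// The registers are guest-controlled; the length is passed on as an int, so
// values above INT_MAX are refused rather than truncated to a negative.
// The scratch op buffer is 5 * 2^20 bytes (the old "1MB" comment was wrong).
int guest_hypercall_callback(CPUState *env) {
#ifdef TARGET_I386
    enum { TAINT_OP_BUF_BYTES = 5 * 1048576 };  /* 5 MiB */
    const target_ulong max_len = 0x7fffffff;   /* INT_MAX: callees take an int length */

    if (env->regs[R_EAX] != 0xdeadbeef) {
        return 1;
    }
    target_ulong op = env->regs[R_EBX];
    target_ulong buf_start = env->regs[R_ECX];
    target_ulong buf_len = env->regs[R_EDX];

    if (op != 0 && op != 1) {
        return 1;  // unknown sub-command
    }
    if (buf_len > max_len) {
        printf("Taint plugin: rejecting hypercall with oversized length\n");
        return 1;
    }

    if (op == 0) {
        //Taint label
        TaintOpBuffer *tempBuf = tob_new(TAINT_OP_BUF_BYTES);
        add_taint(shadow, tempBuf, (uint64_t)buf_start, (int)buf_len);
        tob_delete(tempBuf);
    } else {
        //Query taint on label
        bufplot(shadow, (uint64_t)buf_start, (int)buf_len);
    }
#endif
    return 1;
}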
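// Hypercall entry (i386 only): EAX == 0xdeadbeef marks a taint hypercall,
// EBX selects label (0) or query (1), ECX is the buffer address (guest VA)
// and EDX its length. A label request switches taint processing on if it
// is off; a query switches it off afterwards. Always returns 1.
//
// The registers are guest-controlled; the length is passed on as an int, so
// values above INT_MAX are refused rather than truncated to a negative.
int guest_hypercall_callback(CPUState *env){
#ifdef TARGET_I386
    enum { TAINT_OP_BUF_BYTES = 5 * 1048576 };  /* 5 MiB */
    const target_ulong max_len = 0x7fffffff;   /* INT_MAX: callees take an int length */

    if (env->regs[R_EAX] != 0xdeadbeef) {
        return 1;
    }
    target_ulong op = env->regs[R_EBX];
    target_ulong buf_start = env->regs[R_ECX];
    target_ulong buf_len = env->regs[R_EDX];

    if (op != 0 && op != 1) {
        return 1;  // unknown sub-command
    }
    if (buf_len > max_len) {
        printf("Taint plugin: rejecting hypercall with oversized length\n");
        return 1;
    }

#ifndef CONFIG_SOFTMMU
    uint64_t addr = (uint64_t)buf_start;
#else
    // NOTE(review): only the first byte is translated; a buffer that crosses
    // a page boundary is assumed physically contiguous, and a failed
    // translation is not detected here — confirm cpu_get_phys_addr's contract.
    uint64_t addr = cpu_get_phys_addr(env, buf_start);
#endif //CONFIG_SOFTMMU

    if (op == 0) {
        //Taint label
        if (!taintEnabled){
            printf("Taint plugin: Label operation detected\n");
            printf("Enabling taint processing\n");
            taintJustEnabled = true;
            taintEnabled = true;
            enable_taint();
        }
        TaintOpBuffer *tempBuf = tob_new(TAINT_OP_BUF_BYTES);
        add_taint(shadow, tempBuf, addr, (int)buf_len);
        tob_delete(tempBuf);
    } else {
        //Query taint on label, then stop tracking
        bufplot(shadow, addr, (int)buf_len);
        printf("Taint plugin: Query operation detected\n");
        printf("Disabling taint processing\n");
        taintEnabled = false;
        taintJustDisabled = true;
    }
#endif // TARGET_I386
    return 1;
}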
// XXX: Support all features of label and query program void i386_hypercall_callback(CPUState *env){ target_ulong buf_start = env->regs[R_EBX]; target_ulong buf_len = env->regs[R_ECX]; // call to iferret to label data // EBX contains addr of that data // ECX contains size of data // EDI is a pointer to a buffer containing the label string // ESI contains the length of that label // EDX = starting offset (for positional labels only) if (env->regs[R_EAX] == 7 || env->regs[R_EAX] == 8){ if (!taintEnabled){ printf("Taint plugin: Label operation detected\n"); printf("Enabling taint processing\n"); __taint_enable_taint(); } TaintOpBuffer *tempBuf = tob_new( buf_len * sizeof(TaintOp)); add_taint_ram(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len); tob_delete(tempBuf); } //mz Query taint on this buffer //mz EBX = start of buffer (VA) //mz ECX = size of buffer (bytes) // EDI is a pointer to a buffer containing the filename or another name for this query // ESI contains the length of that string // EDX = starting offset - for file queries else if (env->regs[R_EAX] == 9){ //Query taint on label if (taintEnabled){ printf("Taint plugin: Query operation detected\n"); Addr a = make_maddr(buf_start); bufplot(env, shadow, &a, (int)buf_len); } //printf("Disabling taint processing\n"); //taintEnabled = false; //taintJustDisabled = true; //printf("Label occurrences on HD: %d\n", shad_dir_occ_64(shadow->hd)); } }
// R0 is command (label or query) // R1 is buf_start // R2 is length // R3 is offset (not currently implemented, managed in pirate_utils) // R4 is the label integer void arm_hypercall_callback(CPUState *env){ target_ulong buf_start = env->regs[1]; target_ulong buf_len = env->regs[2]; long label = env->regs[4]; if (env->regs[0] == 7 || env->regs[0] == 8){ if (!taintEnabled){ printf("Taint plugin: Label operation detected\n"); printf("Enabling taint processing\n"); __taint_enable_taint(); } TaintOpBuffer *tempBuf = tob_new( buf_len * sizeof(TaintOp)); if (env->regs[0] == 7){ // Standard buffer label add_taint_ram_single_label(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len, label); } else if (env->regs[0] == 8){ // Positional buffer label add_taint_ram_pos(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len); } tob_delete(tempBuf); } else if (env->regs[0] == 9){ //Query taint on label if (taintEnabled){ printf("Taint plugin: Query operation detected\n"); Addr a = make_maddr(buf_start); bufplot(env, shadow, &a, (int)buf_len); } //printf("Disabling taint processing\n"); //taintEnabled = false; //taintJustDisabled = true; //printf("Label occurrences on HD: %d\n", shad_dir_occ_64(shadow->hd)); } else if (env->regs[0] == 10){ // Guest util done - reset positional label counter taint_pos_count = 0; } }
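// Parses a plugin argument value as a decimal int. Returns true and stores
// the value on success; on a missing, non-numeric or out-of-int-range value
// it prints a warning and leaves *out untouched so the default stays in effect.
static bool parse_int_arg(const char *key, const char *value, int *out) {
    if (value == NULL || *value == '\0') {
        printf("Taint: argument %s needs a numeric value; keeping default\n", key);
        return false;
    }
    char *end = NULL;
    long v = strtol(value, &end, 10);
    if (*end != '\0' || v < -0x7fffffff - 1 || v > 0x7fffffff) {
        printf("Taint: invalid value '%s' for %s; keeping default\n", value, key);
        return false;
    }
    *out = (int)v;
    return true;
}

// Plugin entry point. Registers the hypercall, replay-packet and (for
// user-mode builds) after-syscall callbacks, allocates the I/O-thread op
// buffer, applies the "taint" plugin arguments and prints the resulting
// configuration. Always returns true.
//
// Argument keys are matched exactly. The previous strncmp() with hand-counted
// prefix lengths both mis-counted "max_taintset_compute_number" (24 of 27
// characters) and accepted any key sharing a prefix, e.g. "bytes" for "byte".
// Numeric values are validated instead of atoi() silently yielding 0.
bool init_plugin(void *self) {
    printf("Initializing taint plugin\n");
    plugin_ptr = self;
    panda_cb pcb;
    panda_enable_memcb();
    panda_disable_tb_chaining();
    pcb.guest_hypercall = guest_hypercall_callback;
    panda_register_callback(self, PANDA_CB_GUEST_HYPERCALL, pcb);
    pcb.replay_handle_packet = handle_packet;
    panda_register_callback(plugin_ptr, PANDA_CB_REPLAY_HANDLE_PACKET, pcb);
#ifndef CONFIG_SOFTMMU
    pcb.user_after_syscall = user_after_syscall;
    panda_register_callback(self, PANDA_CB_USER_AFTER_SYSCALL, pcb);
#endif
    tob_io_thread = tob_new(tob_io_thread_max_size);

    panda_arg_list *args = panda_get_args("taint");
    if (NULL != args) {
        for (int i = 0; i < args->nargs; i++) {
            const char *key = args->list[i].key;
            const char *value = args->list[i].value;

            if (0 == strcmp(key, "max_taintset_card")) {
                if (parse_int_arg(key, value, &max_taintset_card)) {
                    printf ("max_taintset_card = %d\n", max_taintset_card);
                }
            } else if (0 == strcmp(key, "max_taintset_compute_number")) {
                if (parse_int_arg(key, value, &max_taintset_compute_number)) {
                    printf ("max_taintset_compute_number = %d\n", max_taintset_compute_number);
                }
            } else if (0 == strcmp(key, "compute_is_delete")) {
                compute_is_delete = 1;
            } else if (0 == strcmp(key, "label_incoming_network")) {
                taint_label_incoming_network_traffic = 1;
            } else if (0 == strcmp(key, "query_outgoing_network")) {
                taint_query_outgoing_network_traffic = 1;
            } else if (0 == strcmp(key, "no_tainted_pointer")) {
                tainted_pointer = 0;
            } else if (0 == strcmp(key, "label_mode")) {
                if (value != NULL && 0 == strcmp(value, "binary")) {
                    taint_label_mode = TAINT_BINARY_LABEL;
                } else if (value != NULL && 0 == strcmp(value, "byte")) {
                    taint_label_mode = TAINT_BYTE_LABEL;
                } else {
                    printf("Invalid taint label_mode. Using default byte label.\n");
                    taint_label_mode = TAINT_BYTE_LABEL;
                }
            } else if (0 == strcmp(key, "tainted_instructions")) {
                tainted_instructions = 1;
            }
        }
    }

    if (taint_label_mode == TAINT_BYTE_LABEL){
        printf("Taint: running in byte labeling mode.\n");
    } else if (taint_label_mode == TAINT_BINARY_LABEL){
        printf("Taint: running in binary labeling mode.\n");
    }
    printf ("max_taintset_card = %d\n", max_taintset_card);
    printf ("max_taintset_compute_number = %d\n", max_taintset_compute_number);
    printf ("taint_label_incoming_network_traffic = %d\n", taint_label_incoming_network_traffic);
    printf ("taint_query_outgoing_network_traffic = %d\n", taint_query_outgoing_network_traffic);
    printf ("tainted_pointer = %d\n", tainted_pointer);
    printf ("compute_is_delete = %d\n", compute_is_delete);
    printf ("done initializing taint plugin\n");
    return true;
}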