// this does a bunch of the dmas in hd taint transfer
int cb_replay_cpu_physical_mem_rw_ram(CPUState *env, uint32_t is_write,
uint8_t *src_addr, uint64_t dest_addr, uint32_t num_bytes){
// NB:
// is_write == 1 means write from qemu buffer to guest RAM.
// is_write == 0 means RAM -> qemu buffer
// Replay dmas in hd taint transfer
if (taintEnabled) {
TaintOp top;
top.typ = BULKCOPYOP;
top.val.bulkcopy.l = num_bytes;
if (is_write) {
// its a "write", i.e., transfer from IO buffer to RAM
// printf("cpu_physical_mem_rw IO->RAM\n");
top.val.bulkcopy.a = make_iaddr((uint64_t)src_addr);
top.val.bulkcopy.b = make_maddr(dest_addr);
}
else {
// its a "read", i.e., transfer from RAM to IO buffer
// printf("cpu_physical_mem_rw RAM->IO\n");
top.val.bulkcopy.a = make_maddr(dest_addr);
top.val.bulkcopy.b = make_iaddr((uint64_t)src_addr);
}
// make the taint op buffer bigger if necessary
tob_resize(&tob_io_thread);
// add bulk copy corresponding to this hd transfer to buffer
// of taint ops for io thread.
tob_op_write(tob_io_thread, &top);
}
return 0;
}
void guestDeleteTaint(GReg guestDst, int len, TaintOpBuffer *buf){
struct addr_struct dst = {0,{0},0,0};
TaintOp op;
memset(&op, 0, sizeof(TaintOp));
op.typ = DELETEOP;
dst.typ = GREG;
dst.val.gr = guestDst;
int i;
for (i = 0; i < len; i++){
dst.off = i;
op.val.deletel.a = dst;
tob_op_write(buf, op);
}
}
// Apply taint to a buffer of memory
void add_taint(Shad *shad, TaintOpBuffer *tbuf, uint64_t addr, int length){
struct addr_struct a = {};
a.typ = MADDR;
a.val.ma = addr;
struct taint_op_struct op = {};
op.typ = LABELOP;
for (int i = 0; i < length; i++){
a.off = i;
op.val.label.a = a;
op.val.label.l = i + count; // byte label
//op.val.label.l = 1; // binary label
tob_op_write(tbuf, op);
}
tob_process(tbuf, shad, NULL);
count += length;
}
void guestLoadTaint(GReg guestSrc, LAddr localDst, int len, TaintOpBuffer *buf){
struct addr_struct src = {0,{0},0,0};
struct addr_struct dst = {0,{0},0,0};
TaintOp op;
memset(&op, 0, sizeof(TaintOp));
op.typ = COPYOP;
src.typ = GREG;
src.val.gr = guestSrc;
dst.typ = LADDR;
dst.val.la = localDst;
int i;
for (i = 0; i < len; i++){
dst.off = i;
src.off = i;
op.val.copy.a = src;
op.val.copy.b = dst;
tob_op_write(buf, op);
}
}
// this is for much of the network taint transfers.
// this gets called from rr_log.c, rr_replay_skipped_calls, RR_CALL_NET_TRANSFER
// case.
int cb_replay_net_transfer_taint(CPUState *env, uint32_t type, uint64_t src_addr,
uint64_t dest_addr, uint32_t num_bytes){
// Replay network transfer as taint transfer
if (taintEnabled) {
TaintOp top;
top.typ = BULKCOPYOP;
top.val.bulkcopy.l = num_bytes;
switch (type) {
case NET_TRANSFER_RAM_TO_IOB:
#ifdef TAINTDEBUG
printf("NET_TRANSFER_RAM_TO_IOB src: 0x%lx, dest 0x%lx, len %d\n",
src_addr, dest_addr, num_bytes);
#endif
top.val.bulkcopy.a = make_maddr(src_addr);
top.val.bulkcopy.b = make_iaddr(dest_addr);
break;
case NET_TRANSFER_IOB_TO_RAM:
#ifdef TAINTDEBUG
printf("NET_TRANSFER_IOB_TO_RAM src: 0x%lx, dest 0x%lx, len %d\n",
src_addr, dest_addr, num_bytes);
#endif
top.val.bulkcopy.a = make_iaddr(src_addr);
top.val.bulkcopy.b = make_maddr(dest_addr);
break;
case NET_TRANSFER_IOB_TO_IOB:
#ifdef TAINTDEBUG
printf("NET_TRANSFER_IOB_TO_IOB src: 0x%lx, dest 0x%lx, len %d\n",
src_addr, dest_addr, num_bytes);
#endif
top.val.bulkcopy.a = make_iaddr(src_addr);
top.val.bulkcopy.b = make_iaddr(dest_addr);
break;
default:
assert(0);
}
// make the taint op buffer bigger if necessary
tob_resize(&tob_io_thread);
// add bulk copy corresponding to this hd transfer to buffer
// of taint ops for io thread.
tob_op_write(tob_io_thread, &top);
}
return 0;
}
int handle_packet(CPUState *env, uint8_t *buf, int size, uint8_t direction,
uint64_t old_buf_addr){
switch (direction){
case PANDA_NET_RX:
{
#ifdef TAINTDEBUG
printf("RX packet\n");
printf("Buf: 0x%lx, Old Buf: 0x%lx, Size %d\n",
(uint64_t)buf, old_buf_addr, size);
#endif
if (taint_label_incoming_network_traffic){
if (!taintEnabled){
printf("Taint plugin: Label operation detected (network)\n");
printf("Enabling taint processing\n");
__taint_enable_taint();
}
add_taint_io(env, shadow, tob_io_thread, old_buf_addr, size);
count += size;
break;
}
}
case PANDA_NET_TX:
#ifdef TAINTDEBUG
printf("TX packet\n");
printf("Buf: 0x%lx, Old Buf: 0x%lx, Size %d\n",
(uint64_t)buf, old_buf_addr, size);
#endif
if (taintEnabled && taint_query_outgoing_network_traffic){
TaintOp top;
top.typ = QUERYOP;
top.val.query.l = size;
top.val.query.a = make_iaddr(old_buf_addr);
// make the taint op buffer bigger if necessary
tob_resize(&tob_io_thread);
tob_op_write(tob_io_thread, &top);
}
break;
default:
assert(0);
}
return 0;
}
// this is for much of the hd taint transfers.
// this gets called from rr_log.c, rr_replay_skipped_calls, RR_CALL_HD_TRANSFER
// case.
int cb_replay_hd_transfer_taint(CPUState *env, uint32_t type, uint64_t src_addr,
uint64_t dest_addr, uint32_t num_bytes) {
// Replay hd transfer as taint transfer
if (taintEnabled) {
TaintOp top;
top.typ = BULKCOPYOP;
top.val.bulkcopy.l = num_bytes;
switch (type) {
case HD_TRANSFER_HD_TO_IOB:
#ifdef TAINTDEBUG
printf("replay_hd_transfer HD_TRANSFER_HD_TO_IOB\n");
#endif
top.val.bulkcopy.a = make_haddr(src_addr);
top.val.bulkcopy.b = make_iaddr(dest_addr);
break;
case HD_TRANSFER_IOB_TO_HD:
#ifdef TAINTDEBUG
printf("replay_hd_transfer HD_TRANSFER_IOB_TO_HD\n");
#endif
top.val.bulkcopy.a = make_iaddr(src_addr);
top.val.bulkcopy.b = make_haddr(dest_addr);
break;
case HD_TRANSFER_PORT_TO_IOB:
#ifdef TAINTDEBUG
printf("replay_hd_transfer HD_TRANSFER_PORT_TO_IOB\n");
#endif
top.val.bulkcopy.a = make_paddr(src_addr);
top.val.bulkcopy.b = make_iaddr(dest_addr);
break;
case HD_TRANSFER_IOB_TO_PORT:
#ifdef TAINTDEBUG
printf("replay_hd_transfer HD_TRANSFER_IOB_TO_PORT\n");
#endif
top.val.bulkcopy.a = make_iaddr(src_addr);
top.val.bulkcopy.b = make_paddr(dest_addr);
break;
case HD_TRANSFER_HD_TO_RAM:
#ifdef TAINTDEBUG
printf("replay_hd_transfer HD_TRANSFER_HD_TO_RAM\n");
printf("\tSource: 0x%lx, Dest: 0x%lx, Len: %d\n",
src_addr, dest_addr, num_bytes);
#endif
top.val.bulkcopy.a = make_haddr(src_addr);
top.val.bulkcopy.b = make_maddr(dest_addr);
break;
case HD_TRANSFER_RAM_TO_HD:
#ifdef TAINTDEBUG
printf("replay_hd_transfer HD_TRANSFER_RAM_TO_HD\n");
printf("\tSource: 0x%lx, Dest: 0x%lx, Len: %d\n",
src_addr, dest_addr, num_bytes);
#endif
top.val.bulkcopy.a = make_maddr(src_addr);
top.val.bulkcopy.b = make_haddr(dest_addr);
break;
default:
printf ("Impossible hd transfer type: %d\n", type);
assert (1==0);
}
// make the taint op buffer bigger if necessary
tob_resize(&tob_io_thread);
// add bulk copy corresponding to this hd transfer to buffer
// of taint ops for io thread.
tob_op_write(tob_io_thread, &top);
}
return 0;
}
