bool init_plugin(void *self) {
printf("Initializing plugin llvm_trace\n");
// Look for llvm_trace:base=dir
for (int i = 0; i < panda_argc; i++) {
if(0 == strncmp(panda_argv[i], "llvm_trace", 10)) {
basedir = strrchr(panda_argv[i], '=');
if (basedir) basedir++; // advance past '='
}
}
if (basedir == NULL) {
basedir = default_basedir;
}
if (tubtf_on) {
char tubtf_path[256];
strcpy(tubtf_path, basedir);
strcat(tubtf_path, "/tubtf.log");
tubtf_open(tubtf_path, TUBTF_COLW_64);
panda_enable_precise_pc();
}
else {
// XXX: unsafe string manipulations
char memlog_path[256];
char funclog_path[256];
strcpy(memlog_path, basedir);
strcat(memlog_path, "/llvm-memlog.log");
open_memlog(memlog_path);
strcpy(funclog_path, basedir);
strcat(funclog_path, "/llvm-functions.log");
funclog = fopen(funclog_path, "w");
}
panda_cb pcb;
panda_enable_memcb();
pcb.before_block_exec = before_block_exec;
panda_register_callback(self, PANDA_CB_BEFORE_BLOCK_EXEC, pcb);
pcb.after_block_exec = after_block_exec;
panda_register_callback(self, PANDA_CB_AFTER_BLOCK_EXEC, pcb);
pcb.phys_mem_read = phys_mem_read_callback;
panda_register_callback(self, PANDA_CB_PHYS_MEM_READ, pcb);
pcb.phys_mem_write = phys_mem_write_callback;
panda_register_callback(self, PANDA_CB_PHYS_MEM_WRITE, pcb);
pcb.cb_cpu_restore_state = cb_cpu_restore_state;
panda_register_callback(self, PANDA_CB_CPU_RESTORE_STATE, pcb);
#ifndef CONFIG_SOFTMMU
pcb.user_after_syscall = user_after_syscall;
panda_register_callback(self, PANDA_CB_USER_AFTER_SYSCALL, pcb);
#endif
if (!execute_llvm){
panda_enable_llvm();
}
llvm::llvm_init();
panda_enable_llvm_helpers();
/*
* Run instrumentation pass over all helper functions that are now in the
* module, and verify module.
*/
llvm::Module *mod = tcg_llvm_ctx->getModule();
for (llvm::Module::iterator i = mod->begin(); i != mod->end(); i++){
if (i->isDeclaration()){
continue;
}
PIFP->runOnFunction(*i);
}
std::string err;
if(verifyModule(*mod, llvm::AbortProcessAction, &err)){
printf("%s\n", err.c_str());
exit(1);
}
return true;
}
void __taint2_enable_taint(void) {
if(taintEnabled) {return;}
printf ("taint2: __taint_enable_taint\n");
taintEnabled = true;
panda_cb pcb;
pcb.after_block_translate = after_block_translate;
panda_register_callback(plugin_ptr, PANDA_CB_AFTER_BLOCK_TRANSLATE, pcb);
pcb.before_block_exec_invalidate_opt = before_block_exec_invalidate_opt;
panda_register_callback(plugin_ptr, PANDA_CB_BEFORE_BLOCK_EXEC_INVALIDATE_OPT, pcb);
pcb.before_block_exec = before_block_exec;
panda_register_callback(plugin_ptr, PANDA_CB_BEFORE_BLOCK_EXEC, pcb);
pcb.after_block_exec = after_block_exec;
panda_register_callback(plugin_ptr, PANDA_CB_AFTER_BLOCK_EXEC, pcb);
pcb.phys_mem_read = phys_mem_read_callback;
panda_register_callback(plugin_ptr, PANDA_CB_PHYS_MEM_READ, pcb);
pcb.phys_mem_write = phys_mem_write_callback;
panda_register_callback(plugin_ptr, PANDA_CB_PHYS_MEM_WRITE, pcb);
/*
pcb.cb_cpu_restore_state = cb_cpu_restore_state;
panda_register_callback(plugin_ptr, PANDA_CB_CPU_RESTORE_STATE, pcb);
// for hd and network taint
pcb.replay_hd_transfer = cb_replay_hd_transfer_taint;
panda_register_callback(plugin_ptr, PANDA_CB_REPLAY_HD_TRANSFER, pcb);
pcb.replay_net_transfer = cb_replay_net_transfer_taint;
panda_register_callback(plugin_ptr, PANDA_CB_REPLAY_NET_TRANSFER, pcb);
pcb.replay_before_cpu_physical_mem_rw_ram = cb_replay_cpu_physical_mem_rw_ram;
panda_register_callback(plugin_ptr, PANDA_CB_REPLAY_BEFORE_CPU_PHYSICAL_MEM_RW_RAM, pcb);
*/
panda_enable_precise_pc(); //before_block_exec requires precise_pc for panda_current_asid
if (!execute_llvm){
panda_enable_llvm();
}
panda_enable_llvm_helpers();
/*
* Taint processor initialization
*/
shadow = tp_init(TAINT_BYTE_LABEL, TAINT_GRANULARITY_BYTE);
if (shadow == NULL){
printf("Error initializing shadow memory...\n");
exit(1);
}
// Initialize memlog.
memset(&taint_memlog, 0, sizeof(taint_memlog));
llvm::Module *mod = tcg_llvm_ctx->getModule();
FPM = tcg_llvm_ctx->getFunctionPassManager();
// Add the taint analysis pass to our taint pass manager
PTFP = new llvm::PandaTaintFunctionPass(shadow, &taint_memlog);
FPM->add(PTFP);
if (optimize_llvm) {
printf("taint2: Adding default optimizations (-O1).\n");
llvm::PassManagerBuilder Builder;
Builder.OptLevel = 1;
Builder.SizeLevel = 0;
Builder.populateFunctionPassManager(*FPM);
}
FPM->doInitialization();
// Populate module with helper function taint ops
for (auto i = mod->begin(); i != mod->end(); i++){
if (!i->isDeclaration()) PTFP->runOnFunction(*i);
}
printf("taint2: Done processing helper functions for taint.\n");
std::string err;
if(verifyModule(*mod, llvm::AbortProcessAction, &err)){
printf("%s\n", err.c_str());
exit(1);
}
//tcg_llvm_write_module(tcg_llvm_ctx, "/tmp/llvm-mod.bc");
printf("taint2: Done verifying module. Running...\n");
}
void enable_taint(){
panda_cb pcb;
pcb.before_block_exec = before_block_exec;
panda_register_callback(plugin_ptr, PANDA_CB_BEFORE_BLOCK_EXEC, pcb);
pcb.after_block_exec = after_block_exec;
panda_register_callback(plugin_ptr, PANDA_CB_AFTER_BLOCK_EXEC, pcb);
pcb.phys_mem_read = phys_mem_read_callback;
panda_register_callback(plugin_ptr, PANDA_CB_PHYS_MEM_READ, pcb);
pcb.phys_mem_write = phys_mem_write_callback;
panda_register_callback(plugin_ptr, PANDA_CB_PHYS_MEM_WRITE, pcb);
pcb.cb_cpu_restore_state = cb_cpu_restore_state;
panda_register_callback(plugin_ptr, PANDA_CB_CPU_RESTORE_STATE, pcb);
if (!execute_llvm){
panda_enable_llvm();
}
llvm::llvm_init();
panda_enable_llvm_helpers();
/*
* Run instrumentation pass over all helper functions that are now in the
* module, and verify module.
*/
llvm::Module *mod = tcg_llvm_ctx->getModule();
for (llvm::Module::iterator i = mod->begin(); i != mod->end(); i++){
if (i->isDeclaration()){
continue;
}
PIFP->runOnFunction(*i);
}
std::string err;
if(verifyModule(*mod, llvm::AbortProcessAction, &err)){
printf("%s\n", err.c_str());
exit(1);
}
/*
* Taint processor initialization
*/
//uint32_t ram_size = 536870912; // 500MB each
#ifdef TARGET_X86_64
// this is only for the fast bitmap which we currently aren't using for
// 64-bit, it only supports 32-bit
//XXX FIXME
uint64_t ram_size = 0;
#else
uint32_t ram_size = 0xffffffff; //guest address space -- QEMU user mode
#endif
uint64_t hd_size = 536870912;
uint64_t io_size = 536870912;
uint16_t num_vals = 2000; // LLVM virtual registers //XXX assert this
shadow = tp_init(hd_size, ram_size, io_size, num_vals);
if (shadow == NULL){
printf("Error initializing shadow memory...\n");
exit(1);
}
taintfpm = new llvm::FunctionPassManager(tcg_llvm_ctx->getModule());
// Add the taint analysis pass to our taint pass manager
llvm::FunctionPass *taintfp =
llvm::createPandaTaintFunctionPass(15*1048576/* global taint op buffer
size, 10MB */, NULL /* existing taint cache */);
PTFP = static_cast<llvm::PandaTaintFunctionPass*>(taintfp);
taintfpm->add(taintfp);
taintfpm->doInitialization();
// Populate taint cache with helper function taint ops
for (llvm::Module::iterator i = mod->begin(); i != mod->end(); i++){
if (i->isDeclaration()){
continue;
}
PTFP->runOnFunction(*i);
}
}
void __taint_enable_taint(void) {
if(taintEnabled) {return;}
printf ("__taint_enable_taint\n");
taintJustEnabled = true;
taintEnabled = true;
panda_cb pcb;
pcb.before_block_exec = before_block_exec;
panda_register_callback(plugin_ptr, PANDA_CB_BEFORE_BLOCK_EXEC, pcb);
pcb.after_block_exec = after_block_exec;
panda_register_callback(plugin_ptr, PANDA_CB_AFTER_BLOCK_EXEC, pcb);
pcb.phys_mem_read = phys_mem_read_callback;
panda_register_callback(plugin_ptr, PANDA_CB_PHYS_MEM_READ, pcb);
pcb.phys_mem_write = phys_mem_write_callback;
panda_register_callback(plugin_ptr, PANDA_CB_PHYS_MEM_WRITE, pcb);
pcb.cb_cpu_restore_state = cb_cpu_restore_state;
panda_register_callback(plugin_ptr, PANDA_CB_CPU_RESTORE_STATE, pcb);
// for hd and network taint
#ifdef CONFIG_SOFTMMU
pcb.replay_hd_transfer = cb_replay_hd_transfer_taint;
panda_register_callback(plugin_ptr, PANDA_CB_REPLAY_HD_TRANSFER, pcb);
pcb.replay_net_transfer = cb_replay_net_transfer_taint;
panda_register_callback(plugin_ptr, PANDA_CB_REPLAY_NET_TRANSFER, pcb);
pcb.replay_before_cpu_physical_mem_rw_ram = cb_replay_cpu_physical_mem_rw_ram;
panda_register_callback(plugin_ptr, PANDA_CB_REPLAY_BEFORE_CPU_PHYSICAL_MEM_RW_RAM, pcb);
#endif
panda_enable_precise_pc(); //before_block_exec requires precise_pc for panda_current_asid
if (!execute_llvm){
panda_enable_llvm();
}
llvm::llvm_init();
panda_enable_llvm_helpers();
/*
* Run instrumentation pass over all helper functions that are now in the
* module, and verify module.
*/
llvm::Module *mod = tcg_llvm_ctx->getModule();
for (llvm::Module::iterator i = mod->begin(); i != mod->end(); i++){
if (i->isDeclaration()){
continue;
}
#if defined(TARGET_ARM)
//TODO: Fix handling of ARM's cpu_reset() helper
// Currently, we skip instrumenting it, because we generate invalid LLVM bitcode if we try
std::string modname = i->getName().str();
if (modname == "cpu_reset_llvm"){
printf("Skipping instrumentation of cpu_reset\n");
continue;
}
#endif
PIFP->runOnFunction(*i);
}
std::string err;
if(verifyModule(*mod, llvm::AbortProcessAction, &err)){
printf("%s\n", err.c_str());
exit(1);
}
/*
* Taint processor initialization
*/
//uint32_t ram_size = 536870912; // 500MB each
#ifdef TARGET_X86_64
// this is only for the fast bitmap which we currently aren't using for
// 64-bit, it only supports 32-bit
//XXX FIXME
uint64_t ram_size = 0;
#else
uint32_t ram_size = 0xffffffff; //guest address space -- QEMU user mode
#endif
uint64_t hd_size = 536870912;
uint64_t io_size = 536870912;
uint16_t num_vals = 2000; // LLVM virtual registers //XXX assert this
shadow = tp_init(hd_size, ram_size, io_size, num_vals);
if (shadow == NULL){
printf("Error initializing shadow memory...\n");
exit(1);
}
taintfpm = new llvm::FunctionPassManager(tcg_llvm_ctx->getModule());
// Add the taint analysis pass to our taint pass manager
llvm::FunctionPass *taintfp =
llvm::createPandaTaintFunctionPass(15*1048576/* global taint op buffer
size, 10MB */, NULL /* existing taint cache */);
PTFP = static_cast<llvm::PandaTaintFunctionPass*>(taintfp);
taintfpm->add(taintfp);
taintfpm->doInitialization();
// Populate taint cache with helper function taint ops
for (llvm::Module::iterator i = mod->begin(); i != mod->end(); i++){
if (i->isDeclaration()){
continue;
}
PTFP->runOnFunction(*i);
}
}
