Closed T0m-Ph closed 4 years ago
Hi Zhenxiao,
Can you take a look?
Heng
On Wed, May 6, 2020 at 4:11 AM Tom PHILIPPE notifications@github.com wrote:
Hi !
I'm currently trying to log tainted instructions using tracecap plugin. I followed this document to proceed: https://github.com/decaf-project/DECAF/blob/master/decaf/plugins/tracecap/USAGE
Here is the command I use to launch the VM: ./DECAF/decaf/i386-softmmu/qemu-system-i386 -monitor stdio -m 4096 -netdev user,id=mynet,hostfwd=tcp::10080-:80 -device rtl8139,netdev=mynet /opt/images/windows.img
Whether I use the "taint_nic" command (with a program that reads data from the net, here an Apache server) or the "taint_sendkey" command (with a program that reads data input by the user on the command line), there are 0 tainted instructions written to the trace file.
Also, before performing any taint operation, I make sure to enable tainting using the command "enable_tainting".
Finally, I noticed that one command specified in the USAGE doc, enable_emulation, is not present in the list of commands associated with this plugin: https://github.com/decaf-project/DECAF/blob/master/decaf/plugins/tracecap/plugin_cmds.h .
How can I proceed to get the tainted instructions reported in the trace file?
Also, when trying to compile the trace_reader, I encounter 2 problems, while I'm following instructions provided here https://github.com/decaf-project/DECAF/blob/master/decaf/plugins/tracecap/trace_reader/INSTALL :
- First is that there is no configure file
- Second, when compiling with the provided makefile I encounter the following errors:
libdasm.o: In function 'get_operand':
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:320: undefined reference to 'MODE_CHECK_ADDR'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:464: undefined reference to 'FETCH8'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:470: undefined reference to 'FETCH16'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:473: undefined reference to 'FETCH32'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:504: undefined reference to 'MODE_CHECK_OPERAND'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:509: undefined reference to 'FETCH8'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:518: undefined reference to 'FETCH32'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:519: undefined reference to 'FETCH16'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:523: undefined reference to 'FETCH16'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:533: undefined reference to 'MODE_CHECK_OPERAND'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:537: undefined reference to 'FETCH32'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:537: undefined reference to 'FETCH16'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:538: undefined reference to 'FETCH16'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:550: undefined reference to 'FETCH8'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:555: undefined reference to 'FETCH32'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:555: undefined reference to 'FETCH16'
libdasm.o: In function 'get_operand_string':
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:602: undefined reference to 'MODE_CHECK_OPERAND'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:676: undefined reference to 'MODE_CHECK_ADDR'
libdasm.o: In function 'get_mnemonic_string':
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:1068: undefined reference to 'MODE_CHECK_OPERAND'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:1088: undefined reference to 'MODE_CHECK_OPERAND'
collect2: error: ld returned 1 exit status
Makefile:16: recipe for target 'trace_reader_cpp' failed
make: *** [trace_reader_cpp] Error 1
Hi,
Regarding your first question, I tested the tracecap plugin and it works on my machine. Here are the steps and results:
./i386-softmmu/qemu-system-i386 -m 1024 ~/images/lubuntu14.qcow -monitor stdio
load_plugin ./plugin/tracecap/tracecap.so
enable_tainting
tracebyname PROCNAME "tmp.trace"
(replace PROCNAME with the name of the process to be tested)
taint_sendkey 1
Here are some statistics after the test:
Please try the instructions above, if it's still not working, please provide the instructions you use during the process.
Zhenxiao
Hi Zhenxiao,
I tried the same commands as you did and wasn't successful. Here is what I did:
./DECAF/decaf/i386-softmmu/qemu-system-i386 -monitor stdio -m 1024 /opt/images/windows.img
load_plugin DECAF/decaf/plugins/tracecap/tracecap.so
enable_tainting
tracebyname a.exe "tmp.trace"
taint_sendkey 1
After the test, I have the following:
Number of instructions decoded: 485444
Number of operands decoded: 1127172
Number of instructions written to trace: 485349
Number of tainted instructions written to trace: 0
Processing time: 7.41773 U: 6.85705 S: 0.560679
As you can see, no tainted instruction is written to the trace.
Hi,
Just to make sure, does your a.exe take user input and further propagate it? I use taint_sendkey 1 because my test binary takes a number from input and does some calculation on it.
I will test it on windows image.
Zhenxiao
Hi,
Yes, the program does some operations on the user input. It is designed to be a buffer overflow. Here is the source code used:
#include <stdio.h>
#include <string.h>

/* Copies the input into a 4-byte stack buffer with no length check:
   this unbounded strcpy is the intended buffer overflow. */
void func1(char *input) {
    char buffer[4];
    strcpy(buffer, input);
}

int main(void) {
    char buffer[16];
    /* Reads the user's keystrokes; this is the taint source under taint_sendkey. */
    scanf("%s", buffer);
    func1(buffer);
    return 0;
}
Thank you!
Good afternoon @enlighten5. Do you have any update on this issue? Thanks!
Hi,
I think it's because the pointer tainting is not enabled. I set it to be on by default, so I did not reproduce your result.
To enable pointer tainting, run taint_pointers on on in the qemu console.
I tried your test program and here are some numbers before and after pointer tainting is enabled.
Please try taint_pointers on on to enable pointer tainting and let me know if there is any further problem.
Zhenxiao
Hi @enlighten5 ,
I did enable the pointer tainting, but still couldn't get any tainted instruction written to the trace even though there is a buffer overflow and the program crashes. However, thanks to the tainted_bytes command I noticed that I have some bytes that are tainted.
Regards,
What windows image are you using?
In order to have keystrokes propagate properly for Windows, we have to patch a specific kernel function. In my Panorama paper, I described it in detail:
The situation outlined above occurs rarely in regular code. However, it does appear in the keystroke handling routines in Windows 2000 and later versions. In our experiments with Windows XP, we observed that the Unicode characters derived from keystrokes were not tainted as expected. After reviewing the raw taint propagation events and examining the Windows kernel code using IDA Pro [22], we determined that taint tracking stops at a keystroke Unicode conversion routine called _xxxInternalToUnicode (which is in part of the win32k.sys system file).
Check DECAF Code https://github.com/decaf-project/DECAF/blob/master/decaf/target-i386/op_helper.c#L5955
I instrument the "leave" instruction in _xxxInternalToUnicode, so you need to find where this function is located in your kernel, if you are using a different Windows kernel version than the ones DECAF already supported.
Hope it helps!
-Heng
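To make the two diagnoses in this thread concrete (Zhenxiao's taint_pointers on on, and Heng's point that the keystroke taint is dropped inside the table-driven _xxxInternalToUnicode conversion routine unless that routine is handled specially), here is an added toy model of byte-level shadow tainting; it is illustrative code written for this page, not DECAF's implementation, and the memory layout, table and scancode values are constructed:

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy model: every data byte has one shadow taint bit (not DECAF's code). */
#define MEM_SIZE 64
static uint8_t mem[MEM_SIZE];
static bool taint[MEM_SIZE];          /* shadow taint bit per byte */
static bool pointer_tainting = false; /* models "taint_pointers on on" */

/* mov dst, src: plain data flow, taint always follows the copied value. */
static void mov_byte(int dst, int src) {
    mem[dst] = mem[src];
    taint[dst] = taint[src];
}

/* dst = table[index]: a load whose ADDRESS depends on 'index'.
   The loaded byte carries only the table entry's taint (clean data), so
   without pointer tainting a tainted keystroke used as an index yields an
   untainted result. Pointer tainting also propagates the index's taint. */
static void load_indexed(int dst, int table_base, int index_addr) {
    int idx = mem[index_addr];
    mem[dst] = mem[table_base + idx];
    taint[dst] = taint[table_base + idx] ||
                 (pointer_tainting && taint[index_addr]);
}

/* Scenario modelled on the keystroke case from the thread: a tainted
   scancode is translated through a clean lookup table, then copied into
   the application's buffer. Returns whether the app's byte is tainted. */
bool keystroke_taint_reaches_app(bool enable_pointer_tainting) {
    memset(mem, 0, sizeof mem);
    memset(taint, 0, sizeof taint);
    pointer_tainting = enable_pointer_tainting;

    /* Constructed layout: scancode at 0, translation table at 16..31,
       converted character at 40, application buffer at 48. */
    enum { SCANCODE = 0, TABLE = 16, UNICODE_CHAR = 40, APP_BUF = 48 };
    for (int i = 0; i < 16; i++)
        mem[TABLE + i] = (uint8_t)('a' + i);
    mem[SCANCODE] = 3;                 /* taint_sendkey: keystroke is tainted */
    taint[SCANCODE] = true;

    load_indexed(UNICODE_CHAR, TABLE, SCANCODE); /* kernel conversion routine */
    mov_byte(APP_BUF, UNICODE_CHAR);             /* delivery to the app's scanf */
    return taint[APP_BUF];                       /* false off, true on */
}
```

With pointer tainting off the application receives the correct character but no taint, which matches a trace with 0 tainted instructions; with it on, the taint survives the lookup and subsequent copies such as the strcpy in func1.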
Hi !
First of all, sorry for this (very) late reply. Thanks for your help @hengyin! However, for the sake of simplicity, as well as compatibility with other tasks I pursue, I will switch to an Ubuntu VM.
Thanks again!