Open CorneliaStreet1 opened 5 months ago
That warning is due to a deficiency in the taint2 plugin, in the taint_mix function when an LLVM shift instruction is encountered where the amount to shift is a variable. There's a long comment there explaining what is going on. It would take code changes to taint2 to fix it, if it is fixable. Maybe in some of the simpler cases something sensible could be done to the controlled bits masks, but I doubt there is a logical thing to do to the controlled bits masks in all cases where the shift amount is a variable whose bits are only PARTIALLY controlled.
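A brute-force model of the "controlled bits" problem described above, added here as an illustration; it is not PANDA's taint2 code, and its simplified definition of the mask (a result bit is controlled if it can be flipped by varying only the controlled input bits, with every other input bit pinned to a concrete value) is an assumption:

```python
# Brute-force model of a "controlled bits" mask, added as an illustration
# (not taint2's algorithm). Assumption: a result bit counts as controlled
# if it can be flipped by varying only the controlled input bits; every
# other input bit is pinned to a concrete value.
# 8-bit value x, 3-bit shift amount n (0..7), as for an LLVM i8 shl.
X_WIDTH, N_WIDTH = 8, 3
X_MASK, N_MASK = (1 << X_WIDTH) - 1, (1 << N_WIDTH) - 1

def shl(x, n):
    return (x << n) & X_MASK

def controlled_bits(op, ctrl_x, fixed_x, ctrl_n, fixed_n):
    """Mask of result bits that take both 0 and 1 while the controlled bits
    of x (ctrl_x) and n (ctrl_n) vary; uncontrolled bits keep the values
    given in fixed_x / fixed_n."""
    ones = zeros = 0
    for x in range(1 << X_WIDTH):
        if (x & ~ctrl_x & X_MASK) != (fixed_x & ~ctrl_x & X_MASK):
            continue
        for n in range(1 << N_WIDTH):
            if (n & ~ctrl_n & N_MASK) != (fixed_n & ~ctrl_n & N_MASK):
                continue
            r = op(x, n)
            ones |= r
            zeros |= ~r & X_MASK
    return ones & zeros

def shift_cases():
    """Shift cases for an x whose low nibble (0x0F) is controlled."""
    return {
        # constant n = 2: the mask simply shifts, 0x0F << 2 == 0x3C
        "constant_amount": controlled_bits(shl, 0x0F, 0x00, 0b000, 2),
        # n fully controlled: every result bit is reachable, 0xFF
        "fully_controlled_amount": controlled_bits(shl, 0x0F, 0x00, 0b111, 0),
        # only bit 0 of n controlled: the mask depends on the concrete
        # value of n's uncontrolled bits, so no single mask is right
        "partial_amount_high_bits_0": controlled_bits(shl, 0x0F, 0x00, 0b001, 0b000),
        "partial_amount_high_bits_6": controlled_bits(shl, 0x0F, 0x00, 0b001, 0b110),
    }

if __name__ == "__main__":
    for name, mask in shift_cases().items():
        print(f"{name}: 0x{mask:02x}")
```

The last two cases give 0x1F and 0xC0 for the same taint on x and n, which is why a static propagation rule for a partially controlled shift amount has no single correct answer.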
I fixed the taint.py in example/taint2, however I got the warning and I don't know how to fix it. I am running panda in a VirtualBox virtual machine, Ubuntu 22.04. Is there any way to fix this problem?
Here is my code:
```python
from pandare import Panda

panda = Panda(generic='x86_64')

@panda.queue_blocking
def driver():
    panda.revert_sync('root')
    print(panda.run_serial_cmd("grep root /etc/passwd"))
    panda.end_analysis()

@panda.cb_after_machine_init
def setup(cpu):
    print("===>taint enabled<===")
    # Enable tainting
    # require() was deprecated, so the plugins are loaded with load_plugin()
    panda.load_plugin("osi")
    panda.load_plugin("osi_linux")
    panda.load_plugin("taint2")

def fd_to_fname(cpu, fd):
    # Resolve a file descriptor of the current process to its path (bytes)
    proc = panda.plugins['osi'].get_current_process(cpu)
    if proc == panda.ffi.NULL:
        return b"error"
    fname_ptr = panda.plugins['osi_linux'].osi_linux_fd_to_filename(cpu, proc, fd)
    # Return bytes in both branches so the caller can always .decode()
    return panda.ffi.string(fname_ptr) if fname_ptr != panda.ffi.NULL else b"error"

@panda.ppp("syscalls2", "on_sys_read_return")
def read(cpu, tb, fd, buf, cnt):
    fname = fd_to_fname(cpu, fd)
    fnamestr = fname.decode('utf-8', 'ignore')
    print(f"read {fnamestr}")
    if fnamestr == "/etc/passwd":
        # Give every byte of the read buffer its own taint label
        label = 1
        for idx in range(cnt):
            # taint_label_ram takes a physical address, so translate first
            panda.taint_label_ram(panda.virt_to_phys(cpu, buf + idx), label)
            label = label + 1

# Registered as a taint2 callback only; queueing it with queue_blocking as
# well would call it with no arguments in the blocking thread
@panda.ppp("taint2", "on_branch2")
def something(addr, size, from_helper, tainted):
    print("Tainted branch")

panda.run()
```