How to use command "taint_file" in Temu?


fisher_jiang

Oct 27, 2009, 4:03:58 AM
to BitBlaze User Discussion group
Dear all:
I'm confused about how to set the parameters of "taint_file" in TEMU.
"taint_file" calls the function
"do_taint_file(char *filename, int dev_index, uint32_t taint_id)". My
test case is c:\img1.jpg; how do I set the parameters "dev_index" and
"taint_id"?

Looking forward to your reply
Thanks

Chris

Oct 27, 2009, 10:04:11 AM
to BitBlaze User Discussion group
Where did you get TEMU from?

Heng Yin

Oct 27, 2009, 8:26:34 PM
to BitBlaze User Discussion group
This function is a bit tricky to use. Here dev_index is an index to
the virtual disk array. So 0 means the first disk and 1 means the
second. If each disk has one partition, then disk 0 is c: and disk 1
is d:. taint_id is an ID to uniquely identify a taint source. You can
assign any number to it.

If you want to taint "c:\img1.jpg", you can do:
do_taint_file("/img1.jpg", 0, 100);

Another tricky thing is due to the disk cache. If you want to taint a
small file in Windows c:\, quite often this small file is already
cached into memory when Windows reads the data from the disk
nearby. As a result, even though the file has been tainted on disk,
when you read this file thereafter, you won't see tainted data,
because the cached data is fetched. The best practice is to put this
file on the second disk, to avoid this file being pre-fetched into
memory.

Heng

Stephen McCamant

Oct 27, 2009, 9:53:34 PM
to bitblaz...@googlegroups.com
CJ> On Oct 27, 8:03 am, fisher_jiang <mingjiang...@gmail.com> wrote:
JM> Dear all:
JM> I'm confused about how to set parameters of "taint_file" in
JM> temu,

>>>>> "CJ" == Chris <cjames...@googlemail.com> writes:
CJ> Where did you get TEMU from?

Sorry for the confusion; I believe Jiang is with a group of
collaborating researchers who are using an older but non-public
version of TEMU. The public release of TEMU isn't available yet, but
we're putting on the final touches, and if you stay subscribed here
you'll be sure to hear once we put it out.

Thanks for your patience,

-- Stephen

fisher_jiang

Oct 28, 2009, 1:32:35 AM
to BitBlaze User Discussion group
Thanks for Professor Heng Yin's and Stephen's help.
I'm working for Professor Debin Gao and we are really using an older
TEMU version.
I'm also looking forward to the new TEMU release and more detailed
documents.

On Oct 28, 9:53 am, Stephen McCamant <s...@CS.Berkeley.EDU> wrote:
> CJ> On Oct 27, 8:03 am, fisher_jiang <mingjiang...@gmail.com> wrote:
> JM> Dear all:
> JM> I'm confused about how to set parameters of "taint_file" in
> JM> temu,
>

fisher_jiang

Nov 15, 2009, 10:50:39 AM
to BitBlaze User Discussion group
Now I have two partitions in my guest OS and I put the test file on the D disk
(D:\img.jpg). The
problem is that when using the command "do_taint_file("/img.jpg", 1, 1001);",
it returns "Could not find disk_info":

(qemu) taint_file "/img.jpg" 1 1001
Tainting disk 1 file /img.jpg
Could not find disk_info

If I put img.jpg in C:\, Temu can identify it:

(qemu) taint_file "/img.jpg" 0 1001
Tainting disk 0 file /img.jpg
Tainted file /img.jpg
93ddc:4096[1001] 93ddd:4096[1001] 93dde:4096[1001] 93ddf:4096[1001]
93de0:4096[1001] 93de1:4096[1001] 93de2:4096[1001] 93de3:4092[1001]

But due to the disk cache, TEMU doesn't record any taint data.
I know TEMU integrated a disk forensic tool called "The Sleuth Kit"
for gathering filesystem information and identifying all data blocks that
belong to the tainted file. But I'm still a little confused. Did I miss
something?
Thanks for any guidance you can provide.
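As an added example (not from the original thread or from TEMU itself), the short Python script below parses the block summary that taint_file prints, like the disk 0 output quoted above, and checks whether the tainted blocks add up to the file size, are contiguous and all carry the requested taint id. It assumes each entry "93ddc:4096[1001]" means block number (hex), bytes tainted in that block, and taint id; that reading of the fields is an assumption, as is the 32764-byte file size used in the check.

```python
import re
from typing import List, NamedTuple

# Constructed sample input: the monitor output quoted in the post above
# (disk 0, taint id 1001) and the failing disk-1 attempt, for contrast.
OK_OUTPUT = """(qemu) taint_file "/img.jpg" 0 1001
Tainting disk 0 file /img.jpg
Tainted file /img.jpg
93ddc:4096[1001] 93ddd:4096[1001] 93dde:4096[1001] 93ddf:4096[1001]
93de0:4096[1001] 93de1:4096[1001] 93de2:4096[1001] 93de3:4092[1001]
"""
FAIL_OUTPUT = """(qemu) taint_file "/img.jpg" 1 1001
Tainting disk 1 file /img.jpg
Could not find disk_info
"""

class TaintedBlock(NamedTuple):
    block: int      # block number, printed in hex (assumed field meaning)
    nbytes: int     # bytes tainted inside that block (assumed field meaning)
    taint_id: int   # taint source id that was passed to taint_file

# One entry in the summary looks like 93ddc:4096[1001]
ENTRY_RE = re.compile(r"\b([0-9a-f]+):(\d+)\[(\d+)\]")

def parse_taint_output(text: str) -> List[TaintedBlock]:
    """Extract every block entry from the monitor output; empty if none."""
    return [TaintedBlock(int(b, 16), int(n), int(t))
            for b, n, t in ENTRY_RE.findall(text)]

def check_taint(text: str, taint_id: int, file_size: int) -> dict:
    """Sanity-check that taint_file covered the whole file with one taint id."""
    blocks = parse_taint_output(text)
    total = sum(b.nbytes for b in blocks)
    contiguous = all(blocks[i].block + 1 == blocks[i + 1].block
                     for i in range(len(blocks) - 1))
    return {
        "found": "Tainted file" in text and bool(blocks),
        "blocks": len(blocks),
        "tainted_bytes": total,
        "covers_file": total == file_size,   # every byte of the file tainted?
        "contiguous": contiguous,            # no gaps between the blocks?
        "single_id": all(b.taint_id == taint_id for b in blocks),
    }

if __name__ == "__main__":
    # img.jpg is assumed to be 32764 bytes, the size the 8 entries add up to
    print(check_taint(OK_OUTPUT, 1001, 32764))
    print(check_taint(FAIL_OUTPUT, 1001, 32764))
```

A shortfall in "tainted_bytes" or a gap in the block list would point to blocks the filesystem walk missed, whereas the disk-cache problem described earlier shows up later as tainted blocks that are never read.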

Heng Yin

Nov 16, 2009, 12:01:15 PM
to BitBlaze User Discussion group
It seems to me that your D disk is not on the second hard disk. You
just partitioned your only hard disk into C and D. We do not support
this case for now.

Heng