Hi,
I wrote a very simple file to test tainting. The source code is below; it just reads a file and overflows the stack to trigger a crash.
/* Guest program: reads input.txt into an 8-byte stack buffer with a 20-byte limit, so a long line overflows the stack. */
#include <stdio.h>

int main(int argc, char **argv)
{
#ifdef DETECT_COND_TAINTEIP
    /* detectioncond / DETECT_COND_TAINTEIP are TEMU tracecap symbols; this block only compiles when that header is included. */
    if (!(detectioncond & DETECT_COND_TAINTEIP))
    {
        printf("hello\n");
    }
#endif
    char aaaa[8];
    FILE *handle;
    handle = fopen("input.txt", "r");
    if (handle != NULL)
    {
        /* Deliberate: up to 20 bytes read into an 8-byte buffer to trigger the crash. */
        fgets(aaaa, 20, handle);
        fclose(handle);
    }
    return 0;
}
After building it, I put the sample and input.txt into QEMU and ran the commands:
load_plugin tracecap/tracecap.so
enable_emulation
tracebyname taint_analysis_file.exe "/tmp/taint1.trace"
taint_file input.txt 0 1111
...
execute taint_analysis_file.exe in QEMU; the sample crashes due to the overflow
...
trace_stop
Number of instructions decoded: 10244944
Number of operands decoded: 23090406
Number of instructions written to trace: 0
Number of tainted instructions written to trace: 0
Processing time: 37.272 U: 37.152 S: 0.12
Generating file: /tmp/taint1.trace.functions
Could anybody help explain why the number of tainted instructions is 0? Is anything wrong with how I am using TEMU to taint the file?
Great thanks!
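The posted program overflows because fgets() is told the buffer holds 20 bytes when it holds 8. The following is an added example, not the poster's code or part of TEMU: it reads the same kind of line from an in-memory stand-in for input.txt (a constructed 28-character sample, assumed here) while passing the real buffer size, and a second helper computes whether the posted call would write past its buffer for a given input length.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Constructed sample input, longer than the 8-byte stack buffer in the post. */
static const char SAMPLE_INPUT[] = "1111111111111111111111111111\n";

/* Reads one line from `data` (an in-memory stand-in for input.txt) into `out`,
 * never writing more than `outsz` bytes. Returns the number of characters
 * stored, or -1 on error. Mirrors the post's fgets() call but passes the
 * real buffer size instead of the hard-coded 20. */
int read_line_bounded(const char *data, size_t datalen, char *out, size_t outsz)
{
    if (outsz == 0)
        return -1;
    FILE *fh = fmemopen((void *)data, datalen, "r"); /* "r": buffer is never written */
    if (fh == NULL)
        return -1;
    if (fgets(out, (int)outsz, fh) == NULL) {
        fclose(fh);
        return -1;
    }
    fclose(fh);
    return (int)strlen(out);
}

/* Returns 1 if the posted fgets(aaaa, 20, handle) would write past its
 * 8-byte buffer for an input line of `input_len` characters: fgets stores
 * up to n-1 characters plus the terminating NUL. */
int overflows_posted_buffer(size_t input_len)
{
    size_t bufsz = 8;   /* char aaaa[8] in the post */
    size_t n = 20;      /* the size argument passed to fgets in the post */
    size_t stored = (input_len < n - 1 ? input_len : n - 1) + 1; /* + NUL */
    return stored > bufsz;
}

int main(void)
{
    char buf[8];
    int got = read_line_bounded(SAMPLE_INPUT, sizeof SAMPLE_INPUT - 1, buf, sizeof buf);
    printf("stored %d chars: \"%s\"\n", got, buf);
    printf("posted program overflows for this input: %d\n",
           overflows_posted_buffer(sizeof SAMPLE_INPUT - 1));
    return 0;
}
```

With the real size passed, fgets() stores at most 7 characters plus the NUL and the rest of the line stays in the stream; the hard-coded 20 in the post is what lets the tainted bytes reach the saved return address and produce the crash.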