[DECAF] Taints does not propagate(Losing taints?) when using taintcheck_taint_virtmem?

[M Chen]

Hi all,

There is a new function in DECAF1.9, taintcheck_taint_virtmem, which enable to introduce taints given start virtual addr and size. I tried to use this function to taint a memory range, and see how taints propagates. 

However, based on the test result, the taints either get lost or doesn't propagate, I'm not sure where I might did wrong. My test is as follow:

1. To be able to use the taintcheck_taint_virtmem more convenient, I develop a command of it, which could be called at run time.

    The cmd:

        {

         .name       = "taint_vir_mem",

         .args_type  = "addr:l,val:l",

         .params     = "addr val",

         .help       = "Taint virtual mem addr via start addr & size",

         .mhandler.cmd = do_taint_vir_mem,

        }

    The corresponding function:

        int do_taint_vir_mem(Monitor *mon, const QDict *qdict,

QObject **ret_data) {

         target_long gva_taint = qdict_get_int(qdict, "addr");

         uint32_t size = qdict_get_int(qdict, "val");

         uint8_t taint_ary[size];

         int i;

         if (!taint_tracking_enabled) {

         monitor_printf(default_mon, "Ignored, taint tracking is disabled\n");

         return 0;

         } else {

         for (i = 0; i < size; i++) {

         taint_ary[i] = 0xff;

         }

         DECAF_stop_vm();

         taintcheck_taint_virtmem(gva_taint, size, taint_ary);

         DECAF_start_vm();

         }

         return 0;

        }

    The idea is straightforward, the cmd will accept virtual addr and size as parameters and pass to the function, which creates uint8_t array based 

    on the size and filled with value 0xff (tainted). Then it calls the function taintcheck_taint_virtmem.

2. The test program

        void main(void) {

            char buf1[4] = "abc";

            char buf2[4];

            strcpy(buf2, buf1);

            printf("buf2: %s\n", buf2);

        }

    The idea is that I will taint the buf1 via the cmd above, and after the strcpy, buf2 should be tainted too.

3. The Test Procedure

        a. Test Environment

            - DECAF1.9

            - Guest OS: ubuntu 10.04 server i386 (Disabled ASLR)

            - Host OS: ubuntu 10.04 desktop i386

        b. Test Step

            1) Start the program above via gdb, set bp to main, but haven't run the it yet

            2) Use the cmd above with vaddr as start address of buf1, and set size 0x4 to taint the buf1

                via cmd tainted_bytes shows as below, which indicates the tainting successes. 

                    (qemu) tainted_bytes 

                    Tainted memory: 4 bytes

            3) run the program, however after this, the tainted_bytes becomes 0 (losing taints?)

                    (qemu) tainted_bytes 

                    Tainted memory: 0 bytes

            4) so I tried to taint buf1 again with the same cmd, the tainted_byte shows:

                    (qemu) tainted_bytes 

                    Tainted memory: 4 bytes

            5) continue run the program step by step, after strcpy is executed; at this point, I expect to see buf2 is tainted too, so the tainted bytes 

                should becomes 8 bytes. However, the tainted_bytes is still:

                    (qemu) tainted_bytes 

                    Tainted memory: 4 bytes

                So I guess the taints does not propagate?

To make a comparison, I modified the code above to accept input from stdin, and introduced taints via tainted keystroke, with the same procedure, I observed that taints got propagating as expected. 

So I wonder where I might did incorrect, if anyone could help? Thank you!

Best,

MChen

[yanjun...@gmail.com]

Hi Michael, 

did you solve that problem?

I have the same problem...

Hope you can tell me.

Thank you!

Best regards,

Yanjun

在 2015年1月22日星期四 UTC-5下午12:11:26，M Chen写道：

[M Chen]

Not yet. 

I found it works when target memory size is relatively small, but still having issues for larger buffers. There maybe bugs in the code I show.

Currently I'm not using this plugin. 

Thanks,

Michael

[Yanjun Lin]

Dear Michael:

Thank u so much for replying.

Can I ask did u implement mem taint propagation on Linux machine or windows machine?

Because i saw your another post that you didn't enable mem taint on Linux but successfully did it in window machine. 

Thank you.

Best regards,

Yanjun

Sent from my iPhone

--
You received this message because you are subscribed to a topic in the Google Groups "decaf-platform-discuss" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/decaf-platform-discuss/5k7bL8SZ0LE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to decaf-platform-di...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[M Chen]

The illustration code simply calls the tainting memory api provided by Decaf, so it doesn't matter if it's linux or windows. 

I've tried it on both. 

Regards,

Michael

To unsubscribe from this group and all its topics, send an email to decaf-platform-discuss+unsub...@googlegroups.com.