taintcheck_taint_disk/taintcheck_disk_check does not get called in file operations via DMA in Qemu?


M Chen

Sep 18, 2017, 4:25:37 PM9/18/17
to decaf-platform-discuss
Hello, 

Thanks for your great work building DECAF and for your time answering questions. I've been trying to figure out how to use DECAF to do disk tainting, but I have some questions about it.

I understand that 
    - taintcheck_taint_disk() is used to taint disk when writing a file to disk
    - taintcheck_disk_check() is to check disk taint when reading a file from disk

Further, both taintcheck_taint_disk/taintcheck_disk_check are called in both PIO and DMA in Qemu, such that:
    - taintcheck_taint_disk() called by:
        - taintcheck_chk_hdout() - file write via PIO
        - taintcheck_chk_hdwrite() - file write via DMA, further called by
            - bmdma_rw_buf()

    - taintcheck_disk_check() called by:
        - taintcheck_chk_hdin() - file read via PIO
        - taintcheck_chk_hdread() - file read via DMA, further called by
            - bmdma_rw_buf()

I want to verify whether taintcheck_disk_check() gets called during file opening via DMA, so I did a simple test:
    1. gdb loads DECAF, and sets a breakpoint in bmdma_rw_buf()
    2. run an Ubuntu guest OS
    3. after login, I read a pre-made test file from disk

Since I know the test file will be opened via DMA as ground truth, I expect that while reading the test file, the breakpoint on bmdma_rw_buf() will be hit, and then I can step further into taintcheck_chk_hdread() and taintcheck_disk_check().

However, during the whole test, the breakpoint on bmdma_rw_buf() was never hit, so taintcheck_chk_hdread() and taintcheck_disk_check() didn't get called either.

To make sure it is not a Linux guest OS issue, I switched to WinXP as the guest OS and repeated the test, but the result was the same.

It confuses me in the sense that even though file operations are done via DMA, the function bmdma_rw_buf() does not get called, so the taintcheck_chk_hdread() instrumentation inside it doesn't get called either. This seems to mean the disk tainting for DMA does not function properly in the test.

I'm not sure whether I did something wrong or there is some other reason?

Thanks,
Michael Chen
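The post lays out two I/O paths (PIO and bus-master DMA) that each need a taint hook on write (taint disk) and on read (check disk), and asks what happens when the DMA hook does not fire. The following Python model, added here as an illustration and not code from DECAF or QEMU, reproduces that structure with invented names (Memory, Disk, pio_transfer, dma_transfer, roundtrip): it carries per-byte taint from memory to disk on a write and back on a read, and shows that taint written through a hooked path survives a round trip while taint pushed through an unhooked DMA path is silently lost.

```python
import functools

SECTOR = 512  # bytes per sector (constructed for this model)


class Memory:
    """Guest physical memory with a per-byte taint set (invented for this example)."""
    def __init__(self, size=4096):
        self.data = bytearray(size)
        self.taint = set()  # tainted byte addresses


class Disk:
    """Disk image with a per-byte taint set, a toy stand-in for a disk taint map."""
    def __init__(self, sectors=64):
        self.image = bytearray(sectors * SECTOR)
        self.taint = set()  # tainted byte offsets within the image


def taint_disk(disk, disk_off, mem, mem_addr, n):
    """Analogue of taintcheck_taint_disk(): on a write, carry memory taint onto disk bytes."""
    for i in range(n):
        if mem_addr + i in mem.taint:
            disk.taint.add(disk_off + i)
        else:
            disk.taint.discard(disk_off + i)


def disk_check(disk, disk_off, mem, mem_addr, n):
    """Analogue of taintcheck_disk_check(): on a read, carry disk taint back onto memory."""
    for i in range(n):
        if disk_off + i in disk.taint:
            mem.taint.add(mem_addr + i)
        else:
            mem.taint.discard(mem_addr + i)


def pio_transfer(disk, mem, sector, mem_addr, is_write):
    """PIO path: one sector per call, and the taint hook always runs
    (standing in for the taintcheck_chk_hdout / taintcheck_chk_hdin pair)."""
    off = sector * SECTOR
    if is_write:
        disk.image[off:off + SECTOR] = mem.data[mem_addr:mem_addr + SECTOR]
        taint_disk(disk, off, mem, mem_addr, SECTOR)
    else:
        mem.data[mem_addr:mem_addr + SECTOR] = disk.image[off:off + SECTOR]
        disk_check(disk, off, mem, mem_addr, SECTOR)


def dma_transfer(disk, mem, sector, mem_addr, is_write, hooked=True):
    """Bus-master DMA path (standing in for bmdma_rw_buf). `hooked` models whether
    the taint hook on this path actually runs; if it does not, data still moves
    but taint is dropped, which is the failure mode the post is worried about."""
    off = sector * SECTOR
    if is_write:
        disk.image[off:off + SECTOR] = mem.data[mem_addr:mem_addr + SECTOR]
        if hooked:
            taint_disk(disk, off, mem, mem_addr, SECTOR)
    else:
        mem.data[mem_addr:mem_addr + SECTOR] = disk.image[off:off + SECTOR]
        if hooked:
            disk_check(disk, off, mem, mem_addr, SECTOR)


def tainted_sectors(disk):
    """Return the set of sector numbers that hold at least one tainted byte."""
    return {off // SECTOR for off in disk.taint}


def roundtrip(path, hooked=True):
    """Write a buffer whose bytes 16..31 are tainted, read it back to a different
    address through the same path, and return the tainted offsets (relative to the
    destination buffer) observed after the read."""
    disk, mem = Disk(), Memory()
    src, dst, sector = 0, 1024, 7
    mem.data[src:src + SECTOR] = b"A" * SECTOR
    mem.taint.update(range(src + 16, src + 32))  # constructed: 16 tainted bytes
    if path == "pio":
        xfer = pio_transfer
    else:
        xfer = functools.partial(dma_transfer, hooked=hooked)
    xfer(disk, mem, sector, src, True)   # file write
    xfer(disk, mem, sector, dst, False)  # file read
    return {a - dst for a in mem.taint if dst <= a < dst + SECTOR}


if __name__ == "__main__":
    print("pio          :", sorted(roundtrip("pio")))
    print("dma (hooked) :", sorted(roundtrip("dma", hooked=True)))
    print("dma (unhooked):", sorted(roundtrip("dma", hooked=False)))
```

The model makes the debugging question concrete: if the guest's disk traffic takes a path on which the hook never runs, the disk taint map stays empty for those sectors and a later read returns clean memory, so the loss is invisible unless you check the taint state after the round trip rather than only watching for the breakpoint.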