

Update pri_taint hypercall for LAVA
AndrewQuijano committed Feb 21, 2025
1 parent 7cf4a51 commit ecced8c
Showing 3 changed files with 58 additions and 61 deletions.
4 changes: 2 additions & 2 deletions panda/plugins/hypercaller/README.md
Expand Up @@ -64,7 +64,7 @@ It's much easier to handle this from Python, but here's an example of how you mi
#include <panda/plugin.h>
#include <hypercaller/hypercaller.h>

hypercall_t* register_hypercall;
register_hypercall_t register_hypercall;

void my_hypercall(CPUState *cpu) {
printf("Hello from my hypercall!\n");
Expand All @@ -76,7 +76,7 @@ bool init_plugin(void *self) {
panda_require("hypercaller");
hypercaller = panda_get_plugin_by_name("hypercaller");
}
register_hypercall = (hypercall_t*)dlsym(hypercaller, "register_hypercall");
register_hypercall_t register_hypercall = (register_hypercall_t) dlsym(hypercaller, "register_hypercall");
register_hypercall(0x12345678, my_hypercall);
return true;
}
1 change: 1 addition & 0 deletions panda/plugins/hypercaller/hypercaller.h
Expand Up @@ -6,6 +6,7 @@
// files in this directory that contain subsections like this one.

typedef void (*hypercall_t)(CPUState *cpu);
typedef void (*register_hypercall_t)(uint32_t, hypercall_t);
void register_hypercall(uint32_t magic, hypercall_t);
void unregister_hypercall(uint32_t magic);

114 changes: 55 additions & 59 deletions panda/plugins/pri_taint/pri_taint.cpp
Expand Up @@ -6,6 +6,7 @@

#include "panda/plugin.h"
#include "panda/plugin_plugin.h"
#include <hypercaller/hypercaller.h>

// taint
#include "taint2/label_set.h"
Expand Down Expand Up @@ -37,10 +38,11 @@ extern "C" {
bool init_plugin(void *);
void uninit_plugin(void *);

int get_loglevel() ;
int get_loglevel();
void set_loglevel(int new_loglevel);
}

#define LAVA_MAGIC 0xabcd
const char *global_src_filename = NULL;
uint64_t global_src_linenum;
unsigned global_ast_loc_id;
Expand Down Expand Up @@ -308,6 +310,8 @@ void pfun(void *var_ty_void, const char *var_nm, LocType loc_t, target_ulong loc
}
// free(si);
}
#endif

/*
void on_line_change(CPUState *cpu, target_ulong pc, const char *file_Name, const char *funct_name, unsigned long long lno){
if (taint2_enabled()){
Expand All @@ -334,63 +338,69 @@ void hypercall_log_trace(unsigned ast_loc_id) {
*/
#ifdef TARGET_I386
// Support all features of label and query program
bool i386_hypercall_callback(CPUState *cpu) {
void i386_hypercall_callback(CPUState *cpu) {
if (debug) {
printf("[pri_taint] Calling i386 hypercall callback!\n");
}
bool ret = false;
CPUArchState *env = (CPUArchState*)cpu->env_ptr;
CPUArchState *env = (CPUArchState*) cpu->env_ptr;
if (taint2_enabled()) {
// LAVA Hypercall
target_ulong addr = panda_virt_to_phys(cpu, env->regs[R_EAX]);
if ((int)addr == -1) {
printf ("[pri_taint] panda hypercall with ptr to invalid PandaHypercallStruct: vaddr=0x%x paddr=0x%x\n",
(uint32_t) env->regs[R_EAX], (uint32_t) addr);
#ifdef TARGET_X86_64
target_ulong addr = panda_virt_to_phys(cpu, env->regs[R_EDI]);
#else
target_ulong addr = panda_virt_to_phys(cpu, env->regs[R_EBX]);
#endif

if ((int) addr == -1) {
#ifdef TARGET_X86_64
printf ("[pri_taint] panda hypercall with ptr to invalid PandaHypercallStruct: vaddr=0x%x paddr=0x%x\n",
(uint32_t) env->regs[R_EDI], (uint32_t) addr);
#else
printf ("[pri_taint] panda hypercall with ptr to invalid PandaHypercallStruct: vaddr=0x%x paddr=0x%x\n",
(uint32_t) env->regs[R_EBX], (uint32_t) addr);
#endif
}
else if (pandalog) {
if (debug) {
printf("[pri_taint] Hypercall is OK and Panda Log is set\n");
}
PandaHypercallStruct phs;
panda_virtual_memory_read(cpu, env->regs[R_EAX], (uint8_t *) &phs, sizeof(phs));
#ifdef TARGET_X86_64
panda_virtual_memory_read(cpu, env->regs[R_EDI], (uint8_t *) &phs, sizeof(phs));
#else
panda_virtual_memory_read(cpu, env->regs[R_EBX], (uint8_t *) &phs, sizeof(phs));
#endif

// To be used for chaff bugs?
uint64_t funcaddr = 0;
panda_virtual_memory_read(cpu, phs.info, (uint8_t*)&funcaddr, sizeof(target_ulong));

if (phs.magic == 0xabcd) {
// if the phs action is a pri_query point, see
// lava/include/pirate_mark_lava.h
if (phs.action == 13) {
target_ulong pc = panda_current_pc(cpu);
SrcInfo info;
int rc = pri_get_pc_source_info(cpu, pc, &info);
if (!rc) {
struct args args = {cpu, info.filename, info.line_number, phs.src_filename, funcaddr};
dprintf("[pri_taint] panda hypercall: [%s], "
"ln: %4ld, pc @ 0x" TARGET_FMT_lx "\n",
info.filename,
info.line_number,pc);
pri_funct_livevar_iter(cpu, pc, (liveVarCB) pfun, (void *)&args);
//lava_attack_point(phs);
}
else {
if (debug) {
printf("[pri_taint] pri_get_pc_src_info has failed: %d != 0.\n", rc);
}
}
ret = true;
// hypercall_log_trace(phs.src_filename);
// if the phs action is a pri_query point, see
// lava/include/pirate_mark_lava.h
if (phs.action == 13) {
target_ulong pc = panda_current_pc(cpu);
SrcInfo info;
int rc = pri_get_pc_source_info(cpu, pc, &info);
if (!rc) {
struct args args = {cpu, info.filename, info.line_number, phs.src_filename, funcaddr};
dprintf("[pri_taint] panda hypercall: [%s], "
"ln: %4ld, pc @ 0x" TARGET_FMT_lx "\n",
info.filename,
info.line_number,pc);
pri_funct_livevar_iter(cpu, pc, (liveVarCB) pfun, (void *)&args);
}
else {
if (debug) {
printf("[pri_taint] Invalid action value in PHS struct: %d != 13.\n", phs.action);
}
printf("[pri_taint] pri_get_pc_src_info has failed: %d != 0.\n", rc);
}
}
// hypercall_log_trace(phs.src_filename);
}
else {
printf("[pri_taint] Invalid magic value in PHS struct: %x != 0xabcd.\n", phs.magic);
}
if (debug) {
printf("[pri_taint] Invalid action value in PHS struct: %d != 13.\n", phs.action);
}
}
}
else {
if (debug) {
Expand All @@ -403,24 +413,9 @@ bool i386_hypercall_callback(CPUState *cpu) {
printf("[pri_taint] taint2 is not enabled (hypercall)\n");
}
}
return ret;
}
#endif // TARGET_I386


bool guest_hypercall_callback(CPUState *cpu) {
#ifdef TARGET_I386
return i386_hypercall_callback(cpu);
#endif

#ifdef TARGET_ARM
// not implemented for now
//arm_hypercall_callback(cpu);
#endif

return false;
}
#endif
/*
void on_taint_change(Addr a, uint64_t size){
uint32_t num_tainted = 0;
Expand Down Expand Up @@ -448,26 +443,27 @@ bool init_plugin(void *self) {
panda_require("taint2");
assert(init_taint2_api());

panda_cb pcb;
pcb.guest_hypercall = guest_hypercall_callback;
panda_register_callback(self, PANDA_CB_GUEST_HYPERCALL, pcb);
printf("[pri_taint] This plugin is activated!\n");

// If taint isn't already enabled, turn it on.
if (!taint2_enabled()) {
printf("[pri_taint] enabling taint now!\n");
taint2_enable_taint();
}

panda_require("hypercaller");
void * hypercaller = panda_get_plugin_by_name("hypercaller");
register_hypercall_t register_hypercall = (register_hypercall_t) dlsym(hypercaller, "register_hypercall");
register_hypercall(LAVA_MAGIC, i386_hypercall_callback);

printf("[pri_taint] This plugin is activated!\n");
return true;
#else
printf("[pri_taint] This plugin is only supported on x86\n");
return false;
//taint2_track_taint_state();
#endif
}



void uninit_plugin(void *self) {
unregister_hypercall(LAVA_MAGIC);
printf("[pri_taint] Unloading plugin\n");
}
