[Scripts] Using PyPanda, so no QCow needed, also switching to 64-bits

panda-re · Dec 19, 2024 · 3c771b5 · 3c771b5
1 parent fcd6f32
commit 3c771b5
Show file tree

Hide file tree

Showing 10 changed files with 41 additions and 63 deletions.
diff --git a/init-host.py b/init-host.py
@@ -79,7 +79,7 @@ def main():
         progress("Building host.json")
         # Build host.json
         json_configs = {}
-        json_configs["qemu"] = "panda-system-i386"
+        json_configs["qemu"] = "panda-system-x86_64"
         json_configs["qcow_dir"] = LAVA_DIR
         json_configs["output_dir"] = join(LAVA_DIR, "target_injections")
         json_configs["config_dir"] = join(LAVA_DIR, "target_configs")

diff --git a/install.sh b/install.sh
@@ -26,9 +26,13 @@ progress "Updates complete"
 # So take our major version, find the first match in dependencies directory and run with it.
 # This will give us "./panda/dependencies/ubuntu:20.04" where ubuntu:20.04_build.txt or 20.04_base.txt exists
 version=$(lsb_release -r | awk '{print $2}' | awk -F'.' '{print $1}')
+ubuntu_version=$(lsb_release -r | awk '{print $2}')
+PANDA_VERSION="v1.8.45"
+
 # shellcheck disable=SC2086
 dep_base=$(find ./dependencies/ubuntu_${version}.* -print -quit | sed  -e "s/_build\.txt\|_base\.txt//")
 
+$SUDO apt-get -qq update
 if [ -e "${dep_base}"_build.txt ] || [ -e "${dep_base}"_base.txt ]; then
   echo "Found dependency file(s) at ${dep_base}*.txt"
   # shellcheck disable=SC2046
@@ -39,9 +43,8 @@ else
   exit 1
 fi
 
-curl -LJO https://github.com/panda-re/panda/releases/download/v1.8.23/pandare_22.04.deb
-mv *.deb /tmp
-$SUDO apt-get -y install /tmp/pandare_22.04.deb
+curl -LJ -o /tmp/pandare_${ubuntu_version}.deb https://github.com/panda-re/panda/releases/download/${PANDA_VERSION}/pandare_${ubuntu_version}.deb
+$SUDO apt-get -y install /tmp/pandare_${ubuntu_version}.deb
 rm /tmp/*.deb
 
 progress "Installed build dependencies"

diff --git a/requirements.txt b/requirements.txt
@@ -3,7 +3,7 @@ db
 ipython
 lockfile
 numpy
-pandare
+pandare>=1.8.39
 PyYAML
 SQLAlchemy
-tabulate
+tabulate
diff --git a/scripts/add_queries.sh b/scripts/add_queries.sh
@@ -35,7 +35,7 @@ USAGE() {
 }
 
 set -e # Exit on error
-set -x # Debug mode
+# set -x # Debug mode
 
 if [ $# -lt 1 ]; then
     USAGE $0
@@ -90,7 +90,7 @@ configure_file=${configure_cmd%% *}
 if [ -e "$configure_file" ]; then
     CC=$llvm/bin/clang \
         CXX=$llvm/bin/clang++ \
-        CFLAGS="-O0 -m32 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/" \
+        CFLAGS="-O0 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/" \
         $configure_cmd --prefix=$(pwd)/lava-install
 fi
 
@@ -107,7 +107,7 @@ for i in "${MAKES[@]}"; do
     echo "$lava/tools/btrace/sw-btrace ${ARGS[@]}"
     CC=$llvm/bin/clang \
         CXX=$llvm/bin/clang++ \
-        CFLAGS="-O0 -m32 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/" \
+        CFLAGS="-O0 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/" \
     "$lava/tools/btrace/sw-btrace" "${ARGS[@]}"
     IFS='&&'
 done

diff --git a/scripts/bug_mining.py b/scripts/bug_mining.py
@@ -171,49 +171,32 @@ def progress(msg):
 dwarfout = subprocess.check_output(dwarf_cmd)
 dwarfdump.parse_dwarfdump(dwarfout, binpath)
 
-# Based on this example:
-# https://github.com/panda-re/panda/blob/dev/panda/python/examples/file_taint/file_taint.py
 panda.set_pandalog(pandalog)
-panda.load_plugin("pri")
+panda.load_plugin("loaded",
+                  args={
+                      'debug': True,
+                  })
 panda.load_plugin("taint2",
                   args={
-                      'no_tp': True
+                      'no_tp': True,
+                      'enable_hypercalls' : False
                   })
 panda.load_plugin("tainted_branch")
-
 panda.load_plugin("dwarf2",
                   args={
                       'proc': proc_name,
                       'g_debugpath': installdir,
-                      'h_debugpath': installdir
+                      'h_debugpath': installdir,
+                      'debug' : True
                   })
-
-if 'use_stdin' in project and project['use_stdin']:
-    print("Using stdin for taint analysis")
-    panda.load_plugin("file_taint",
-                      args={
-                          'filename': input_file_guest,
-                          'pos': True,
-                          'cache_process_details_on_basic_block': True,
-                          'first_instr': 1,
-                          'use_stdin': proc_name,
-                          'verbose': True
-                      })
-else:
-    print("Using open for taint analysis")
-    panda.load_plugin("file_taint",
-                      args={
-                          'filename': input_file_guest,
-                          'pos': True,
-                          'cache_process_details_on_basic_block': True,
-                          'enable_taint_on_open': True,
-                          'verbose': True
-                      })
-
-
+panda.load_plugin("file_taint",
+                    args={
+                        'filename': input_file_guest,
+                        'pos': True,
+                        'verbose': True
+                    })
 panda.load_plugin("pri_taint", args={
-    'hypercall': True,
-    'chaff': False
+    'debug' : True
 })
 
 # Default name is 'recording'
@@ -246,7 +229,7 @@ def progress(msg):
 fbi_args = [join(lavadir, 'tools', 'install', 'bin', 'fbi'), host_json,
             project_name, pandalog_json, input_file_base]
 
-# Command line curtial argument takes priority, otherwise use project specific one
+# Command line curtail argument takes priority, otherwise use project specific one
 # global curtail
 if curtail != 0:
     fbi_args.append(str(curtail))

diff --git a/scripts/lava.py b/scripts/lava.py
@@ -698,7 +698,7 @@ def run(args, **kwargs):
         run(shlex.split(project['configure']) + ['--prefix=' + lp.bugs_install])
         envv = {'CC': '/usr/lib/llvm-11/bin/clang',
                 'CXX': '/usr/lib/llvm-11/bin/clang++',
-                'CFLAGS': '-O0 -m32 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/'}
+                'CFLAGS': '-O0 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/'}
         if project['configure']:
             run_cmd(' '.join(shlex.split(project['configure']) + ['--prefix=' + lp.bugs_install]),
                     envv, 30, cwd=lp.bugs_build, shell=True)
@@ -713,7 +713,7 @@ def run(args, **kwargs):
         # know that it's unsafe.
         envv = {'CC': '/usr/lib/llvm-11/bin/clang',
                 'CXX': '/usr/lib/llvm-11/bin/clang++',
-                'CFLAGS': '-Wno-int-conversion -O0 -m32 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/'}
+                'CFLAGS': '-Wno-int-conversion -O0 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/'}
         if competition:
             envv["CFLAGS"] += " -DLAVA_LOGGING"
         envv = {}
@@ -893,7 +893,7 @@ def modify_source(dirname):
     make_cmd = project["make"]
     envv = {'CC': '/usr/lib/llvm-11/bin/clang',
             'CXX': '/usr/lib/llvm-11/bin/clang++',
-            'CFLAGS': '-Wno-int-conversion -O0 -m32 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/'}
+            'CFLAGS': '-Wno-int-conversion -O0 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/'}
     if competition:
         envv["CFLAGS"] += " -DLAVA_LOGGING"
     (rv, outp) = run_cmd(make_cmd, envv, None, cwd=lp.bugs_build)

diff --git a/scripts/lava.sh b/scripts/lava.sh
@@ -32,7 +32,8 @@
 
 version="2.0.0"
 trap '' PIPE
-set -ex # Exit on error
+set -e # Exit on error
+# set -x # debug mode
 
 USAGE() {
   echo "$0 version $version"
@@ -184,7 +185,7 @@ if [ $make -eq 1 ]; then
     lf="$logs/make.log"
     truncate "$lf"
     # Note, adding the static flag is important. We are running the binaries on a PANDA VM, so we have no idea if it will have any libraries we need.
-    run_remote "$buildhost" "cd \"$sourcedir\" && CC=$llvm/bin/clang CXX=$llvm/bin/clang++ CFLAGS='-O0 -m32 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/ -static' $makecmd" "$lf"
+    run_remote "$buildhost" "cd \"$sourcedir\" && CC=$llvm/bin/clang CXX=$llvm/bin/clang++ CFLAGS='-O0 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/ -static' $makecmd" "$lf"
     run_remote "$buildhost" "cd \"$sourcedir\" && rm -rf lava-install" "$lf"
 
     if [ "$install_simple" == "null" ]; then

diff --git a/scripts/vars.py b/scripts/vars.py
@@ -39,10 +39,6 @@ def validate_project(project):
     assert 'name' in project
     # command line to run the target program (already instrumented with taint and attack queries)
     assert 'command' in project
-    # path to guest qcow
-    assert 'qcow' in project
-    # name of snapshot from which to revert which will be booted & logged in as root
-    assert 'snapshot' in project
     # path to tarfile for target (original source)
     assert 'tarfile' in project
     # namespace in db for prospective bugs
@@ -72,8 +68,8 @@ def parse_vars(host_json, project_name):
         print("Your project config file is missing a required field:\n{}".format(e))
         raise
 
-    for field, prefix in [("tarfile", "tar_dir"), ("qcow", "qcow_dir")]:
-        project[field] = host[prefix] + "/" + project[field]
+    for field, prefix in [("tarfile", "tar_dir")]:
+        project[field] = host[prefix] + os.path.sep + project[field]
 
     for field, suffix in [("db", "db_suffix")]:
         project[field] = project[field] + host[suffix]
@@ -93,9 +89,9 @@ def parse_vars(host_json, project_name):
                                                                name=project["name"], field=project[field]))
 
     project["qemu"] = host["qemu"]
-    project["output_dir"] = host["output_dir"] + "/" + project["name"]
+    project["output_dir"] = host["output_dir"] + os.path.sep + project["name"]
     project["directory"] = host["output_dir"]
-    project["config_dir"] = host["config_dir"] + "/" + project["name"]
+    project["config_dir"] = host["config_dir"] + os.path.sep + project["name"]
 
     # Replace format strings in project configs
     project["install"] = project["install"].format(config_dir=project["config_dir"])

diff --git a/target_configs/file/file.json b/target_configs/file/file.json
@@ -6,9 +6,7 @@
 
     "tarfile": "file-5.22-pre.tar.gz",
 
-    "qcow": "wheezy_panda2.qcow2",
-    "snapshot": "root",
-    "expect_prompt": "root@debian-i386:~#",
+    "expect_prompt": "root@debian-amd64:~#",
 
     "make": "make",
     "clean": "make clean",

diff --git a/target_configs/toy/toy.json b/target_configs/toy/toy.json
@@ -2,11 +2,8 @@
     "name": "toy",
     "db": "toy",
     "preprocessed": true,
-    "dataflow": "true",
 
-    "qcow": "wheezy_panda2.qcow2",
-    "snapshot": "root",
-    "expect_prompt": "root@debian-i386:~#",
+    "expect_prompt": "root@debian-amd64:~#",
 
     "tarfile": "toy-pre.tar.gz",
 
@@ -18,7 +15,7 @@
 
     "main_file": [ "toy.c" ],
 
-    "dataflow": "true",
+    "dataflow": true,
 
     "inputs": [ "inputs/testsmall.bin" ]
 }