diff --git a/init-host.py b/init-host.py index 38630ff9..1441822f 100755 --- a/init-host.py +++ b/init-host.py @@ -79,7 +79,7 @@ def main(): progress("Building host.json") # Build host.json json_configs = {} - json_configs["qemu"] = "panda-system-i386" + json_configs["qemu"] = "panda-system-x86_64" json_configs["qcow_dir"] = LAVA_DIR json_configs["output_dir"] = join(LAVA_DIR, "target_injections") json_configs["config_dir"] = join(LAVA_DIR, "target_configs") diff --git a/install.sh b/install.sh index fafa1c81..72ee0a3c 100755 --- a/install.sh +++ b/install.sh @@ -26,9 +26,13 @@ progress "Updates complete" # So take our major version, find the first match in dependencies directory and run with it. # This will give us "./panda/dependencies/ubuntu:20.04" where ubuntu:20.04_build.txt or 20.04_base.txt exists version=$(lsb_release -r | awk '{print $2}' | awk -F'.' '{print $1}') +ubuntu_version=$(lsb_release -r | awk '{print $2}') +PANDA_VERSION="v1.8.45" + # shellcheck disable=SC2086 dep_base=$(find ./dependencies/ubuntu_${version}.* -print -quit | sed -e "s/_build\.txt\|_base\.txt//") +$SUDO apt-get -qq update if [ -e "${dep_base}"_build.txt ] || [ -e "${dep_base}"_base.txt ]; then echo "Found dependency file(s) at ${dep_base}*.txt" # shellcheck disable=SC2046 @@ -39,9 +43,8 @@ else exit 1 fi -curl -LJO https://github.com/panda-re/panda/releases/download/v1.8.23/pandare_22.04.deb -mv *.deb /tmp -$SUDO apt-get -y install /tmp/pandare_22.04.deb +curl -LJ -o /tmp/pandare_${ubuntu_version}.deb https://github.com/panda-re/panda/releases/download/${PANDA_VERSION}/pandare_${ubuntu_version}.deb +$SUDO apt-get -y install /tmp/pandare_${ubuntu_version}.deb rm /tmp/*.deb progress "Installed build dependencies" diff --git a/requirements.txt b/requirements.txt index d2675377..e614d5e1 100644 --- a/requirements.txt +++ b/requirements.txt @@ -3,7 +3,7 @@ db ipython lockfile numpy -pandare +pandare>=1.8.39 PyYAML SQLAlchemy -tabulate +tabulate \ No newline at end of file 
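Review bot: The `curl -LJ -o /tmp/pandare_${ubuntu_version}.deb …` line fetches a package that the next line installs as root via `$SUDO apt-get -y install`, with no `-f` and no integrity check, so for an Ubuntu release that has no matching asset the HTTP error body is saved as the .deb and the failure only surfaces, confusingly, inside apt. Use `curl -fLJ --retry 3 -o …` so a failed download stops the script (under `set -e`, if the script enables it; the header is outside the hunk), and verify the artifact before installing, e.g. `echo "<EXPECTED_SHA256>  /tmp/pandare_${ubuntu_version}.deb" | sha256sum -c -` with the digest recorded next to `PANDA_VERSION="v1.8.45"`. `rm /tmp/*.deb` also removes any unrelated package another process left in /tmp; `rm -f /tmp/pandare_${ubuntu_version}.deb` deletes only what this script wrote. Finally, this deb is pinned to v1.8.45 while the requirements.txt hunk in the same commit only asks for `pandare>=1.8.39`; pinning both to the same release avoids a mismatch between the Python package and the system install.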
diff --git a/scripts/add_queries.sh b/scripts/add_queries.sh index 6baf7970..3c8f13a2 100755 --- a/scripts/add_queries.sh +++ b/scripts/add_queries.sh @@ -35,7 +35,7 @@ USAGE() { } set -e # Exit on error -set -x # Debug mode +# set -x # Debug mode if [ $# -lt 1 ]; then USAGE $0 @@ -90,7 +90,7 @@ configure_file=${configure_cmd%% *} if [ -e "$configure_file" ]; then CC=$llvm/bin/clang \ CXX=$llvm/bin/clang++ \ - CFLAGS="-O0 -m32 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/" \ + CFLAGS="-O0 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/" \ $configure_cmd --prefix=$(pwd)/lava-install fi @@ -107,7 +107,7 @@ for i in "${MAKES[@]}"; do echo "$lava/tools/btrace/sw-btrace ${ARGS[@]}" CC=$llvm/bin/clang \ CXX=$llvm/bin/clang++ \ - CFLAGS="-O0 -m32 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/" \ + CFLAGS="-O0 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/" \ "$lava/tools/btrace/sw-btrace" "${ARGS[@]}" IFS='&&' done diff --git a/scripts/bug_mining.py b/scripts/bug_mining.py index 3c25ee20..64782612 100644 --- a/scripts/bug_mining.py +++ b/scripts/bug_mining.py 
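Review bot: The CFLAGS literal edited in both hunks of this file (`-O0 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 …`) is the same string this commit also edits by hand in scripts/lava.py (three places) and scripts/lava.sh; defining it once near the top of the script, `LAVA_CFLAGS="-O0 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/"`, and using `CFLAGS="$LAVA_CFLAGS"` at both sites keeps the configure and make steps from drifting apart the next time a flag changes. Dropping `-m32` means targets are now built for the host's native width; since `-fno-stack-protector -D_FORTIFY_SOURCE=0` deliberately switch off compiler hardening (presumably so injected bugs remain triggerable in the built target), a one-line comment above the first use saying so would stop a later reader from "fixing" those flags. Both the configure and the make block continue outside their hunks.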
@@ -171,49 +171,32 @@ def progress(msg): dwarfout = subprocess.check_output(dwarf_cmd) dwarfdump.parse_dwarfdump(dwarfout, binpath) -# Based on this example: -# https://github.com/panda-re/panda/blob/dev/panda/python/examples/file_taint/file_taint.py panda.set_pandalog(pandalog) -panda.load_plugin("pri") +panda.load_plugin("loaded", + args={ + 'debug': True, + }) panda.load_plugin("taint2", args={ - 'no_tp': True + 'no_tp': True, + 'enable_hypercalls' : False }) panda.load_plugin("tainted_branch") - panda.load_plugin("dwarf2", args={ 'proc': proc_name, 'g_debugpath': installdir, - 'h_debugpath': installdir + 'h_debugpath': installdir, + 'debug' : True }) - -if 'use_stdin' in project and project['use_stdin']: - print("Using stdin for taint analysis") - panda.load_plugin("file_taint", - args={ - 'filename': input_file_guest, - 'pos': True, - 'cache_process_details_on_basic_block': True, - 'first_instr': 1, - 'use_stdin': proc_name, - 'verbose': True - }) -else: - print("Using open for taint analysis") - panda.load_plugin("file_taint", - args={ - 'filename': input_file_guest, - 'pos': True, - 'cache_process_details_on_basic_block': True, - 'enable_taint_on_open': True, - 'verbose': True - }) - - +panda.load_plugin("file_taint", + args={ + 'filename': input_file_guest, + 'pos': True, + 'verbose': True + }) panda.load_plugin("pri_taint", args={ - 'hypercall': True, - 'chaff': False + 'debug' : True }) # Default name is 'recording' @@ -246,7 +229,7 @@ def progress(msg): fbi_args = [join(lavadir, 'tools', 'install', 'bin', 'fbi'), host_json, project_name, pandalog_json, input_file_base] -# Command line curtial argument takes priority, otherwise use project specific one +# Command line curtail argument takes priority, otherwise use project specific one # global curtail if curtail != 0: fbi_args.append(str(curtail)) diff --git a/scripts/lava.py b/scripts/lava.py index 44cf6dbd..91fea456 100644 --- a/scripts/lava.py +++ b/scripts/lava.py 
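Review bot: The single `panda.load_plugin("file_taint", …)` call that replaces the `if 'use_stdin' in project and project['use_stdin']` branch means a project config that still sets `use_stdin` is now analyzed through the default path silently; if stdin-fed targets are no longer supported, reject the key where the config is validated or at least warn here, e.g. `if project.get('use_stdin'): print("WARNING: use_stdin is set but no longer honored by bug_mining.py")`. `'debug': True` is now hard-coded for the `loaded`, `dwarf2` and `pri_taint` plugins; unless that output is needed on every run, gating it on a verbosity flag keeps the pandalog and console small for production mining (what each plugin emits in debug mode is not visible here). The removed comment pointing at the upstream file_taint example was the only note on where this plugin stack comes from; restoring a one-line comment naming the example it is modelled on would keep that context. The module-level statements continue outside the hunk.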
@@ -698,7 +698,7 @@ def run(args, **kwargs): run(shlex.split(project['configure']) + ['--prefix=' + lp.bugs_install]) envv = {'CC': '/usr/lib/llvm-11/bin/clang', 'CXX': '/usr/lib/llvm-11/bin/clang++', - 'CFLAGS': '-O0 -m32 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/'} + 'CFLAGS': '-O0 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/'} if project['configure']: run_cmd(' '.join(shlex.split(project['configure']) + ['--prefix=' + lp.bugs_install]), envv, 30, cwd=lp.bugs_build, shell=True) @@ -713,7 +713,7 @@ def run(args, **kwargs): # know that it's unsafe. envv = {'CC': '/usr/lib/llvm-11/bin/clang', 'CXX': '/usr/lib/llvm-11/bin/clang++', - 'CFLAGS': '-Wno-int-conversion -O0 -m32 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/'} + 'CFLAGS': '-Wno-int-conversion -O0 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/'} if competition: envv["CFLAGS"] += " -DLAVA_LOGGING" envv = {} @@ -893,7 +893,7 @@ def modify_source(dirname): make_cmd = project["make"] envv = {'CC': '/usr/lib/llvm-11/bin/clang', 'CXX': '/usr/lib/llvm-11/bin/clang++', - 'CFLAGS': '-Wno-int-conversion -O0 -m32 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/'} + 'CFLAGS': '-Wno-int-conversion -O0 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/'} if competition: envv["CFLAGS"] += " -DLAVA_LOGGING" (rv, outp) = run_cmd(make_cmd, envv, None, cwd=lp.bugs_build) diff --git a/scripts/lava.sh b/scripts/lava.sh index bc6c8fc6..0df92b9a 100755 --- a/scripts/lava.sh +++ b/scripts/lava.sh @@ -32,7 +32,8 @@ version="2.0.0" trap '' PIPE -set -ex # Exit on error +set -e # Exit on error +# set -x # debug mode USAGE() { echo "$0 version $version" 
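Review bot: In the second hunk (`@@ -713,7 +713,7 @@`) the edited `'CFLAGS'` entry is followed, after the `if competition:` block, by `envv = {}`; if that assignment sits at the same indentation as the `envv = {...}` literal (indentation is lost in this rendering), the dict including the new flags is discarded before any build uses it and this edit has no effect — worth confirming in the file. The same flag string now appears three times in this file and once each in scripts/lava.sh and scripts/add_queries.sh; a module-level constant such as `LAVA_CFLAGS = '-O0 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/'`, with the second and third sites using `'-Wno-int-conversion ' + LAVA_CFLAGS`, would make the next flag change a one-line edit. The functions around all three hunks start and end outside them.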
@@ -184,7 +185,7 @@ if [ $make -eq 1 ]; then lf="$logs/make.log" truncate "$lf" # Note, adding the static flag is important. We are running the binaries on a PANDA VM, so we have no idea if it will have any libraries we need. - run_remote "$buildhost" "cd \"$sourcedir\" && CC=$llvm/bin/clang CXX=$llvm/bin/clang++ CFLAGS='-O0 -m32 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/ -static' $makecmd" "$lf" + run_remote "$buildhost" "cd \"$sourcedir\" && CC=$llvm/bin/clang CXX=$llvm/bin/clang++ CFLAGS='-O0 -DHAVE_CONFIG_H -g -gdwarf-2 -fno-stack-protector -D_FORTIFY_SOURCE=0 -I. -I.. -I../include -I./src/ -static' $makecmd" "$lf" run_remote "$buildhost" "cd \"$sourcedir\" && rm -rf lava-install" "$lf" if [ "$install_simple" == "null" ]; then diff --git a/scripts/vars.py b/scripts/vars.py index 66a69bf3..0965e2d6 100644 --- a/scripts/vars.py +++ b/scripts/vars.py @@ -39,10 +39,6 @@ def validate_project(project): assert 'name' in project # command line to run the target program (already instrumented with taint and attack queries) assert 'command' in project - # path to guest qcow - assert 'qcow' in project - # name of snapshot from which to revert which will be booted & logged in as root - assert 'snapshot' in project # path to tarfile for target (original source) assert 'tarfile' in project # namespace in db for prospective bugs @@ -72,8 +68,8 @@ def parse_vars(host_json, project_name): print("Your project config file is missing a required field:\n{}".format(e)) raise - for field, prefix in [("tarfile", "tar_dir"), ("qcow", "qcow_dir")]: - project[field] = host[prefix] + "/" + project[field] + for field, prefix in [("tarfile", "tar_dir")]: + project[field] = host[prefix] + os.path.sep + project[field] for field, suffix in [("db", "db_suffix")]: project[field] = project[field] + host[suffix] 
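Review bot: `host[prefix] + os.path.sep + project[field]` in the `@@ -72,8 +68,8 @@` hunk (and the two similar lines in the `@@ -93,9 +89,9 @@` hunk) needs `os` in scope, yet this commit adds no `import os` hunk for scripts/vars.py; if the module did not already import it, parse_vars raises NameError on first use — confirm against the file header, which is outside the hunk. `os.path.join(host[prefix], project[field])` is the idiomatic form and copes with a `tar_dir` that already ends in a separator; one difference to keep in mind is that `os.path.join` lets an absolute `tarfile` value replace `tar_dir` entirely, whereas the concatenation keeps it anchored beneath `tar_dir`. The first vars.py hunk drops `qcow` and `snapshot` from the required fields while init-host.py in this commit still writes `qcow_dir` into host.json; if no script reads it any more, removing it there keeps the two sides consistent. parse_vars continues outside the hunk.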
@@ -93,9 +89,9 @@ def parse_vars(host_json, project_name): name=project["name"], field=project[field])) project["qemu"] = host["qemu"] - project["output_dir"] = host["output_dir"] + "/" + project["name"] + project["output_dir"] = host["output_dir"] + os.path.sep + project["name"] project["directory"] = host["output_dir"] - project["config_dir"] = host["config_dir"] + "/" + project["name"] + project["config_dir"] = host["config_dir"] + os.path.sep + project["name"] # Replace format strings in project configs project["install"] = project["install"].format(config_dir=project["config_dir"]) diff --git a/target_configs/file/file.json b/target_configs/file/file.json index 797e91de..43356230 100644 --- a/target_configs/file/file.json +++ b/target_configs/file/file.json @@ -6,9 +6,7 @@ "tarfile": "file-5.22-pre.tar.gz", - "qcow": "wheezy_panda2.qcow2", - "snapshot": "root", - "expect_prompt": "root@debian-i386:~#", + "expect_prompt": "root@debian-amd64:~#", "make": "make", "clean": "make clean", diff --git a/target_configs/toy/toy.json b/target_configs/toy/toy.json index 8b2dbe63..7ccc7b62 100755 --- a/target_configs/toy/toy.json +++ b/target_configs/toy/toy.json @@ -2,11 +2,8 @@ "name": "toy", "db": "toy", "preprocessed": true, - "dataflow": "true", - "qcow": "wheezy_panda2.qcow2", - "snapshot": "root", - "expect_prompt": "root@debian-i386:~#", + "expect_prompt": "root@debian-amd64:~#", "tarfile": "toy-pre.tar.gz", @@ -18,7 +15,7 @@ "main_file": [ "toy.c" ], - "dataflow": "true", + "dataflow": true, "inputs": [ "inputs/testsmall.bin" ] }
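Review bot: Turning `"dataflow": "true"` into the boolean `true` in the second toy.json hunk is the right fix — the string was always truthy, and the first hunk also removes the duplicate `dataflow` key (with Python's json the later entry wins, so the removed one was dead anyway) — but it changes what consumers receive, so any script comparing `project["dataflow"] == "true"` now evaluates false; grep scripts/ for that comparison before merging. file.json's `dataflow` entry is not in this diff, so it is worth checking whether it still carries the string form.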