BootStomp
Problem in reproducing the expected results of find_taint.py
Hello and thank you for your research!
I have trouble reproducing the results of find_taint.py. I have IDA 7.5 and IDAPython set to work in compatibility mode, because from the README.md it seems like BootStomp was used with IDA 6.95 and Python 2.7. I have also tried using IDA 7.5 with the code modified to work with compatibility mode disabled and Python 3, but the results I get are the same as the ones described below.
When opening IDA, in the "Load a new file" dialog I use ARM Little-endian as the architecture for the BootStomp sample binaries.
I was only able to reproduce - with slight differences though - the results of Qualcomm lk (latest and unpatched). (1) Do you know why the output is slightly different from the expected results in https://github.com/ucsb-seclab/BootStomp/blob/master/evaluation/qualcomm_lk/latest/taint_info.txt and https://github.com/ucsb-seclab/BootStomp/blob/master/evaluation/qualcomm_lk/unpatched/taint_info.txt? You can find my results for the latest and the unpatched Qualcomm lk at https://github.com/k-karakatsanis/BootStomp/blob/master/bootloaders/qualcomm_lk/taint_source_sink_latest.txt and https://github.com/k-karakatsanis/BootStomp/blob/master/bootloaders/qualcomm_lk/taint_source_sink_unpatched.txt respectively. FYI, after opening the files in IDA, I have also tried to change the .rodata segment to read (from read & write), but I still get different output than expected.
For Huawei I received the error shown in https://github.com/ucsb-seclab/BootStomp/issues/3 when running find_taint.py. (2) What should I use in the “disassembly memory organization” options of IDA Pro and what should the entry point be? I suspect that either the default options or the missing entry point are causing the problem.
When I tried using find_taint.py on the other files (Nexus_9 and Xperia lk) I did not receive any output. (3) Should I change the "disassembly memory organization" default options or set an entry point in order for the analysis to be performed?
I also tried using bootsplitter for the binaries that didn't give results. Nonetheless, bootsplitter did not produce meaningful results for nexus_9 and xperia_xa that would help us import these binaries into IDA Pro. Specifically, the output for "IMAGE BASE + CODE SIZE" is smaller than the "IMAGE SIZE" alone, which does not seem reasonable. (4) Am I doing something wrong with bootsplitter? You can find my results from bootsplitter at https://github.com/k-karakatsanis/BootStomp/tree/master/output.
I am new to reverse engineering, so I apologize if I am missing something obvious.
Thank you very much in advance!