
libdft64 terminates early?

Open deekshadangwal opened this issue 5 years ago • 5 comments

I'm trying to use the libdft-dta tool for taint tracking, but I'm having issues running it with flags. This is the command I'm using:

$PIN_HOME/pin -follow_execv -t $DFT_HOME/tools/libdft-dta.so -s 1 -- ./hw.o

Here is hw.c:

#include <stdio.h>

int main () {
   char str1[20], str2[30];

   printf("Enter name: ");
   scanf("%19s", str1);   /* width limit keeps the read inside str1 */

   printf("Enter your website name: ");
   scanf("%29s", str2);   /* same for str2 */

   printf("Entered Name: %s\n", str1);
   printf("Entered Website: %s\n", str2);

   return(0);
}

compiled with: gcc hw.c -o hw.o

However, cmp.out and lea.out are empty. pintool.log says "died":

Pin: pin-3.7-97619-0d0c92f4f
Copyright (c) 2003-2018, Intel Corporation. All rights reserved.
 died

It does not even prompt me for stdin as per hw.c.

However, when not using the -s 1 flag, it prompts me for stdin as expected and the pintool.log looks like it ran (?):

Pin: pin-3.7-97619-0d0c92f4f
Copyright (c) 2003-2018, Intel Corporation. All rights reserved.
 In open
 in_dtracker_whitelist /etc/ld.so.cache
 Info ignoring fd 3
 In mmap 3 0
 close 3
 In open
 in_dtracker_whitelist /lib/x86_64-linux-gnu/libc-2.27.so
 Info ignoring fd 3
 In mmap -1 0
 In mmap 3 0
 In mmap 3 1994752
 In mmap -1 0
 close 3

But, pin.log reports "missing application":

Pin: pin-3.7-97619-0d0c92f4f
Copyright (c) 2003-2018, Intel Corporation. All rights reserved.
E:  Missing application name

Also, cmp.out and lea.out are empty.

Any ideas? Thanks in advance!

deekshadangwal avatar Mar 20 '19 05:03 deekshadangwal

The libdft-dta.so from the vuzzer64 directory doesn't support the -s option - that is why it always dies. The pin.log is created when PIN generates an error. Before you run the application, please delete the file. I'm also facing the same problem. Both files are empty and I don't know why.

marekzmyslowski avatar Mar 20 '19 11:03 marekzmyslowski

Have a look at run_2.sh to understand how to call it separately.

tosanjay avatar Mar 20 '19 15:03 tosanjay

@tosanjay Thanks for your response! Is there a description of the -x flag somewhere? Is there some example usage for run_2.sh? I'm not sure what the inputs are here.

Also, if -s 1 is not supported, is there some other way to mark "tainted data" in this version of libdft64?

deekshadangwal avatar Mar 20 '19 17:03 deekshadangwal

$PIN_ROOT/pin -t libdft-dta.so -filename $2 -x $3 -- $1

If you look at the function execute2 in runfuzzer.py, you can derive that:

$2 = name of the file which is input to the program (taint source)
$1 = command line to invoke your program
$3 = 0 (default, but you can set some other value)

tosanjay avatar Mar 20 '19 17:03 tosanjay
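An added example (mine, not code from the vuzzer64 or libdft64 repositories) of a target shaped for the invocation above: the file passed with -filename is the taint source, so the program reads its input from that file instead of stdin and then runs a compare and a table lookup on those bytes. That cmp.out and lea.out record compares and indexed loads touching tainted data is my assumption from the file names; the magic string, table and return codes are constructed.

```c
/* Build: gcc target.c -o target
 * Run:   $PIN_ROOT/pin -t libdft-dta.so -filename input.bin -x 0 -- ./target input.bin */
#include <stdio.h>
#include <string.h>

/* Constructed lookup table; indexing it with a tainted byte yields a lea/indexed load. */
static const unsigned char table[16] = {
    7, 1, 8, 2, 8, 1, 8, 2, 8, 4, 5, 9, 0, 4, 5, 2 };

/* Read up to cap-1 bytes of `path` into buf, NUL-terminate, and return the byte
 * count, or -1 on error. With -filename <path>, the bytes returned from this
 * read are what libdft-dta marks as tainted (assumption, see lead-in). */
long read_input(const char *path, char *buf, size_t cap) {
    if (cap == 0) return -1;
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

/* Two operations on the tainted bytes: a 4-byte magic compare (cmp) and a
 * table lookup whose index comes from the input (lea + indexed load).
 * Return codes: 0 = too short, 1 = bad magic, 2 + table[idx] = accepted. */
int check_input(const char *buf, size_t len) {
    if (len < 5) return 0;
    if (memcmp(buf, "VUZZ", 4) != 0) return 1;
    unsigned idx = (unsigned char)buf[4] & 0x0f;   /* keep the index inside table[] */
    return 2 + table[idx];
}

int main(int argc, char **argv) {
    char buf[64];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input-file>\n", argv[0]);
        return 2;
    }
    long n = read_input(argv[1], buf, sizeof buf);
    if (n < 0) { perror(argv[1]); return 2; }
    printf("result: %d\n", check_input(buf, (size_t)n));
    return 0;
}
```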

Thanks @tosanjay, this works! I am also trying to print out the instruction trace with a tainted/not tainted tag alongside it. Is there a function I could use/expand to do that? If not, do you have some idea as to what part of the API I should start looking at first?

Thanks again!

deekshadangwal avatar Mar 20 '19 23:03 deekshadangwal