What is the purpose of taint engine vreg blacklist? #45

Open
moralismercatus opened this issue May 22, 2018 · 0 comments
Hi @likebreath ,

I'm curious what the purpose of Analyzer::guest_vcpu_regs_black_list_ is. It is defined here: https://github.com/SVL-PSU/crete-dev/blob/master/front-end/qemu-2.3/runtime-dump/tci_analyzer.cpp#L854

The inquiry stems from an observation that, with single-step enabled (where one TB represents a single guest instruction), conditional branch TBs (jb, ja, je, jne, etc.) were never marked as tainted.

Here's a concrete example of what I mean:

cmp edx, ebx ; Marked as tainted.
jae 0xdeadbeef ; Not marked as tainted.

As the jae uses flags based on the tainted cmp, logically jae should be tainted as well.

In root causing, the situation seems related to the fact that the various virtual CPU registers responsible for tracking flag status (e.g., CPUX86State::cc_src) are blacklisted, or removed from the taint equation.

PS.
Unsurprisingly, disabling the blacklist led to an assertion: https://github.com/SVL-PSU/crete-dev/blob/master/front-end/qemu-2.3/runtime-dump/runtime-dump.cpp#L118

Thanks,
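An added illustration of the behaviour described in the issue (toy model written for this page, not CRETE's or QEMU's code): a minimal taint tracker where a blacklist of the lazy-flag vregs stops taint from flowing out of cmp into the flag-dependent jae, while an empty blacklist lets jae become tainted. The vreg names cc_src, cc_dst and cc_op mirror QEMU's lazy flag state but are assumed here purely for the model.

```cpp
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Hypothetical taint model: each vreg carries one taint bit; an instruction's
// outputs become tainted iff at least one non-blacklisted input is tainted.
struct TaintModel {
    std::map<std::string, bool> taint;   // vreg -> tainted?
    std::set<std::string> blacklist;     // vregs removed from the taint equation

    bool tainted(const std::string& r) const {
        if (blacklist.count(r)) return false;  // blacklisted inputs never contribute taint
        auto it = taint.find(r);
        return it != taint.end() && it->second;
    }
    // Propagates taint from inputs to outputs; blacklisted outputs are never written.
    // Returns whether the instruction itself is considered tainted.
    bool propagate(const std::vector<std::string>& in, const std::vector<std::string>& out) {
        bool t = false;
        for (const auto& r : in) t = t || tainted(r);
        for (const auto& r : out) if (!blacklist.count(r)) taint[r] = t;
        return t;
    }
};

// "cmp edx, ebx": reads edx/ebx, writes the lazy flag state (cc_src/cc_dst in this model).
bool exec_cmp(TaintModel& m) { return m.propagate({"edx", "ebx"}, {"cc_src", "cc_dst"}); }
// "jae target": reads only the flag state.
bool exec_jae(TaintModel& m) { return m.propagate({"cc_src", "cc_dst"}, {}); }

// Runs the two-instruction sequence from the issue with edx tainted (constructed input).
// Returns {cmp_tainted, jae_tainted}.
std::pair<bool, bool> run_sequence(bool blacklist_flag_vregs) {
    TaintModel m;
    m.taint["edx"] = true;
    if (blacklist_flag_vregs) m.blacklist = {"cc_src", "cc_dst", "cc_op"};
    bool cmp_tainted = exec_cmp(m);
    bool jae_tainted = exec_jae(m);
    return {cmp_tainted, jae_tainted};
}
```

With the flag vregs blacklisted the result is {true, false}, matching the observation in the issue; with the blacklist empty it is {true, true}.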
