From: Ben Pfaff <blp@cs.stanford.edu>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] Re: valgrind functionality in qemu?
Date: Mon, 22 Nov 2004 11:17:12 -0800 [thread overview]
Message-ID: <87is7x4rt3.fsf@benpfaff.org> (raw)
In-Reply-To: Pine.LNX.4.58.0411221944200.11549@wgmdd8.biozentrum.uni-wuerzburg.de
Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:
> Unfortunately, you didn't publish the source code for TaintBochs.
It's not very pretty. We're working on a nicer version that we
might release later.
> So how did you tackle following problems:
>
> - when deciding what to taint, you want to be as specific as possible. How
> did you tell bochs what was tainted, and what not?
This isn't really relevant for the purpose of doing valgrind-like
functionality, for what it's worth. However, we used various
methods. For example, for tainting passwords input from the
keyboard we added a toggle switch to the Bochs interface that
determined whether keypressed were considered tainted, and for
tainting network input we did a simple string search in network
packets (which is not very smart but worked okay for the simple
case we wanted to try).
> - when you tested inside bochs, you didn't have control over loading of
> programs. How did bochs know where the code came from?
We used Mission Critical's "crash" utility as a kernel debugger.
We added a module to it that allowed us to generate a core dump
of any process in the guest. When you combine a core dump with
the program binary and the program source, gdb and addr2line can
tell you everything you want to know.
> - even more importantly, when you analyzed where tainting data was
> propagated or freed, how did you find out which *source code* was
> responsible for that?
gdb and addr2line as above.
I think all this is in the paper actually. We included a fair
number of details of our implementation there.
> I would do tha "just write some code" part, but I still look for
> elegant solutions to those problems.
--
"The road to hell is paved with convenient shortcuts."
--Peter da Silva
next prev parent reply other threads:[~2004-11-22 19:26 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-11-18 21:34 [Qemu-devel] Downloaded files are corrupt Aaron McDonald
2004-11-18 21:45 ` Magnus Damm
2004-11-18 22:28 ` [Qemu-devel] " Ronald
2004-11-18 23:09 ` Ronald
2004-11-21 3:20 ` [Qemu-devel] " Julian Seward
2004-11-21 3:32 ` [Qemu-devel] valgrind functionality in qemu? Marc E. Fiuczynski
2004-11-22 12:05 ` Johannes Schindelin
2004-11-22 16:30 ` Sylvain Petreolle
2004-11-22 18:14 ` [Qemu-devel] " Ben Pfaff
2004-11-22 18:50 ` Johannes Schindelin
2004-11-22 19:17 ` Ben Pfaff [this message]
2004-11-21 16:46 ` [Qemu-devel] Downloaded files are corrupt Martin Jansa
2004-11-21 18:30 ` Julian Seward
2004-11-21 18:41 ` [Qemu-devel] " Ronald
2004-11-21 19:59 ` [Qemu-devel] " Fabrice Bellard
2004-11-21 20:32 ` Martin Jansa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87is7x4rt3.fsf@benpfaff.org \
--to=blp@cs.stanford.edu \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.