intel/vmtaint (Public archive)

This repository was archived by the owner on Jun 12, 2023. It is now read-only.

DISCONTINUATION OF PROJECT

This project will no longer be maintained by Intel.
Intel has ceased development and contributions including, but not limited to, maintenance, bug fixes, new releases, or updates, to this project.
Intel no longer accepts patches to this project.
If you have an ongoing need to use this project, are interested in independently developing it, or would like to maintain patches for the open source software community, please create your own fork of this project.

VMtaint for Xen Project*

Full-VM taint analysis with Xen, Intel(R) Processor Trace and Triton.

Install dependencies:

sudo apt-get install build-essential git cmake libboost-dev libtool automake autoconf pkg-config libstdc++-10-dev

Install Xen:

Follow setup instructions from https://github.com/intel/kernel-fuzzer-for-xen-project

Install Capstone:

git submodule update --init capstone
cd capstone
mkdir build
cd build
cmake ..
sudo make install
cd ../..

Install Triton:

git submodule update --init triton
cd triton
mkdir build
cd build
cmake ..
sudo make install
cd ../..

Install LibVMI:

git submodule update --init libvmi
cd libvmi
autoreconf -vif
./configure --disable-kvm --disable-bareflank
make
sudo make install
cd ..

Install libipt:

git submodule update --init libipt
cd libipt
mkdir build
cd build
cmake .. -DPTDUMP=on
make
sudo make install
cd ../..

Build vmtaint:

autoreconf -vif
./configure
make

Collect IPT log (pause the domain, save the guest state, start the trace collector in the background, then resume the domain):

xl pause <domid>
vmtaint --save-state state.log --domid <domid>
xen-vmtrace <domid> 0 > vmtrace.log &
xl unpause <domid>

Run vmtaint:

vmtaint \
    --load-state state.log \
    --pt vmtrace.log \
    --domid <domid> \
    --taint-address <virtual address>:<taint size> \
    --json <kernel's debug info in json>

Example:

./vmtaint --load-state state.log --domid 96 --pt vmtrace.log --json 5.4.0-48.json --taint-address 0xffffffffc0367010:9
ffffffffc0365095        movsx edi, byte ptr [rip + 0x1f74]
         Tainted reg: rdi: 0
ffffffffc036509c        call 0xffffffffc036500b
         Tainted reg: rdi: 0
ffffffffc036500b        nop dword ptr [rax + rax]
         Tainted reg: rdi: 0
ffffffffc0365010        push rbp
         Tainted reg: rdi: 0
ffffffffc0365011        mov rax, qword ptr [rip + 0x1fe8]
         Tainted reg: rdi: 0
ffffffffc0365018        cmp qword ptr [rip + 0x1ff1], rax
         Tainted reg: rdi: 0
ffffffffc036501f        mov rbp, rsp
         Tainted reg: rdi: 0
ffffffffc0365022        jne 0xffffffffc0365032
         Tainted reg: rdi: 0
         Tainted reg: rip: ffffffffc0365024
ffffffffc0365032        mov rdi, -0x3fc99fbc
ffffffffc0365039        call 0xffffffff81114873
ffffffff81114873        nop dword ptr [rax + rax]
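The output above is easier to reason about when post-processed: each instruction line carries the address and disassembly, and the indented "Tainted reg" lines list the registers that hold tainted data after that instruction executed. The following Python script is an added example for this README and is not part of the vmtaint project; it embeds the README's own example output as its sample input, assumes only the line format shown above, and treats the value printed after each register name as an opaque string. It resolves RIP-relative memory operands against the next traced instruction (x86-64 encodes such operands relative to the following instruction), so it shows that the first `movsx` reads 0xffffffffc036509c + 0x1f74 = 0xffffffffc0367010, exactly the tainted address passed on the command line, that the `cmp` at 0xffffffffc0365018 reads the same tainted qword, and that the `jne` which depends on that compare is where `rip` becomes tainted, i.e. where tainted data starts influencing control flow.

```python
"""Summarize taint propagation from vmtaint's per-instruction output (added example)."""
import re
from dataclasses import dataclass, field

# Sample input: the README's example output for
# --taint-address 0xffffffffc0367010:9, embedded so this runs offline.
SAMPLE_LOG = """\
ffffffffc0365095        movsx edi, byte ptr [rip + 0x1f74]
         Tainted reg: rdi: 0
ffffffffc036509c        call 0xffffffffc036500b
         Tainted reg: rdi: 0
ffffffffc036500b        nop dword ptr [rax + rax]
         Tainted reg: rdi: 0
ffffffffc0365010        push rbp
         Tainted reg: rdi: 0
ffffffffc0365011        mov rax, qword ptr [rip + 0x1fe8]
         Tainted reg: rdi: 0
ffffffffc0365018        cmp qword ptr [rip + 0x1ff1], rax
         Tainted reg: rdi: 0
ffffffffc036501f        mov rbp, rsp
         Tainted reg: rdi: 0
ffffffffc0365022        jne 0xffffffffc0365032
         Tainted reg: rdi: 0
         Tainted reg: rip: ffffffffc0365024
ffffffffc0365032        mov rdi, -0x3fc99fbc
ffffffffc0365039        call 0xffffffff81114873
ffffffff81114873        nop dword ptr [rax + rax]
"""

# Taint source from the README's command line (--taint-address <addr>:<size>).
TAINT_ADDRESS = 0xFFFFFFFFC0367010
TAINT_SIZE = 9

INSN_RE = re.compile(r"^([0-9a-f]+)\s+(\S.*?)\s*$", re.IGNORECASE)
TAINT_RE = re.compile(r"^\s+Tainted reg:\s*(\w+):\s*([0-9a-f]+)\s*$", re.IGNORECASE)
RIP_REL_RE = re.compile(r"\[rip\s*([+-])\s*0x([0-9a-f]+)\]", re.IGNORECASE)


@dataclass
class Step:
    addr: int
    disasm: str
    tainted: dict = field(default_factory=dict)  # register -> value as printed


def parse_vmtaint_log(text):
    """Group each instruction line with the 'Tainted reg' lines that follow it."""
    steps = []
    for line in text.splitlines():
        m = TAINT_RE.match(line)
        if m:
            if not steps:
                raise ValueError("taint line before any instruction")
            steps[-1].tainted[m.group(1).lower()] = m.group(2)
            continue
        m = INSN_RE.match(line)
        if m:
            steps.append(Step(int(m.group(1), 16), m.group(2)))
            continue
        if line.strip():
            raise ValueError(f"unrecognized line: {line!r}")
    return steps


def rip_relative_target(step, next_step):
    """Effective address of a [rip +/- disp] operand, or None.

    RIP-relative displacements are relative to the *next* instruction, so the
    next address in the trace is used. For branches the next traced instruction
    is the target rather than the fall-through, so those are skipped.
    """
    mnemonic = step.disasm.split()[0].lower()
    if next_step is None or mnemonic.startswith("j") or mnemonic in ("call", "ret"):
        return None
    m = RIP_REL_RE.search(step.disasm)
    if not m:
        return None
    disp = int(m.group(2), 16)
    return next_step.addr + disp if m.group(1) == "+" else next_step.addr - disp


def summarize(steps, taint_addr, taint_size):
    """Report tainted registers, accesses inside the tainted range, and rip taint."""
    memory_accesses = []  # (instruction address, effective address)
    control_flow = []     # instructions after which rip is tainted
    for i, step in enumerate(steps):
        nxt = steps[i + 1] if i + 1 < len(steps) else None
        ea = rip_relative_target(step, nxt)
        if ea is not None and taint_addr <= ea < taint_addr + taint_size:
            memory_accesses.append((step.addr, ea))
        if "rip" in step.tainted:
            control_flow.append(step.addr)
    return {
        "instructions": len(steps),
        "tainted_regs": set().union(*(s.tainted for s in steps)),
        "tainted_memory_accesses": memory_accesses,
        "tainted_control_flow": control_flow,
    }


if __name__ == "__main__":
    summary = summarize(parse_vmtaint_log(SAMPLE_LOG), TAINT_ADDRESS, TAINT_SIZE)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the sample, the summary reports two reads inside the tainted range (the `movsx` at 0xffffffffc0365095 and the `cmp` at 0xffffffffc0365018, both resolving to 0xffffffffc0367010) and one control-flow point, the `jne` at 0xffffffffc0365022. The `mov rdi, -0x3fc99fbc` that follows overwrites `rdi` with a constant, which is consistent with the README output listing no tainted registers from that point on.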

*Other names and brands may be claimed as the property of others
