Platform for Architecture-Neutral Dynamic Analysis
Latest commit 70f937f (Dec 10, 2018) by moyix: Merge pull request #391 from nathanjackson/word-taint-documentation (remove reference to word taint option)

README.md

PANDA


PANDA is an open-source Platform for Architecture-Neutral Dynamic Analysis. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments. A nine billion instruction boot of FreeBSD, e.g., is represented by only a few hundred MB. PANDA leverages QEMU's support of thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugin architecture which includes a mechanism to share functionality between plugins, increasing analysis code re-use and simplifying complex analysis development.

It is currently being developed in collaboration with MIT Lincoln Laboratory, NYU, and Northeastern University.

Building

Debian 7/8, Ubuntu 14.04 / 16.04

Because PANDA has a few dependencies, we've encoded the build instructions into a script, panda/scripts/install_ubuntu.sh. The script should work on Debian 7/8 and Ubuntu 14.04, and it shouldn't be hard to translate the apt-get commands into whatever package manager your distribution uses. We currently only vouch for buildability on Debian 7/8 and Ubuntu 14.04, but we welcome pull requests to fix issues with other distros.

Note that if you want to use our LLVM features (mainly the dynamic taint system), you will need LLVM 3.3, either installed from OS packages or compiled from source. On Ubuntu 14.04 this happens automatically via install_ubuntu.sh. Alternatively, we have created an Ubuntu PPA at ppa:phulin/panda. You can use the following commands to install all dependencies on 14.04 or 16.04:

sudo add-apt-repository ppa:phulin/panda
sudo apt-get update
sudo apt-get build-dep qemu
sudo apt-get install python-pip git protobuf-compiler protobuf-c-compiler \
  libprotobuf-c0-dev libprotoc-dev python-protobuf libelf-dev \
  libcapstone-dev libdwarf-dev python-pycparser llvm-3.3 clang-3.3 libc++-dev
git clone https://github.com/panda-re/panda
mkdir -p build-panda && cd build-panda
../panda/build.sh

Arch-linux

Because PANDA has a few dependencies, we've encoded the build instructions into a script, panda/scripts/install_arch.sh. The script has only been tested on Arch Linux 4.17.5-1-MANJARO.

Dependencies

# Build and install an AUR package from its snapshot tarball; stops at the first failed step
# instead of continuing into the next one with a half-built tree.
aur_install_pkg () {
	local FNAME=$1
	local FNAME_WEB
	FNAME_WEB=$(python2 -c "import urllib; print urllib.quote('''$FNAME''')") || return 1
	wget -O "/tmp/$FNAME.tar.gz" "https://aur.archlinux.org/cgit/aur.git/snapshot/$FNAME_WEB.tar.gz" || return 1
	cd /tmp || return 1
	tar -xvf "$FNAME.tar.gz" || return 1
	cd "/tmp/$FNAME" || return 1
	# -s resolves build dependencies with pacman, -i installs the built package
	makepkg -si || return 1
}

gpg --receive-keys A2C794A986419D8A
aur_install_pkg "libc++"
aur_install_pkg "llvm33"
aur_install_pkg "libprotobuf2"

# Protobuf for C language
cd /tmp
git clone https://github.com/protobuf-c/protobuf-c.git protobuf-c
cd protobuf-c
./autogen.sh
./configure --prefix=/usr
make
sudo make install

# We need to use an older version of wireshark, since 2.5.1 breaks the network plugin
sudo pacman -U https://archive.archlinux.org/packages/w/wireshark-common/wireshark-common-2.4.4-1-x86_64.pkg.tar.xz
sudo pacman -U https://archive.archlinux.org/packages/w/wireshark-cli/wireshark-cli-2.4.4-1-x86_64.pkg.tar.xz

# Other dependencies
sudo pacman -S python2-protobuf libelf dtc capstone libdwarf python2-pycparser

Build

export PANDA_LLVM_ROOT=/opt/llvm33
export CFLAGS=-Wno-error
./build.sh
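The Arch steps above point build.sh at the AUR LLVM 3.3 install through PANDA_LLVM_ROOT. The following preflight check, an added example that is not part of the PANDA README or build scripts, confirms that the directory actually holds a usable LLVM 3.3 before the (long) build starts; it assumes the llvm33 package lays out an llvm-config binary under $PANDA_LLVM_ROOT/bin, as the upstream LLVM layout does.

```shell
#!/bin/sh
# Added example (not part of PANDA): preflight check for the LLVM 3.3 toolchain
# that build.sh expects via PANDA_LLVM_ROOT.
# Assumption: the install has bin/llvm-config, as upstream LLVM layouts do.

# check_llvm_root DIR
# Returns 0 if DIR holds an LLVM 3.3 install usable by PANDA,
# 1 if llvm-config is missing or fails, 2 if it reports another version.
check_llvm_root() {
    root="$1"
    cfg="$root/bin/llvm-config"
    if [ ! -x "$cfg" ]; then
        echo "no executable llvm-config under $root/bin" >&2
        return 1
    fi
    ver=$("$cfg" --version) || return 1
    case "$ver" in
        3.3|3.3.*) return 0 ;;
        *) echo "found LLVM $ver, PANDA's taint system needs 3.3" >&2; return 2 ;;
    esac
}

# Usage, mirroring the Arch build steps from the README:
#   export PANDA_LLVM_ROOT=/opt/llvm33
#   check_llvm_root "$PANDA_LLVM_ROOT" && ./build.sh
```

Running the check before build.sh turns a misconfigured PANDA_LLVM_ROOT into an immediate, readable error rather than a compile failure deep inside the LLVM-dependent plugins.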

Building on Mac

Building on Mac is less well-tested, but has been known to work. There is a script, panda/scripts/install_osx.sh, to build under OS X.

Docker Image

Finally, if you want to skip the build process altogether, there is a Docker image. You can get it by running:

docker pull pandare/panda

Alternatively, you can pull the latest build from an unofficial third party.

docker pull thawsystems/panda

Support

If you need help with PANDA, or want to discuss the project, you can join our IRC channel at #panda-re on Freenode, or join the PANDA mailing list.

We have a basic manual here.

PANDA Plugins

Details about the architecture-neutral plugin interface can be found in panda/docs/PANDA.md. Existing plugins and tools can be found in panda/plugins and panda.

Record/Replay

PANDA currently supports whole-system record/replay execution, as well as time-travel debugging, of x86, x86_64, and ARM guests. Documentation can be found in the manual.

Publications

  • [1] B. Dolan-Gavitt, T. Leek, J. Hodosh, W. Lee. Tappan Zee (North) Bridge: Mining Memory Accesses for Introspection. 20th ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, November 2013.

  • [2] R. Whelan, T. Leek, D. Kaeli. Architecture-Independent Dynamic Information Flow Tracking. 22nd International Conference on Compiler Construction (CC), Rome, Italy, March 2013.

  • [3] B. Dolan-Gavitt, J. Hodosh, P. Hulin, T. Leek, R. Whelan. Repeatable Reverse Engineering with PANDA. 5th Program Protection and Reverse Engineering Workshop, Los Angeles, California, December 2015.

  • [4] M. Stamatogiannakis, P. Groth, H. Bos. Decoupling Provenance Capture and Analysis from Execution. 7th USENIX Workshop on the Theory and Practice of Provenance, Edinburgh, Scotland, July 2015.

  • [5] B. Dolan-Gavitt, P. Hulin, T. Leek, E. Kirda, A. Mambretti, W. Robertson, F. Ulrich, R. Whelan. LAVA: Large-scale Automated Vulnerability Addition. 37th IEEE Symposium on Security and Privacy, San Jose, California, May 2016.

License

GPLv2.

Acknowledgements

This material is based upon work supported under Air Force Contract No. FA8721-05-C-0002 and/or FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the U.S. Air Force.