Skip to content
/ panda Public
forked from panda-re/panda

Platform for Architecture-Neutral Dynamic Analysis

License

Unknown and 2 other licenses found

Licenses found

Unknown
LICENSE
GPL-2.0
COPYING
LGPL-2.1
COPYING.LIB
Notifications You must be signed in to change notification settings

tetrane/panda

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

PANDA

Build Status Autobuild Docker Container

PANDA is an open-source Platform for Architecture-Neutral Dynamic Analysis. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments. A nine billion instruction boot of FreeBSD, e.g., is represented by only a few hundred MB. PANDA leverages QEMU's support of thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugin architecture which includes a mechanism to share functionality between plugins, increasing analysis code re-use and simplifying complex analysis development.

It is currently being developed in collaboration with MIT Lincoln Laboratory, NYU, and Northeastern University. PANDA is released under the GPLv2 license.


Building

Quickstart: Docker

The latest version of PANDA's master branch is automatically built as a docker image from both Ubuntu Bionic (18.04) and Xenial (16.04). These images are available here.

To pull the latest docker container and run PANDA

$ docker pull pandare/panda
$ docker run --rm panda -- /bin/panda-system-i386 --help

Debian, Ubuntu

Because PANDA has a few dependencies, we've encoded the build instructions into the install_ubuntu.sh. The script should work on the latest Debian stable/Ubuntu LTS versions. If you wish to build PANDA manually, you can also check the step-by-step instructions in the documentation directory.

We currently only vouch for buildability on the latest Debian stable/Ubuntu LTS, but we welcome pull requests to fix issues with other distros. For other distributions, it should be straightforward to translate the apt-get commands into whatever package manager your distribution uses.

Note that if you want to use our LLVM features (mainly the dynamic taint system), you will need to install LLVM 3.3 from OS packages or compiled from source. On Ubuntu this should happen automatically via install_ubuntu.sh. Additionally, it is strongly recommended that you only build PANDA as 64bit binary. Creating a 32bit build should be possible, but best avoided. See the limitations section for details.

Arch

The install_arch.sh has been contributed for building PANDA on Arch Linux. Currently, the script has only been tested on Arch Linux 4.17.5-1-MANJARO. You can also find step-by-step instructions for building on Arch in the documentation directory.

MacOS

Building on Mac is less well-tested, but has been known to work. There is a script, install_osx.sh to build under OS X. The script uses homebrew to install the PANDA dependencies. As homebrew is known to be very fast in deprecating support for older versions of OS X and supported packages, expect this to be broken.

Installation

After successfully building PANDA, you can copy the build to a system-wide location by running make install. The default installation path is /usr/local. You can specify an alternate installation path through the prefix configuration option. E.g. --prefix=/opt/panda. Note that your system must have chrpath installed in order for make install to succeed.

If the bin directory containing the PANDA binaries is in your PATH environment variable, then you can run PANDA similarly to QEMU:

panda-system-i386 -m 2G -hda guest.img -monitor stdio

Limitations

LLVM Support

PANDA uses the LLVM architecture from the S2E project. This allows translating the TCG intermediate code representation used by QEMU, to LLVM IR. The latter has the advantages of being easier to work with, as well as platform independent. This enables the implementation of complex analyses like the taint2 plugin. However, S2E is not actively updated to work with the latest LLVM toolchain. As a consequence, PANDA still requires specifically LLVM 3.3 in order to be built with taint analysis support. of the plugins.

Cross-architecture record/replay

Great effort is put to maintain the PANDA trace format stable so that existing traces remain replayable in the future. Changes that will break existing traces are avoided. However, currently, record/replay is only guaranteed between PANDA builds of the same address length. E.g. you can't replay a trace captured on a 32bit build of PANDA on a 64bit of PANDA. The reason for this is that some raw pointers managed to creep into the trace format (see headers in panda/rr).

Given the memory limitations of 32bit builds, almost all PANDA users use 64bit. As a result, this issue should affect only a tiny minority of users. This is also supported by the fact that the issue remained unreported for a long time (>3 years). Therefore, when a fix is to be implemented, it may be assessed that migrating existing recordings captured by 32bit builds is not worth the effort.

For this, it is strongly recommended that you only create and use 64bit builds of PANDA. If you happen to already have a dataset of traces captured by a 32bit build of PANDA, you should contact the community ASAP to discuss possible options.


Documentation and Support

PANDA manual

PANDA currently supports whole-system record/replay execution, as well as time-travel debugging, of x86, x86_64, and ARM guests. Details about the implementation and use of PANDA can be found in the PANDA manual. Some of the topics covered are:

Documentation for individual plugins is provided by the README.md file in the plugin directory. See panda/plugins directory.

Support

If you need help with PANDA, or want to discuss the project, you can join our IRC channel at #panda-re on Freenode, or join the PANDA mailing list.


Publications

  • [1] B. Dolan-Gavitt, T. Leek, J. Hodosh, W. Lee. Tappan Zee (North) Bridge: Mining Memory Accesses for Introspection. 20th ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, November 2013.

  • [2] R. Whelan, T. Leek, D. Kaeli. Architecture-Independent Dynamic Information Flow Tracking. 22nd International Conference on Compiler Construction (CC), Rome, Italy, March 2013.

  • [3] B. Dolan-Gavitt, J. Hodosh, P. Hulin, T. Leek, R. Whelan. Repeatable Reverse Engineering with PANDA. 5th Program Protection and Reverse Engineering Workshop, Los Angeles, California, December 2015.

  • [4] M. Stamatogiannakis, P. Groth, H. Bos. Decoupling Provenance Capture and Analysis from Execution. 7th USENIX Workshop on the Theory and Practice of Provenance, Edinburgh, Scotland, July 2015.

  • [5] B. Dolan-Gavitt, P. Hulin, T. Leek, E. Kirda, A. Mambretti, W. Robertson, F. Ulrich, R. Whelan. LAVA: Large-scale Automated Vulnerability Addition. 37th IEEE Symposium on Security and Privacy, San Jose, California, May 2016.


Acknowledgements

This material is based upon work supported under Air Force Contract No. FA8721-05-C-0002 and/or FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the U.S. Air Force.

About

Platform for Architecture-Neutral Dynamic Analysis

Resources

License

Unknown and 2 other licenses found

Licenses found

Unknown
LICENSE
GPL-2.0
COPYING
LGPL-2.1
COPYING.LIB

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C 85.0%
  • C++ 7.9%
  • Python 4.7%
  • Shell 1.0%
  • Haxe 0.4%
  • Assembly 0.4%
  • Other 0.6%