TaintEMU - System-level Taint Tracking Engine (QEMU-based)

Overview

TaintEMU is a system-level dynamic taint analysis tool based on QEMU, capable of tracking the propagation of labeled data across the entire system. By deeply integrating into QEMU's TCG (Tiny Code Generator) module, this tool achieves efficient taint propagation analysis while maintaining excellent compatibility with multiple instruction set architectures.

Key Features

Multi-architecture Support

  • Select target instruction sets via compile-time parameters (e.g., aarch64-softmmu/x86_64-softmmu)
  • Extend support for new instruction sets without modifying core code
  • The taint tracking feature currently supports: arm32, aarch64, i386, x86-64, mips, mips64, ppc, ppc64, s390x, riscv32, riscv64

🚀 High Performance

  • Taint tracking logic directly compiled into host machine code
  • Deep optimization during TCG dynamic binary translation phase
  • More efficient than traditional instrumentation methods
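The TCG-level approach described above means every translated guest op gets a companion shadow-propagation step emitted next to it. The following added example (written for this page, not TaintEMU's own code) models that step for a handful of hypothetical TCG-style ops with byte-granular shadow masks, including two cases a sound engine has to get right: carries in an addition spreading taint to higher bytes, and the x ^ x zeroing idiom, which must clear taint rather than propagate it.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not TaintEMU's own code: a constructed model of the shadow
 * propagation a TCG-level taint engine attaches to each translated op. Each
 * 64-bit register carries an 8-bit mask (bit i = byte i tainted); each memory
 * byte carries one shadow bit. Op set and machine layout are hypothetical. */
enum { NREGS = 8, MEMSZ = 64 };
typedef enum { OP_MOVI, OP_MOV, OP_ADD, OP_AND, OP_XOR, OP_LD, OP_ST } op_t;
typedef struct { op_t op; int r, a, b; uint64_t imm; } tcg_op; /* r: dest (ST: source); a: base for LD/ST */
typedef struct { uint64_t regs[NREGS]; uint8_t sh[NREGS], mem[MEMSZ], shm[MEMSZ]; } machine;
static void exec_op(machine *m, const tcg_op *o)
{
    uint64_t a = m->regs[o->a], b = m->regs[o->b], addr = a + o->imm;
    uint8_t sa = m->sh[o->a], sb = m->sh[o->b], w = 0;
    switch (o->op) {
    case OP_MOVI: m->regs[o->r] = o->imm; m->sh[o->r] = 0; break;      /* immediates are clean */
    case OP_MOV:  m->regs[o->r] = a; m->sh[o->r] = sa; break;           /* copy value and shadow */
    case OP_AND:  m->regs[o->r] = a & b; m->sh[o->r] = sa | sb; break;  /* byte-local: plain union */
    case OP_XOR:  m->regs[o->r] = a ^ b;                                /* x ^ x is constant 0: clear */
                  m->sh[o->r] = (o->a == o->b) ? 0 : (sa | sb); break;
    case OP_ADD:  m->regs[o->r] = a + b;                                /* a carry can spread taint upward */
                  for (int i = 0; i < 8; i++) if ((sa | sb) & (1u << i)) w |= (uint8_t)(0xFF << i);
                  m->sh[o->r] = w; break;
    case OP_LD:   if (addr + 8 > MEMSZ) break;                          /* outside the model's memory */
                  memcpy(&m->regs[o->r], &m->mem[addr], 8);             /* gather one shadow bit per byte */
                  for (int i = 0; i < 8; i++) w |= (uint8_t)(m->shm[addr + i] << i);
                  m->sh[o->r] = w; break;
    case OP_ST:   if (addr + 8 > MEMSZ) break;
                  memcpy(&m->mem[addr], &m->regs[o->r], 8);             /* scatter the mask to memory */
                  for (int i = 0; i < 8; i++) m->shm[addr + i] = (m->sh[o->r] >> i) & 1; break;
    }
}
/* Constructed sample: four labeled bytes at mem[16..19], then a short block.
 * Returns the final mask of r3 (0x0F); r4 ends clean, r5 fully tainted. */
static uint8_t demo(machine *m)
{
    memset(m, 0, sizeof *m);
    for (int i = 16; i < 20; i++) { m->mem[i] = 0x41; m->shm[i] = 1; }
    const tcg_op ops[] = {
        {OP_MOVI, 0, 0, 0, 16},   /* r0 = 16 (address)                      */
        {OP_LD,   1, 0, 0, 0},    /* r1 = mem[16..23]   -> mask 0x0F        */
        {OP_MOVI, 2, 0, 0, 0xFF}, /* r2 = 0xFF          -> mask 0x00        */
        {OP_AND,  3, 1, 2, 0},    /* r3 = r1 & r2       -> mask 0x0F        */
        {OP_XOR,  4, 1, 1, 0},    /* r4 = r1 ^ r1       -> mask 0x00        */
        {OP_ADD,  5, 1, 2, 0},    /* r5 = r1 + r2       -> mask 0xFF        */
        {OP_ST,   3, 0, 0, 32},   /* mem[48..55] = r3   -> shm[48..51] = 1  */
    };
    for (size_t i = 0; i < sizeof ops / sizeof ops[0]; i++) exec_op(m, &ops[i]);
    return m->sh[3];
}
```

Note that the AND rule is deliberately conservative: a real engine would also exploit the constant upper bytes of r2 to narrow the result mask.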

🔌 Seamless Integration

  • Independent taint tracking module design
  • Fully decoupled from QEMU's original features (virtual devices, memory management, etc.)
  • Supports standard QEMU command-line parameters

Compilation Guide

Requirements

  • x86-64 CPU with SIMD instruction support
  • Linux operating system
  • QEMU dependencies (ninja, glib2, pixman, etc.)

Build Steps

# 1. Get the source code
git clone https://github.com/shinian98/TaintEMU.git
cd TaintEMU

# 2. Configure build options
#    --target-list: target architecture (e.g. aarch64-softmmu, x86_64-softmmu)
#    --enable-taint-engine: enable the taint engine
#    (comments must not follow a trailing backslash, or the continuation breaks)
mkdir build && cd build
../configure \
    --target-list=aarch64-softmmu \
    --enable-taint-engine

# 3. Compile
make -j$(nproc)

📝 The complete user guide and quick examples can be found in the wiki.

Contributing

We welcome improvements through Issues or development contributions via PRs:

  1. Fork this repository
  2. Create a feature branch (git checkout -b feature/xxx)
  3. Commit your changes (git commit -m 'Add some feature')
  4. Push the branch (git push origin feature/xxx)
  5. Create a Pull Request

License

This project is open-sourced under the GNU General Public License v2.0. See the LICENSE file for details.


Note: This tool is suitable for security analysis, vulnerability discovery, and other research scenarios. Please comply with relevant laws and regulations when using it.
For technical questions, contact: lulongjin98@gmail.com
