
PyPANDA: Taming the PANDAmonium of Whole System Dynamic Analysis

Proceedings 2021 Workshop on Binary Analysis Research(2021)

Abstract
IDA Pro, and Ghidra all support conducting analyses from scripting languages, such functionality is rarely present in whole-system dynamic analysis platforms, leading to cumbersome workflows. For example, consider the task of conducting a whole-system dynamic taint analysis on data sent to a custom kernel module that ultimately flows into a user-space application. An analyst must approach this task through two distinct, but complementary, processes. First, they must drive the guest system’s behavior: boot the system, log in, obtain the relevant source code and toolchains, compile the code (or copy in a prebuilt binary), and load the kernel module. Then, once the system under test is properly configured, the actual analysis can begin by further driving the guest system’s behavior to send data into the kernel module and, at the same time, asking the analysis platform to apply taint labels to the data in the guest’s memory. After some indeterminate amount of time, the analyst would then need to query the analysis platform to identify where and how tainted data reached the user-space application. This workflow highlights a number of significant challenges, largely related to user experience, as well as an active research problem. The research challenge lies in bridging the semantic gap [18] to extract meaning from the emulator’s view of guest memory (e.g., how the results from the taint analysis can be tied back to process names and non-randomized program counters). The user experience challenges are easier to tackle, but no less important from an end-user’s perspective. These include copying files into the guest, driving guest behavior, and synchronizing guest behavior with analysis tasks. To address these challenges, we designed and implemented PyPANDA: a Python 3 interface to the PANDA [10] whole-system analysis platform.
PyPANDA allows for driving a guest execution, running Python code at any PANDA callback (capable of reading or writing guest state), and interacting with PANDA plugins. Since Python has a large ecosystem of libraries, PyPANDA also enables novel combinations of existing libraries with a whole system dynamic analysis framework. The remainder of this paper is structured as follows. §II