You can download the source code of Privacy Scope from
http://appanalysis.org/privacyscope/privacyscope.tar.gz.
To run Privacy Scope, you need to install Pin version 25945 on Windows. You may download a copy from
http://pintool.org or locally.
README PrivacyScope
[Last updated: Oct 26, 2010 by Jaeyeon Jung (jaeyeon.jung@intel.com) and David Zhu (yuzhu@eecs.berkeley.edu)]
0. Environment for testing:
IDE: Microsoft Visual Studio 2008 Professional Edition
Windows XP Service pack 3
Pin Kit Version 25945 (vc9): http://pintool.org
1. Installation
1.1. Install Pin by extracting it to a directory %PINROOT%
This step includes copying dbghelp.dll from ../../privacyscope/msdebugdll/
to the ia32\bin directory.
1.2. Extract the source code to the following location:
%PINROOT%\source\tools (using windows backslash)
1.3. Open PrivacyScope.sln and build project using Visual Studio
1.4. The built library is at privacyscope\Release\PrivacyScope.dll
2. Run (see http://pintool.org for details of running a Pin tool)
2.1. After the tool DLL is built as shown in the Installation section, open a command prompt (cmd.exe)
2.2. Go to the release directory mentioned above.
2.3. ..\..\..\..\pin.bat -t PrivacyScope -- [Path to application]
3. Logging
PrivacyScope generates logs in the privacyscope\Release directory
4. Usage:
4.1 See http://appanalysis.org/privacyscope/demo for demo
4.2 There are several hot keys designated to interact with PrivacyScope
Alt + < : starts the capturing of tainted input
Alt + > : stops the capturing of tainted input
Alt + ` : resets the taint map
Note that the Alt key combinations do not work reliably. It is strongly recommended that you
monitor the PrivacyScope log to make sure that the hotkey is received by PrivacyScope. For instance,
Alt + < generates the following log message
[MSG] start tracking keyboard input
Alt + > generates the following log message
[MSG] stop tracking keyboard input
Alt + ' generates the following log message
[MSG] reset the taint map
4.3 Useful log messages
When tainted data is written to a file:
[MSG] writeIns writes new tainted file ( \pin-2.6-25945-msvc9-ia32_intel64-windows\source\tools\
nsdi2010\Release\finally.txt )
[DBG] print tainted buffer at 0xf36c0 length 11
[TBF] hello [TS]taint[TE]
When tainted data is sent to the network: (e.g., typing 000 (Alt + <) 01111 (Alt + >) in the form at
http://seattle.intel-research.net/~jjung/privacyscope/notsecure.html and clicking the "Submit" button)
[MSG] checkSend sends tainted data to 69.16.217.114 at port 0x50
[DBG] print tainted buffer at 0x13c2b780 length 938
[TBF] POST /cgi-bin/mycgi.pl HTTP/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml,
*/*..Referer: http://seattle.intel-research.net/~jjung/privacyscope/notsecure.html..Accept-Language: en-us..
Content-Type: application/x-www-form-urlencoded..UA-CPU: x86..Accept-Encoding: gzip, deflate..
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; EmbeddedWB 14.52 from: http://www.bsalsa.com/
EmbeddedWB 14.52; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04506.648;
.NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)..Host: leiajung.org..Content-Length: 69..
Connection: Keep-Alive..Cache-Control: no-cache....paymentType=American+Express&
cardnumber=000[TS]01111[TE]&expmonth=8&expyear=1
[DBG] entered writeIns
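
Added example (not part of the PrivacyScope distribution): a small Python parser for the log messages shown in 4.3 that reports each file or network sink together with the bytes between the [TS] and [TE] markers. The sample log is constructed from the messages above with a placeholder path, address and host; treating an untagged line as a wrapped continuation of the previous message is an assumption, as are all function names.

```python
import re

# Constructed sample modelled on the messages in 4.3 (placeholder path, address and host).
SAMPLE_LOG = r"""[MSG] start tracking keyboard input
[MSG] stop tracking keyboard input
[MSG] writeIns writes new tainted file ( C:\example\Release\finally.txt )
[DBG] print tainted buffer at 0xf36c0 length 11
[TBF] hello [TS]taint[TE]
[MSG] checkSend sends tainted data to 192.0.2.10 at port 0x50
[DBG] print tainted buffer at 0x13c2b780 length 64
[TBF] POST /cgi-bin/mycgi.pl HTTP/1.1..Host: example.test....paymentType=X&
cardnumber=000[TS]01111[TE]&expmonth=8&expyear=1
[DBG] entered writeIns
"""

TAG = re.compile(r"^\[(MSG|DBG|TBF)\] ?(.*)$")
FILE_SINK = re.compile(r"writeIns writes new tainted file \(\s*(.*?)\s*\)$")
NET_SINK = re.compile(r"checkSend sends tainted data to (\S+) at port (0x[0-9a-fA-F]+)$")
SPAN = re.compile(r"\[TS\](.*?)\[TE\]", re.S)  # tainted bytes sit between [TS] and [TE]

def parse_records(text):
    """Group lines into [tag, body] records; untagged lines continue the previous record."""
    records = []
    for line in text.splitlines():
        m = TAG.match(line)
        if m:
            records.append([m.group(1), m.group(2)])
        elif records:
            records[-1][1] += line  # assumed: a wrapped continuation line
    return records

def tainted_sinks(text):
    """Return one dict per sink event: kind, target, and the tainted substrings."""
    events, current = [], None
    for tag, body in parse_records(text):
        if tag == "MSG":
            f, n = FILE_SINK.search(body), NET_SINK.search(body)
            if f:
                current = {"kind": "file", "target": f.group(1), "tainted": []}
            elif n:  # the port is logged in hex (0x50 is 80)
                current = {"kind": "net", "target": (n.group(1), int(n.group(2), 16)), "tainted": []}
            else:
                current = None  # hotkey and other messages are not sinks
            if current is not None:
                events.append(current)
        elif tag == "TBF" and current is not None:
            current["tainted"] += SPAN.findall(body)
    return events
```

Calling tainted_sinks() on the contents of a log file from the privacyscope\Release directory gives a list that can be reviewed for unexpected destinations of the captured input.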