Baojiang Cui,Fuwei Wang,Tao Guo,Guowei Dong

DOI: https://doi.org/10.1016/j.cose.2015.02.006

IF: 5.105

2015-01-01

Computers & Security

Abstract:This paper presents FlowWalker, a novel dynamic taint analysis framework that aims to extract the complete taint data flow while eliminating the bottlenecks that occur in existing tools, with applications to file-format reverse engineering. The framework proposes a multi-taint-tag assembly-level taint propagation strategy. FlowWalker separates taint tracking operations from execution with an off-line structure, utilizes memory-mapped files to enhance I/O efficiency, processes taint paths during virtual execution playback, and uses parallelization and pipelining mechanisms to achieve speedup. Based on the semantic correlations implied by the taint path information, this paper presents an algorithm for extracting the structures of unknown file formats. According to test data, the overall program runtime ranges from 92.98% to 208.01% of the length of the underlying instrumentation alone, while the speed enhancement is 60% compared to another well-featured tool in Windows. Medium-complexity file formats are correctly partitioned, and the constant fields are extracted. Due to its efficiency and scalability, FlowWalker can address the needs of further security-related research.

Xiajing Wang,Rui Ma,Bowen Dou,Zefeng Jian,Hongzhou Chen

DOI: https://doi.org/10.1155/2018/7693861

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Dynamic taint analysis is a powerful technique for tracking the flow of sensitive information. Different approaches have been proposed to accelerate this process in an online or offline manner. Unfortunately, most of these approaches still have performance bottlenecks and thus reduce analytical efficiency. To address this limitation, we present OFFDTAN, a new approach of offline dynamic taint analysis for binaries. OFFDTAN can be described in terms of four stages: dynamic information acquisition, vulnerability modeling, offline analysis, and backtrace analysis. It first records program runtime information and models the stack buffer overflow vulnerabilities and controlled jump vulnerabilities. Then it performs offline analysis and backtrace analysis to locate vulnerabilities. We implement OFFDTAN on the basis of QEMU virtual machine and apply it to off-the-shelf applications. In order to illustrate how our approach works, we first employ a case study. Furthermore, six applications have been verified so as to evaluate our approach. Experimental results demonstrate that our approach is correct and effective. Compared with other offline analysis tools, OFFDTAN has much lower application runtime overhead.

Erzhou Zhu,Feng Liu,Zuo Wang,Alei Liang,Yiwen Zhang,Xuejian Li,Xuejun Li

DOI: https://doi.org/10.1016/j.cose.2015.03.008

IF: 5.105

2015-01-01

Computers & Security

Abstract:By analyzing information flow at runtime, dynamic taint analysis can precisely detect a wide range of vulnerabilities of software. However, it suffers from substantial runtime overhead and is incapable of discovering potential threats. Yet, realistically, the interested analyst doesn't have access to the source code of the malware. Therefore, the task of software flaw tracking becomes rather complicated. In order to cope with these issues, this paper proposes Dytaint, a novel lightweight 3-state dynamic taint analysis framework, for diagnosing more software vulnerabilities with lower runtime overhead. The framework works for the x86 binary executables and requires no special hardware assistance. Besides the tainted and the untainted states that are discussed by many popularly used taint analysis tools, the third state, controlled-taint state, is proposed to detect more types of software vulnerabilities. The new Chaining Hash Table which reduces the space for storing taint information without increasing the accessing time is also incorporated in the framework. Furthermore, two mechanisms, namely, the irrelevant API filtering based on the function recognition method and basic block handling, are introduced to optimize the runtime performance of our framework. The testing results by running SPEC CINT2006 benchmarks and various popular software have demonstrated that Dytaint is efficient which incurs only 3.1 times overhead to the native on average and practical which is able to discover not only all the real threats but also most of the potential ones.

Rulin Xu,Xiaoguang Mao,Luohui Chen

DOI: https://doi.org/10.1109/apsec60848.2023.00035

2023-01-01

Abstract:Taint analysis of value flows, as a static analysis technique, has gained widespread application in the fields of software security and vulnerability mining. However, when dealing with complex programs, it still faces challenges in terms of precision and performance. This research proposes P-DATA, a parallel framework implementing dependency-aware taint analysis. P-DATA employs modeling to capture data and control dependencies, reducing false positives over tools like Clang Static Analyzer and SVF. To accelerate the analysis, P-DATA leverages a task-level parallel framework introducing Preemption of Computational Resources (PCR) and Asynchronous Taint Source Registration, lead to impressive scalability and efficiency. Evaluations demonstrate P-DATA's ability to significantly expedite taint analysis for large programs using multi-core resources, achieving over 25X speedup on 32 cores. P-DATA makes notable contributions by boosting precision, efficiency and scalability of security-critical program analysis through advanced dependency modeling and paral-lelization techniques. It provides an extensible high-performance framework benefiting static analysis advancement.

Jie Zhang,Cong Tian,Zhenhua Duan

DOI: https://doi.org/10.1109/icse-companion.2019.00092

2019-01-01

Abstract:In recent years, sensitive data leaks of Android system attracted significant attention. The traditional tools for detecting leaks usually focus on the precision and recall with few of them addressing the importance of the efficiency. The high costs of these tools often make them fail in analyzing apps in large scale and thus block them from wide usage in practice. In this paper, we propose FastDroid, an efficient and precise tool for detecting sensitive data leaks in Android apps. First, a flow-insensitive taint analysis is conducted to construct the taint value graph (TVG) which is defined to describe the process of taint propagation. Then, potential taint flows (PTFs) are extracted from TVG. Finally, the PTFs are checked on the control flow graph (CFG) to acquire the real taint flows. FastDroid is evaluated on three test suites. The results show that FastDroid maintains a high precision and recall; meanwhile it improves the efficiency significantly.

Jie Zhang,Cong Tian,Zhenhua Duan

DOI: https://doi.org/10.1016/j.cose.2020.102161

IF: 5.105

2021-01-01

Computers & Security

Abstract:In recent years, sensitive data leaks of Android system attracted significant attention. The traditional facilities proposed for detecting these leaks, i.e. taint analysis, mostly focus on the precision and recall of the result with few of them addressing the importance of the cost and efficiency. As a matter of fact, the high costs of these tools often make them fail in analyzing large-scale apps and thus block them from wide usage in practice. In this paper, we propose FastDroid, an efficient and precise approach for taint analysis in Android apps with flow and context-sensitivity. First, upon groups of taint rules, a preliminary flow-insensitive taint analysis is conducted to construct the taint value graph which is an abstraction defined to describe the process of taint propagation in an app. Then, potential taint flows are extracted from the taint value graphs and further checked on the control flow graph to acquire the real taint flows. FastDroid is evaluated on the benchmark DroidBench, 1517 apps from Google Play store and 1022 apps from AndroZoo. The results show that the F-measure scores of FastDroid on DroidBench 2.0 and 3.0 are 0.89 and 0.75 respectively, the performance is better than the state-of-the-art tool FlowDroid. Further, a comparison on runtime with FlowDroid shows that FastDroid improves the efficiency significantly.

Zhizhuang Jia,Chao Yang,Xiaoyun Zhao,Xinghua Li,Jianfeng Ma

DOI: https://doi.org/10.1016/j.cose.2023.103528

IF: 5.105

2023-01-01

Computers & Security

Abstract:Dynamic taint analysis is a commonly used technique in software security. By tracking the processing of tainted data in the program, dynamic taint analysis can provide users with information on how the variables they are interested in are affected by the program input. The information is stored in tags corresponding to the variables, and the type of the tag determines the level of detail it can store. While integer tags can only indicate whether the taint exists, container tags provide knowledge of which part of the input the taint originated from. This knowledge is crucial for fields such as protocol reverse engineering and fuzzing. Despite their advantages, container tags suffer from low execution efficiency. In some applications, the execution time can increase by thousands of times as compared to the use of integer tags. In this paper, we propose an efficient container tag scheme based on the Reduced Ordered Binary Decision Diagram. The test results indicate that our container tag scheme achieves average speedups of 7.53x and 100.96x compared to the two container tag schemes utilized in libdft64.

Baojiang Cui,Fuwei Wang,Yongle Hao,Xiaofeng Chen

DOI: https://doi.org/10.1007/s00500-015-2017-6

2016-01-01

Abstract:Fuzz testing is widely used as an automatic solution for discovering vulnerabilities in binary programs that process files. Restricted by their high blindness and low code path coverage, fuzzing tests typically provide quite low efficiencies. In this paper, a novel API in-memory fuzz testing technique for eliminating the blindness of existing techniques is discussed. This technique employs dynamic taint analyses to locate the routines and instructions that belong to the target binary executables, and it consists of parsing and processing the input data. Within the testing phase, binary instrumentation is used to construct loops around such routines, in which the contained taint memory values are mutated in each loop. According to experiments using the prototype tool, this technique could effectively detect defects such as stack overflows. Compared with traditional fuzzing tools, this API in-memory fuzzing eliminated the bottleneck of interrupting execution paths and gained a greater than 95 % enhancement in execution speed.

Yiyu Zhang,Tianyi Liu,Yueyang Wang,Yun Qi,Kai Ji,Jian Tang,Xiaoliang Wang,Xuandong Li,Zhiqiang Zuo

2024-02-27

Abstract:Dynamic taint analysis (DTA), as a fundamental analysis technique, is widely used in security, privacy, and diagnosis, etc. As DTA demands to collect and analyze massive taint data online, it suffers extremely high runtime overhead. Over the past decades, numerous attempts have been made to lower the overhead of DTA. Unfortunately, the reductions they achieved are marginal, causing DTA only applicable to the debugging/testing scenarios. In this paper, we propose and implement HardTaint, a system that can realize production-run dynamic taint tracking. HardTaint adopts a hybrid and systematic design which combines static analysis, selective hardware tracing and parallel graph processing techniques. The comprehensive evaluations demonstrate that HardTaint introduces only around 9% runtime overhead which is an order of magnitude lower than the state-of-the-arts, while without sacrificing any taint detection capability.

Cryptography and Security,Programming Languages,Software Engineering

Pankaj Kohli

DOI: https://doi.org/10.48550/arXiv.0906.4481

2009-07-01

Abstract:Memory corruption attacks remain the primary threat for computer security. Information flow tracking or taint analysis has been proven to be effective against most memory corruption attacks. However, there are two shortcomings with current taint analysis based techniques. First, these techniques cause application slowdown by about 76% thereby limiting their practicality. Second, these techniques cannot handle non-control data attacks i.e., attacks that do not overwrite control data such as return address, but instead overwrite critical application configuration data or user identity data. In this work, to address these problems, we describe a coarse-grained taint analysis technique that uses information flow tracking at the level of application data objects. We propagate a one-bit taint over each application object that is modified by untrusted data thereby reducing the taint management overhead considerably. We performed extensive experimental evaluation of our approach and show that it can detect all critical attacks such as buffer overflows, and format string attacks, including non-control data attacks. Unlike the currently known approaches that can detect such a wide range of attacks, our approach does not require the source code or any hardware extensions. Run-time performance overhead evaluation shows that, on an average, our approach causes application slowdown by only 37% which is an order of magnitude improvement over existing approaches. Finally, since our approach performs run-time binary instrumentation, it is easier to integrate it with existing applications and systems.

Cryptography and Security

Jin-Xin MA,Zhou-Jun LI,Tao ZHANG,Dong SHEN,Zhang-Kai ZHANG

DOI: https://doi.org/10.13328/j.cnki.jos.005179

2017-01-01

Abstract:Taint analysis method in binary code plays an important role in reverse engineering,malicious code detecting and vulnerabilities analysis.Currently,most of taint analysis methods fail to operate float point instruction,and they do not propagate taints accurately and efficiently enough.In the paper,a taint analysis method is implemented based on offline indices of instruction trace,which are byte-grained and utilize taint tags.A generation and query algorithm of offline indices is also presented.Instructions unrelated to taint data are skipped with offline indices,which improves the efficiency of taint analysis.The taint loss problem resulted from real time translation is described and solved for the first time.Taint tags are utilized to denote where the taint data is derived.A more complete taint propagation algorithm,which could operate float point instructions and insure the taint data flow from source operands into the destination operands precisely,is also presented.Flexible user-configuration mechanism is implemented to produce taint data on the fly with black list.The proposed method is applied in vulnerabilities detecting and evaluated with 12 vulnerabilities as test cases.The experimental result shows that this taint analysis method is able to detect more vulnerabilities than TEMU,and is 5 times faster in average.

Wei You,Bin Liang,Wenchang Shi,Peng Wang,Xiangyu Zhang

DOI: https://doi.org/10.1109/tdsc.2017.2740169

2020-01-01

Abstract:Dynamic taint analysis (DTA), as a mainstream information flow tracking technique, has been widely used in mobile security. On the Android platform, the existing DTA approaches are typically implemented by instrumenting the Dalvik virtual machine (DVM) interpreter or the Android emulator with taint enforcement code. The most prominent problem of the interpreter-based approaches is that they cannot work in the new Android RunTime (ART) environment introduced since the 5.0 release. For the emulator-based approaches, the most prominent problem is that they cannot be deployed on real devices. In addition, almost all the existing Android DTA approaches only concern the explicit information flow caused by data dependence, while completely ignore the impact of implicit information flow caused by control dependence. These problems limit their adoption in the latest Android system and make them ineffective in detecting the state-of-the-art malware whose privacy-breaching behaviors are inactivated in the analyzed environment (e.g., the emulator) or conducted via implicit information flow. In this paper, we present TaintMan, an ART-compatible DTA framework that can be deployed on unmodified and non-rooted Android devices. In TaintMan, the taint enforcement code is statically instrumented into both the target application and the system class libraries to track data flow and common control flow. A specially designed execution environment reconstruction technique, named reference hijacking, is proposed to force the target application to reference the instrumented system class libraries. By enforcing on-demand instrumentation and on-demand tracking, the performance overhead is significantly reduced. We have developed TaintMan and deployed it on two popular stock smartphones (HTC One S equipped with Android-4.0 and Motorola MOTO G equipped with Android-5.0). The evaluation with malware samples and real-world applications shows that TaintMan can effectively detect privacy leakage behaviors with an acceptable performance overhead.

Binbin Li,Rui Ma,Xuefei Wang,Xiajing Wang,Jinyuan He

DOI: https://doi.org/10.1145/3380625.3380642

2020-01-01

Abstract:Since static taint analysis is performed prior to execution by considering all possible execution paths, it can discover potential security issues before the program running. Currently, many taint analysis tools pay more attention to data dependence in the program. Whereas implicit flow analysis based on control dependence is generally not considered owning to its complexity. Therefore, this paper presents a static taint analysis method named DepTaint, which expands the static checkers of LLVM, focuses on program dependence including data and control dependence in the program. DepTaint analyzes the taint variables propagated along explicit flows and implicit flows, especially commendably handles the under-taint in explicit flow analysis. Our evaluations demonstrate that, for 8 programs containing data and control dependence and 8 programs injected different common vulnerabilities (i.e., array bounds, double free, format string vulnerability, heap overflow, integer overflow, stack overflow, and UAF), DepTaint significantly outperforms LLVM's static checker both at marking taint variables and achieving more finegrained taint propagation paths. Specially, for the programs containing branch selection and loop structure, DepTaint on average marks 2X and 3.6X taint variables than LLVM's static checker.

Chenghua Tang,Zheng Du,Mengmeng Yang,Baohua Qiang

DOI: https://doi.org/10.1016/j.cose.2023.103186

IF: 5.105

2023-01-01

Computers & Security

Abstract:Taint analysis is a method used to detect system security problems by tracking the flow of user input or information leakage through the system. In the taint analysis for Android applications, the complete taint propagation path is generally obtained by tracking the taint data. There is often a compromise between efficiency and analysis accuracy in the method of obtaining the taint propagation path, or false positives and false negatives due to the neglect of Android features. Given the problems, a novel multi-branch taint search association algorithm is proposed, which optimized the processing of Android component features in taint analysis. It directly finds taint related codes and associates them according to predefined rules. It has effective Android taint analysis ability including alias analysis and reduced the negative impact of taint unrelated codes on the performance of taint analysis. At the same time, the Android static taint analysis prototype tool TaintSA is implemented based on the multi-branch taint search association algorithm. The experimental results show that TaintSA can not only ensure the analysis results' accuracy but also reduce the time and space required for taint analysis. The accuracy rate of 91.5% and the recall rate of 75.6% on the DroidBench2.0 test set are better than the taint analysis tool FlowDroid. The time consumption and memory consumption of about 30% and 20% are reduced at the same time. In terms of the representation of taint propagation edges, compared with FlowDroid, the taint propagation path output by TaintSA does not contain intermediate variables, and the form is more concise. In addition, TaintSA can output the taint propagation path without taint leakage, which is helpful for further taint analysis.

Erzhou Zhu,Xuejun Li,Feng Liu,Xuejian Li,Zhujuan Ma

DOI: https://doi.org/10.4304/jcp.9.3.566-575

2014-01-01

Journal of Computers

Abstract:For the purpose of discovering security flaws in software, many dynamic and static taint analyzing techniques have been proposed. By analyzing information flow at runtime, dynamic taint analysis can precisely find security flaws of software. However, on one hand, it suffers from substantial runtime overhead and is incapable of discovering the potential threats. On the other hand, static taint analysis analyzes program’s code without actually executing it which incurs no runtime overhead, and can cover all the code, but it is often not accurate enough. In addition, since the source code of most software is hard to acquire and intruders simply do not attach target program’s source code in practice, software flaw tracking becomes rather complicated. In order to cope with these issues, this paper proposes HYBit, a novel hybrid framework which integrates dynamic and static taint analysis to diagnose the flaws or vulnerabilities for binary programs. In the framework, the source binary is first analyzed by the dynamic taint analyzer. Then, with the runtime information provided by its dynamic counterpart, the static taint analyzer can process the unexecuted part of the target program easily. Furthermore, a taint behavior filtration mechanism is proposed to optimize the performance of the framework. We evaluate our framework from three perspectives: efficiency, coverage, and effectiveness. The results are encouraging.

Haibo Chen,Liwei Yuan,Xi Wu,Binyu Zang,Bo Huang,Pen-Chung Yew

DOI: https://doi.org/10.1145/1669112.1669162

2009-01-01

Abstract:Recent micro-architectural research has proposed various schemes to enhance processors with additional tags to track various properties of a program. Such a technique, which is usually referred to as information flow tracking, has been widely applied to secure software execution (e.g., taint tracking), protect software privacy and improve performance (e.g., control speculation). In this paper, we propose a novel use of information flow tracking to obfuscate the whole control flow of a program with only modest performance degradation, to defeat malicious code injection, discourage software piracy and impede malware analysis. Specifically, we exploit two common features in information flow tracking: the architectural support for automatic propagation of tags and violation handling of tag misuses. Unlike other schemes that use tags as oracles to catch attacks (e.g., taint tracking) or speculation failures, we use the tags as flow-sensitive predicates to hide normal control flow transfers: the tags are used as predicates for control flow transfers to the violation handler, where the real control flow transfer happens. We have implemented a working prototype based on Itanium processors, by leveraging the hardware support for control speculation. Experimental results show that BOSH can obfuscate the whole control flow with only a mean of 26.7% (ranging from 4% to 59%) overhead on SPECINT2006. The increase in code size and compilation time is also modest.

Jie Wang,Yunguang Wu,Gang Zhou,Yiming Yu,Zhenyu Guo,Yingfei Xiong

DOI: https://doi.org/10.1145/3368089.3417059

2020-11-07

Abstract:In Alibaba, we have seen a growing demand for tracing data flow for scenarios such as data leak detection, change governance, and data consistency checking. Static taint analysis is a technique for such problems, and many approaches are proposed for high scalability and precision. This paper shares our experience in applying taint analysis in Alibaba. In particular, we find that the state-of-the-art taint analysis tool, FlowDroid, does not work well in our cases because our applications make heavy use of libraries, native methods and enterprise-specific frameworks, which impose two major challenges, scalability and implicit dependency, to FlowDroid. This paper presents ANTaint to address these problems. ANTaint improves scalability by expanding the call graph and applying taint propagation on demand for libraries, which account for majority of the program execution but only a small fraction propagates taints. To improve accuracy, we ensure to build a sound call graph with its core part having certain accuracy, and providing a more precise taint propagation model. The practice of applying ANTaint in the company workload validates the idea. According to an experiment on 60 production cases, ANTaint is correct for 95% of the cases (precision: 95%, recall: 98%) while FlowDroid is 13%. ANTaint takes 65% less time and none of the cases run out of memory with 32 GB limitation.

Mingshen Sun,Tao Wei,John C. S. Lui

DOI: https://doi.org/10.1145/2976749.2978343

2016-01-01

Abstract:ABSTRACTMobile operating systems like Android failed to provide sufficient protection on personal data, and privacy leakage becomes a major concern. To understand the security risks and privacy leakage, analysts have to carry out data-flow analysis. In 2014, Android upgraded with a fundamentally new design known as Android RunTime (ART) environment in Android 5.0. ART adopts ahead-of-time compilation strategy and replaces previous virtual-machine-based Dalvik. Unfortunately, many data-flow analysis systems like TaintDroid were designed for the legacy Dalvik environment. This makes data-flow analysis of new apps and malware infeasible. We design a multi-level information-flow tracking system for the new Android system called TaintART. TaintART employs a multi-level taint analysis technique to minimize the taint tag storage. Therefore, taint tags can be stored in processor registers to provide efficient taint propagation operations. We also customize the ART compiler to maximize performance gains of the ahead-of-time compilation optimizations. Based on the general design of TaintART, we also implement a multi-level privacy enforcement to prevent sensitive data leakage. We demonstrate that TaintART only incurs less than 15% overheads on a CPU-bound microbenchmark and negligible overhead on built-in or third-party applications. Compared to legacy Dalvik environment in Android 4.4, TaintART achieves about 99.7% faster performance for Java runtime benchmark.

Yutao Liu,Peitao Shi,Xinran Wang,Haibo Chen,Binyu Zang,Haibing Guan

DOI: https://doi.org/10.1109/hpca.2017.18

2017-01-01

Abstract:Current control flow integrity (CFI) enforcement approaches either require instrumenting application executables and even shared libraries, or are unable to defend against sophisticated attacks due to relaxed security policies, or both, many of them also incur high runtime overhead. This paper observes that the main obstacle of providing transparent and strong defense against sophisticated adversaries is the lack of sufficient runtime control flow information. To this end, this paper describes FlowGuard, a lightweight, transparent CFI enforcement approach by a novel reuse of Intel Processor Trace (IPT), a recent hardware feature that efficiently captures the entire runtime control flow. The main challenge is that IPT is designed for offline performance analysis and software debugging such that decoding collected control flow traces is prohibitively slow on the fly. FlowGuard addresses this challenge by reconstructing applications' conservative control flow graphs (CFG) to be compatible with the compressed encoding format of IPT, and labeling the CFG edges with credits in the help of fuzzing-like dynamic training. At runtime, FlowGuard separates fast and slow paths such that the fast path compares the labeled CFGs with the IPT traces for fast filtering, while the slow path decodes necessary IPT traces for strong security. We have implemented and evaluated FlowGuard on a commodity Intel Skylake machine with IPT support. Evaluation results show that FlowGuard is effective in enforcing CFI for several applications, while introducing only small performance overhead. We also show that, with minor hardware extensions, the performance overhead can be further reduced.

Jinkun Pan,Xiaoguang Mao,Weishi Li

DOI: https://doi.org/10.1109/icsess.2015.7339024

2015-01-01

Abstract:Taint analysis determines whether values from untrusted or private sources may flow into security-sensitive or public sinks, and can discover many common security vulnerabilities in both Web and mobile applications. Static taint analysis detects suspicious data flows without running the application and achieves a good coverage. However, most existing static taint analysis tools only focus on discovering taint paths from sources to sinks and do not concern about the requirements of analysts for sanitization check and exploration. The sanitization can make a taint path no more dangerous but should be checked or explored by analysts manually in many cases and the process is very costly. During our preliminary study, we found that many statements along taint paths are not relevant to the sanitization and there are a lot of redundancies among taint paths with the same source or sink. Based on these two observations, we have designed and implemented the taint path slicing and aggregation algorithms, aiming at mitigating the workload of the analysts and helping them get a better comprehension of the taint behaviors of target applications. Experimental evaluations on real-world applications show that our proposed algorithms can reduce the taint paths effectively and efficiently.