Heping Tang,Shuguang Huang,Yongliang Li,Lei Bao

DOI: https://doi.org/10.1109/ICCET.2010.5485224

2010-01-01

Abstract:Untrusted Data originating from network input and configuration files, causes many software security problems. Keeping track of the propagation of untrusted data in program runtime is the main idea of dynamic taint analysis for vulnerability exploits detection. In this method data from network user input and configuration files were labeled as taint. In virtue of data flow analysis we design taint propagating algorithm, and define several taint detection policies for security-critical function which used taint data in dangerous ways that could cause vulnerability exploit. A vulnerability exploit detection prototype system was implemented. In contrast to other taint analysis systems, our prototype system has higher accuracy and vulnerability exploits coverage and low workloads.

TANG He-ping,HUANG Shu-guang,ZHANG Liang

2010-01-01

Abstract:Software vulnerabilities have become an omnipresent and dangerous threat to network security.Vulnerability Exploits Detection is proposed to take active defense measures to monitor system state and cut exploit data sources off or terminate program execution before exploitation.Taint analysis for vulnerability exploits detection is composed of taint propagation link,taint propagation,taint analysis and taint track.A Vulnerability exploits detection prototype system was implemented by emulator and many optimization mechanisms.In contrast to the experiment result of other taint analysis systems,our prototype system has higher accuracy and vulnerability exploits coverage.

唐和平,黄曙光,张亮

DOI: https://doi.org/10.3969/j.issn.1002-137x.2010.07.036

2010-01-01

Computer Science

Abstract:Untrusted data originating from network user input and configuration files,causes many software security problems,when operated by security-critical function without strict data validation.Keeping track of the propagation of untrusted data is the main idea of dynamic taint analysis for vulnerability exploits detection.Data derived from network user input and configuration files were labeled as taint.Executed taint propagating algorithm by virtue of data flow analysis,and carried out several taint detection policies for each security-critical function.A vulnerability exploits detection prototype system was implemented on open source emulator and many optimization mechanisms were deployed.

CHEN Yan-ling,ZHAO Jing

DOI: https://doi.org/10.3724/sp.j.1087.2011.02367

2011-01-01

Abstract:The record of the current taint analysis tool is not accurate.To solve this,dynamic taint analysis based on the virtual technology was studied and implemented.A virtualization based dynamic taint analysis framework was designed,and two kinds of taint signature models based on Hook technology and Hash-traversal technology were given respectively for memory taint and hard disk taint.A taint propagation strategy was put forward according to the instruction type which was classified by instruction encoding format of InterAMD,and a taint record strategy based on instruction filtering was given to solve the problem of redundant information records.The experimental results prove that the proposed method is effective,and can be well used in test case generation and vulnerability detection of fuzzy test.

Erzhou Zhu,Xuejun Li,Feng Liu,Xuejian Li,Zhujuan Ma

DOI: https://doi.org/10.4304/jcp.9.3.566-575

2014-01-01

Journal of Computers

Abstract:For the purpose of discovering security flaws in software, many dynamic and static taint analyzing techniques have been proposed. By analyzing information flow at runtime, dynamic taint analysis can precisely find security flaws of software. However, on one hand, it suffers from substantial runtime overhead and is incapable of discovering the potential threats. On the other hand, static taint analysis analyzes program’s code without actually executing it which incurs no runtime overhead, and can cover all the code, but it is often not accurate enough. In addition, since the source code of most software is hard to acquire and intruders simply do not attach target program’s source code in practice, software flaw tracking becomes rather complicated. In order to cope with these issues, this paper proposes HYBit, a novel hybrid framework which integrates dynamic and static taint analysis to diagnose the flaws or vulnerabilities for binary programs. In the framework, the source binary is first analyzed by the dynamic taint analyzer. Then, with the runtime information provided by its dynamic counterpart, the static taint analyzer can process the unexecuted part of the target program easily. Furthermore, a taint behavior filtration mechanism is proposed to optimize the performance of the framework. We evaluate our framework from three perspectives: efficiency, coverage, and effectiveness. The results are encouraging.

Ping Wang,Wen-Hui Lin,Wun Jie Chao,Kuo-Ming Chao,Chi-Chun Lo

DOI: https://doi.org/10.1109/icebe.2015.75

2015-01-01

Abstract:Most existing approaches focus on examining the values are dangerous for information flow within inter-suspicious modules of cloud applications (apps) in a host by using malware threat analysis, rather than the risk posed by suspicious apps were connected to the cloud computing server. Accordingly, this paper proposes a taint propagation analysis model incorporating a weighted spanning tree analysis scheme to track data with taint marking using several taint checking tools. In the proposed model, Android programs perform dynamic taint propagation to analyse the spread of and risks posed by suspicious apps were connected to the cloud computing server. In determining the risk of taint propagation, risk and defence capability are used for each taint path for assisting a defender in recognising the attack results against network threats caused by malware infection and estimate the losses of associated taint sources. Finally, a case of threat analysis of a typical cyber security attack is presented to demonstrate the proposed approach. Our approach verified the details of an attack sequence for malware infection by incorporating a finite state machine (FSM) to appropriately reflect the real situations at various configuration settings and safeguard deployment. The experimental results proved that the threat analysis model allows a defender to convert the spread of taint propagation to loss and practically estimate the risk of a specific threat by using behavioural analysis with real malware infection.

Jingling Zhao,Junxin Qi,Liang Zhou,Baojiang Cui

DOI: https://doi.org/10.1109/IMIS.2016.46

2016-01-01

Abstract:With the continuous development of J2EE technology, frequent attacks using security vulnerabilities in web applications have caused enormous economic loss to the users. Dynamic taint tracking is an important part to analyze the program dynamically. In this paper, we put forward a new dynamic solution in the Java virtual machine, warning external attacks and recording specific taint propagation path. This scheme combines static analysis techniques to collect reachable "source-derivation-sink" taint flow and reduce the runtime overhead. With the help of AOP (aspect-oriented programming) technology, we could only insert monitor codes to interested taint paths to improve the efficiency of instrumentation. Finally, we implemented this dynamic taint tracking approach to explore SQL injection and XSS vulnerabilities in web applications based on the Java Servlet Specification and proved practicality.

Liu Xingbo,Li Yuanlin,Yu mingjun,Zheng Yan,Yu Jinlong,Guo Yunfeng,Kong Huafeng,Qiang Weizhong

DOI: https://doi.org/10.3969/j.issn.1000-386x.2022.11.045

2022-01-01

Abstract:Taint analysis technology is an important technical means for vulnerability detection. Due to the lack of additional information at runtime, using static taint analysis technology to detect code will produce many false positives. Based on the taint analysis technology, this paper proposes a more fine-grained taint analysis method for Web vulnerabilities. A more accurate object status record was generated during code analysis. The execution path of the code was judged and the stain and sink transfer processes were accurately recorded, which effectively reduced over-pollution and under-pollution. The symbol execution tool was used to verify the reachability of the vulnerability location, and some false vulnerability warnings could be eliminated, which effectively reduced the false positive and false negative rates.

Ruoyu Zhang,Shiqiu Huang,Zhengwei Qi,Haibing Guan

DOI: https://doi.org/10.1016/j.camwa.2011.08.001

IF: 3.218

2012-01-01

Computers & Mathematics with Applications

Abstract:The evolution of computer science has exposed us to the growing gravity of security problems and threats. Dynamic taint analysis is a prevalent approach to protect a program from malicious behaviors, but fails to provide any information about the code which is not executed. This paper describes a novel approach to overcome the limitation of traditional dynamic taint analysis by integrating static analysis into the system and presents framework SDCF to detect software vulnerabilities with high code coverage. Our experiments show that SDCF is not only able to provide efficient runtime protection by introducing an overhead of 4.16× based on the taint tracing technique, but is also capable of discovering latent software vulnerabilities which have not been exploited, and achieve code coverage of more than 90%.

Erzhou Zhu,Feng Liu,Zuo Wang,Alei Liang,Yiwen Zhang,Xuejian Li,Xuejun Li

DOI: https://doi.org/10.1016/j.cose.2015.03.008

IF: 5.105

2015-01-01

Computers & Security

Abstract:By analyzing information flow at runtime, dynamic taint analysis can precisely detect a wide range of vulnerabilities of software. However, it suffers from substantial runtime overhead and is incapable of discovering potential threats. Yet, realistically, the interested analyst doesn't have access to the source code of the malware. Therefore, the task of software flaw tracking becomes rather complicated. In order to cope with these issues, this paper proposes Dytaint, a novel lightweight 3-state dynamic taint analysis framework, for diagnosing more software vulnerabilities with lower runtime overhead. The framework works for the x86 binary executables and requires no special hardware assistance. Besides the tainted and the untainted states that are discussed by many popularly used taint analysis tools, the third state, controlled-taint state, is proposed to detect more types of software vulnerabilities. The new Chaining Hash Table which reduces the space for storing taint information without increasing the accessing time is also incorporated in the framework. Furthermore, two mechanisms, namely, the irrelevant API filtering based on the function recognition method and basic block handling, are introduced to optimize the runtime performance of our framework. The testing results by running SPEC CINT2006 benchmarks and various popular software have demonstrated that Dytaint is efficient which incurs only 3.1 times overhead to the native on average and practical which is able to discover not only all the real threats but also most of the potential ones.

Pankaj Kohli

DOI: https://doi.org/10.48550/arXiv.0906.4481

2009-07-01

Abstract:Memory corruption attacks remain the primary threat for computer security. Information flow tracking or taint analysis has been proven to be effective against most memory corruption attacks. However, there are two shortcomings with current taint analysis based techniques. First, these techniques cause application slowdown by about 76% thereby limiting their practicality. Second, these techniques cannot handle non-control data attacks i.e., attacks that do not overwrite control data such as return address, but instead overwrite critical application configuration data or user identity data. In this work, to address these problems, we describe a coarse-grained taint analysis technique that uses information flow tracking at the level of application data objects. We propagate a one-bit taint over each application object that is modified by untrusted data thereby reducing the taint management overhead considerably. We performed extensive experimental evaluation of our approach and show that it can detect all critical attacks such as buffer overflows, and format string attacks, including non-control data attacks. Unlike the currently known approaches that can detect such a wide range of attacks, our approach does not require the source code or any hardware extensions. Run-time performance overhead evaluation shows that, on an average, our approach causes application slowdown by only 37% which is an order of magnitude improvement over existing approaches. Finally, since our approach performs run-time binary instrumentation, it is easier to integrate it with existing applications and systems.

Cryptography and Security

Li Fang Han,Ting,Kun Lun Gao,Nan Liu,Bao Jiang Cui

DOI: https://doi.org/10.4028/www.scientific.net/amm.602-605.3846

2014-01-01

Applied Mechanics and Materials

Abstract:Java applications have proliferated rapidly in recent years, and the security issue in the source code seems to bring a great threat which cannot be ignored. SQL injection and cross-site scripting vulnerabilities, path traversal, and so on are common Java security vulnerabilities. These vulnerabilities are usually caused by improper handling of user input and we call them input validation vulnerabilities [1].In this paper, we propose a Java source code analysis method based on the taint tracking. By means of vulnerability pattern match, we keep track of the introduction of tainted data and its propagation in different contexts, leading to comprehensive and accurate test results. Actually, we have applied this method to some of the open-source Java projects. Compared to other similar software, our technique presents good feasibility and superiority.

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

Xiajing Wang,Rui Ma,Bowen Dou,Zefeng Jian,Hongzhou Chen

DOI: https://doi.org/10.1155/2018/7693861

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Dynamic taint analysis is a powerful technique for tracking the flow of sensitive information. Different approaches have been proposed to accelerate this process in an online or offline manner. Unfortunately, most of these approaches still have performance bottlenecks and thus reduce analytical efficiency. To address this limitation, we present OFFDTAN, a new approach of offline dynamic taint analysis for binaries. OFFDTAN can be described in terms of four stages: dynamic information acquisition, vulnerability modeling, offline analysis, and backtrace analysis. It first records program runtime information and models the stack buffer overflow vulnerabilities and controlled jump vulnerabilities. Then it performs offline analysis and backtrace analysis to locate vulnerabilities. We implement OFFDTAN on the basis of QEMU virtual machine and apply it to off-the-shelf applications. In order to illustrate how our approach works, we first employ a case study. Furthermore, six applications have been verified so as to evaluate our approach. Experimental results demonstrate that our approach is correct and effective. Compared with other offline analysis tools, OFFDTAN has much lower application runtime overhead.

Bin ZHANG,Meng-jun LI,bo WU,Chao-jing TANG

DOI: https://doi.org/10.3969/j.issn.1004-373X.2014.19.028

2014-01-01

Abstract:Since traditional fuzzy testing may test the same state space repeatedly due to the different input,and lead to a low efficiency,a binary oriented fuzzy testing technique based on dynamic taint analysis combined with input field classification technology is presented in this paper,which can perform the oriented fuzzy testing for typical security-sensitive operation and general module function,and serve as a good solution to the problem of low efficiency of the traditional fuzzy testing. The proto-type system TaintedFuzz was also realized for binary oriented fuzzy testing. The experiment proves that the method is capable of exploring the typical security vulnerabilities in the binary program efficiently.

Xiao-Song Zhang,Liu Zhi,Da-Peng Chen

DOI: https://doi.org/10.1109/icacia.2008.4769974

2008-01-01

Abstract:Malware has posted a great risk to the privacy of users and data. Unfortunately, current anomaly detection is both coarse-grained and ineffective to detect them, because some behaviors can only be triggered in specific circumstances, moreover, it is difficult to analyze and evaluate compromised data. In this paper, we address the two problems via taint-based analysis. First, we precisely characterize malware behaviors in virtual environments, where behaviors can be completely explored by tainting return values of security-related system calls in order to traverse multiple execution branches. Second, sensitive data are also tainted to track their propagation to determine whether they are transmitted maliciously. A supporting distributed architecture is presented to optimize efficiency. Our approach is an effective complement to current anomaly-based models. The initial experiment demonstrates our system can detect a variety of malware with high accuracy and low overhead.

Erzhou Zhu,Haibing Guan,Alei Liang,Rongbin Xu,Xuejian Li,Feng Liu

DOI: https://doi.org/10.1007/978-3-642-38715-9_28

2013-01-01

Abstract:For the purpose of discovering security flaws in software, many dynamic and static taint analyzing techniques have been proposed. The dynamic techniques can precisely find the security flaws of the software; but it suffers from substantial runtime overhead. On the other hand, the static techniques require no runtime overhead; but it is often not accurate enough. In this paper, we propose HYBit, a novel hybrid framework which integrates dynamic and static taint analysis to diagnose the security flaws for binary programs. In the framework, the source binary is first analyzed by the dynamic taint analyzer; then, with the runtime information provided by its dynamic counterpart, the static taint analyzer can process the unexecuted part of the target program easily. Furthermore, a taint behavior filtration mechanism is proposed to optimize the performance of the framework. We evaluate our framework from three perspectives: efficiency, coverage, and effectiveness, and the results are encouraging. © 2013 Springer-Verlag Berlin Heidelberg.

Yu Hao,Xiaodong Zhang,Zijiang Yang,Ting Liu

2017-01-01

Abstract:With the advent of multicore processors, there is a great need to write concurrency programs to take advantage of parallel computing resources. However, the undetermined execution of the concurrency programs poses a huge challenge to current dynamic malware analysis how to guarantee the program is secure under the same input. In our work, a dynamic taint analysis of concurrent program (DTAC) is proposed to systematically detect tainted instances on all possible executions under a given input, by introducing the symbolic execution to guide dynamic analysis. Symbolic analysis infers alternate interleavings of an executed trace and computes thread schedules that guide future executions. Dynamic analysis explores new execution traces that drive future symbolic analysis. Then, the analysis can identify whether there is abnormal behavior within these executions by tracing the data flow. A prototype is developed for multithreaded C programs, built upon LLVM, KLEE and Z3. The primary experiments show that our method can find all possible tainted instances in the demo case and can systematically analyze real concurrency programs in SPLASH2 and PARSEC.

孔德光,郑烇,帅建梅,陈超,葛瑶

2009-01-01

Abstract:Static analysis technology is a significant method to detect software vulnerabilities. To cope with the problem of untrusting data inputs leading to software vulnerabilities, presents a vulnerability detection method based on taint analysis. It tracks various kinds of input including program parameters and environment variables ,marks the type of input, after constructing the control flow graph, makes use of dataflow information, propagating the taint data to the vulnerability functions, to settle the problem of buffer overflow and format string. It utilizes the related information of control flow and dataflow during this process, thus improves the accuracy and decreases the false negatives. It is proved by experiment that this technology is an effective vulnerability analysis method.

Bo Wu,Bin Zhang,Sha Meng Wen,Meng Jun Li,Quan Zhang,Chao Jing Tang

DOI: https://doi.org/10.4028/www.scientific.net/amm.571-572.539

2014-01-01

Applied Mechanics and Materials

Abstract:Traditional Fuzzing is simple and easy to deploy but inefficient due to different inputs usually execute the redundant path. In this paper, we put forward a binary-oriented Fuzzing technique based on input format analysis and dynamic taint analysis, which can detect vulnerability more efficient than traditional Fuzzing method. We implemented a prototype system called Smart and Directed Fuzz (SDFuzz), which first searches the locations where interested functions are called, then uses dynamic taint analysis technique to classify input data into safety-related data and safety-unrelated data, finally mutates safety-related data to direct the test procedure. The evaluation shows that our method can be used to detect vulnerabilities in binary software efficiently.