Erzhou Zhu,Feng Liu,Zuo Wang,Alei Liang,Yiwen Zhang,Xuejian Li,Xuejun Li

DOI: https://doi.org/10.1016/j.cose.2015.03.008

IF: 5.105

2015-01-01

Computers & Security

Abstract:By analyzing information flow at runtime, dynamic taint analysis can precisely detect a wide range of vulnerabilities of software. However, it suffers from substantial runtime overhead and is incapable of discovering potential threats. Yet, realistically, the interested analyst doesn't have access to the source code of the malware. Therefore, the task of software flaw tracking becomes rather complicated. In order to cope with these issues, this paper proposes Dytaint, a novel lightweight 3-state dynamic taint analysis framework, for diagnosing more software vulnerabilities with lower runtime overhead. The framework works for the x86 binary executables and requires no special hardware assistance. Besides the tainted and the untainted states that are discussed by many popularly used taint analysis tools, the third state, controlled-taint state, is proposed to detect more types of software vulnerabilities. The new Chaining Hash Table which reduces the space for storing taint information without increasing the accessing time is also incorporated in the framework. Furthermore, two mechanisms, namely, the irrelevant API filtering based on the function recognition method and basic block handling, are introduced to optimize the runtime performance of our framework. The testing results by running SPEC CINT2006 benchmarks and various popular software have demonstrated that Dytaint is efficient which incurs only 3.1 times overhead to the native on average and practical which is able to discover not only all the real threats but also most of the potential ones.

Ruoyu Zhang,Shan Huang,Zhengwei Qi

DOI: https://doi.org/10.1109/CMC.2011.76

2011-01-01

Abstract:Software security has drawn much attention recently. As an effective approach to detect software vulnerabilities and improve software security, dynamic taint analysis has been frequently researched in the last few years. In this paper, we implement a dynamic taint tracking system LTTS. In order to address the efficiency problem which exists in many of the current taint tracking systems, we also propose a taint behavior summary mechanism to optimize the system. According to our experiments, LTTS has achieved relative high efficiency compared to the existing techniques.

CHEN Yan-ling,ZHAO Jing

DOI: https://doi.org/10.3724/sp.j.1087.2011.02367

2011-01-01

Abstract:The record of the current taint analysis tool is not accurate.To solve this,dynamic taint analysis based on the virtual technology was studied and implemented.A virtualization based dynamic taint analysis framework was designed,and two kinds of taint signature models based on Hook technology and Hash-traversal technology were given respectively for memory taint and hard disk taint.A taint propagation strategy was put forward according to the instruction type which was classified by instruction encoding format of InterAMD,and a taint record strategy based on instruction filtering was given to solve the problem of redundant information records.The experimental results prove that the proposed method is effective,and can be well used in test case generation and vulnerability detection of fuzzy test.

Yiyu Zhang,Tianyi Liu,Yueyang Wang,Yun Qi,Kai Ji,Jian Tang,Xiaoliang Wang,Xuandong Li,Zhiqiang Zuo

2024-02-27

Abstract:Dynamic taint analysis (DTA), as a fundamental analysis technique, is widely used in security, privacy, and diagnosis, etc. As DTA demands to collect and analyze massive taint data online, it suffers extremely high runtime overhead. Over the past decades, numerous attempts have been made to lower the overhead of DTA. Unfortunately, the reductions they achieved are marginal, causing DTA only applicable to the debugging/testing scenarios. In this paper, we propose and implement HardTaint, a system that can realize production-run dynamic taint tracking. HardTaint adopts a hybrid and systematic design which combines static analysis, selective hardware tracing and parallel graph processing techniques. The comprehensive evaluations demonstrate that HardTaint introduces only around 9% runtime overhead which is an order of magnitude lower than the state-of-the-arts, while without sacrificing any taint detection capability.

Cryptography and Security,Programming Languages,Software Engineering

Xiajing Wang,Rui Ma,Bowen Dou,Zefeng Jian,Hongzhou Chen

DOI: https://doi.org/10.1155/2018/7693861

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Dynamic taint analysis is a powerful technique for tracking the flow of sensitive information. Different approaches have been proposed to accelerate this process in an online or offline manner. Unfortunately, most of these approaches still have performance bottlenecks and thus reduce analytical efficiency. To address this limitation, we present OFFDTAN, a new approach of offline dynamic taint analysis for binaries. OFFDTAN can be described in terms of four stages: dynamic information acquisition, vulnerability modeling, offline analysis, and backtrace analysis. It first records program runtime information and models the stack buffer overflow vulnerabilities and controlled jump vulnerabilities. Then it performs offline analysis and backtrace analysis to locate vulnerabilities. We implement OFFDTAN on the basis of QEMU virtual machine and apply it to off-the-shelf applications. In order to illustrate how our approach works, we first employ a case study. Furthermore, six applications have been verified so as to evaluate our approach. Experimental results demonstrate that our approach is correct and effective. Compared with other offline analysis tools, OFFDTAN has much lower application runtime overhead.

Erzhou Zhu,Xuejun Li,Feng Liu,Xuejian Li,Zhujuan Ma

DOI: https://doi.org/10.4304/jcp.9.3.566-575

2014-01-01

Journal of Computers

Abstract:For the purpose of discovering security flaws in software, many dynamic and static taint analyzing techniques have been proposed. By analyzing information flow at runtime, dynamic taint analysis can precisely find security flaws of software. However, on one hand, it suffers from substantial runtime overhead and is incapable of discovering the potential threats. On the other hand, static taint analysis analyzes program’s code without actually executing it which incurs no runtime overhead, and can cover all the code, but it is often not accurate enough. In addition, since the source code of most software is hard to acquire and intruders simply do not attach target program’s source code in practice, software flaw tracking becomes rather complicated. In order to cope with these issues, this paper proposes HYBit, a novel hybrid framework which integrates dynamic and static taint analysis to diagnose the flaws or vulnerabilities for binary programs. In the framework, the source binary is first analyzed by the dynamic taint analyzer. Then, with the runtime information provided by its dynamic counterpart, the static taint analyzer can process the unexecuted part of the target program easily. Furthermore, a taint behavior filtration mechanism is proposed to optimize the performance of the framework. We evaluate our framework from three perspectives: efficiency, coverage, and effectiveness. The results are encouraging.

Xiao Kan,Cong Sun,Shen Liu,Yongzhe Huang,Gang Tan,Siqi Ma,Yumei Zhang

DOI: https://doi.org/10.1109/qrs54544.2021.00080

2021-01-01

Abstract:Dynamic taint analysis (DTA) has been widely used in various security-relevant scenarios that need to track the runtime information flow of programs. Dynamic binary instrumentation (DBI) is a prevalent technique in achieving effective dynamic taint tracking on commodity hardware and systems. However, the significant performance overhead incurred by dynamic taint analysis restricts its usage in production systems. Previous efforts on mitigating the performance penalty fall into two categories, parallelizing taint tracking from program execution and abstracting the tainting logic to a higher granularity. Both approaches have only met with limited success. In this work, we propose Sdft, an efficient approach that combines the precision of DBI-based instruction-level taint tracking and the efficiency of function-level abstract taint propagation. First, we build the library function summaries automatically with reachability analysis on the program dependency graph (PDG) to specify the control- and data dependencies between the input parameters, output parameters, and global variables of the target library. Then we derive the taint rules for the target library functions and develop taint tracking for library function that is tightly integrated into the state-of-the-art DTA framework Libdft. By applying our approach to the core C library functions of glibc, we report an average of 1.58x speed up of the tracking performance compared with Libdft64. We also validate the effectiveness of the hybrid taint tracking and the ability on detecting real-world vulnerabilities.

Rulin Xu,Xiaoguang Mao,Luohui Chen

DOI: https://doi.org/10.1109/apsec60848.2023.00035

2023-01-01

Abstract:Taint analysis of value flows, as a static analysis technique, has gained widespread application in the fields of software security and vulnerability mining. However, when dealing with complex programs, it still faces challenges in terms of precision and performance. This research proposes P-DATA, a parallel framework implementing dependency-aware taint analysis. P-DATA employs modeling to capture data and control dependencies, reducing false positives over tools like Clang Static Analyzer and SVF. To accelerate the analysis, P-DATA leverages a task-level parallel framework introducing Preemption of Computational Resources (PCR) and Asynchronous Taint Source Registration, lead to impressive scalability and efficiency. Evaluations demonstrate P-DATA's ability to significantly expedite taint analysis for large programs using multi-core resources, achieving over 25X speedup on 32 cores. P-DATA makes notable contributions by boosting precision, efficiency and scalability of security-critical program analysis through advanced dependency modeling and paral-lelization techniques. It provides an extensible high-performance framework benefiting static analysis advancement.

Chenghua Tang,Xiaolong Guan,Mengmeng Yang,Baohua Qiang

DOI: https://doi.org/10.1109/icsess58500.2023.10293040

2023-01-01

Abstract:In order to solve the problem of under-tainting caused by insufficient coverage in dynamic taint analysis and the inability to perform fine-grained level analysis, a dynamic taint analysis method combining symbolic execution and constraint association is proposed. First, through code coverage to guide symbolic execution path exploration and test case generation, code coverage of dynamic taint analysis is improved. Next, perform constraint association based on the corresponding taint constraint transfer rules. Finally, the generation of taint summaries in dynamic taint analysis is completed based on constraint associations, reducing the time consumption in the analysis process. This paper designs and implements a dynamic taint analysis tool TaintSE based on the above methods. The experimental results show that TaintSE effectively improves the code coverage of dynamic taint analysis, and reduces the time required for analysis while ensuring the accuracy of analysis results. In the BugBench test set, TaintSE's analysis path coverage increased by 24% −35% compared to the dynamic taint analysis tool Libdft. In addition, based on the results of taint analysis, the accuracy and recall of taint markers calculated are better than those of Libdft, while reducing the analysis time consumption by about 20%.

Baojiang Cui,Fuwei Wang,Tao Guo,Guowei Dong,Bing Zhao

DOI: https://doi.org/10.1109/eidwt.2013.105

2013-01-01

Abstract:This paper presents Flow Walker, a new dynamic taint analysis framework which focuses on eliminating the bottlenecks of the existing tools. The framework proposes a multi-taint-tag assemble level taint propagation strategy. Flow Walker separates taint tracking operations from execution with an off-line structure, uses memory-mapped file to enhance IO efficiency and processes taint paths during execution playback. Based on tainted path information, this paper presents a file format cognition algorithm. According to test data, the average program execution slowdown is less than seven times as original while the speed enhancement is about 15% compared to other cognate tools on Windows, and simple file formats are correctly partitioned with all constant fields extracted. Due to its efficiency and scalability, Flow Walker can be used in further security-related researches.

Jin-Xin MA,Zhou-Jun LI,Tao ZHANG,Dong SHEN,Zhang-Kai ZHANG

DOI: https://doi.org/10.13328/j.cnki.jos.005179

2017-01-01

Abstract:Taint analysis method in binary code plays an important role in reverse engineering,malicious code detecting and vulnerabilities analysis.Currently,most of taint analysis methods fail to operate float point instruction,and they do not propagate taints accurately and efficiently enough.In the paper,a taint analysis method is implemented based on offline indices of instruction trace,which are byte-grained and utilize taint tags.A generation and query algorithm of offline indices is also presented.Instructions unrelated to taint data are skipped with offline indices,which improves the efficiency of taint analysis.The taint loss problem resulted from real time translation is described and solved for the first time.Taint tags are utilized to denote where the taint data is derived.A more complete taint propagation algorithm,which could operate float point instructions and insure the taint data flow from source operands into the destination operands precisely,is also presented.Flexible user-configuration mechanism is implemented to produce taint data on the fly with black list.The proposed method is applied in vulnerabilities detecting and evaluated with 12 vulnerabilities as test cases.The experimental result shows that this taint analysis method is able to detect more vulnerabilities than TEMU,and is 5 times faster in average.

Baojiang Cui,Fuwei Wang,Tao Guo,Guowei Dong

DOI: https://doi.org/10.1016/j.cose.2015.02.006

IF: 5.105

2015-01-01

Computers & Security

Abstract:This paper presents FlowWalker, a novel dynamic taint analysis framework that aims to extract the complete taint data flow while eliminating the bottlenecks that occur in existing tools, with applications to file-format reverse engineering. The framework proposes a multi-taint-tag assembly-level taint propagation strategy. FlowWalker separates taint tracking operations from execution with an off-line structure, utilizes memory-mapped files to enhance I/O efficiency, processes taint paths during virtual execution playback, and uses parallelization and pipelining mechanisms to achieve speedup. Based on the semantic correlations implied by the taint path information, this paper presents an algorithm for extracting the structures of unknown file formats. According to test data, the overall program runtime ranges from 92.98% to 208.01% of the length of the underlying instrumentation alone, while the speed enhancement is 60% compared to another well-featured tool in Windows. Medium-complexity file formats are correctly partitioned, and the constant fields are extracted. Due to its efficiency and scalability, FlowWalker can address the needs of further security-related research.

Dongming Xiang,Shuai Lin,Ke Huang,Zuohua Ding,Guanjun Liu,Xiaofeng Li

DOI: https://doi.org/10.1016/j.cose.2024.104162

IF: 5.105

2024-10-21

Computers & Security

Abstract:Static taint analysis is a widely used method to identify vulnerabilities in Android applications. However, the existing tools for static analysis often struggle with processing times, particularly when dealing with complex real-world programs. To reduce time consumption, some tools choose to sacrifice analytical precision, e.g., FastDroid sets an upper limit for analysis iterations in Android applications. In this paper, we propose a labeled taint value graph (LTVG) to store taint flows, and implement a fine-grained analysis tool called LabeledDroid . This graph is constructed based on the taint value graph (TVG) of FastDroid, and takes into account both precision and time consumption. That is, we decompile an Android app into Jimple statements, develop fine-grained propagation rules to handle List , and construct LTVGs according to these rules. Afterwards, we traverse LTVGs to obtain high-precision taint flows. An analysis of 39 apps from the TaintBench benchmark shows that LabeledDroid is 0.87 s faster than FastDroid on average. Furthermore, if some common accuracy parameters are adapted in both LabeledDroid and FastDroid, the experiment demonstrates that the former is more scalable. Moreover, the maximum analysis time of LabeledDroid is less than 200 s and its average time is 46.25 s, while FastDroid sometimes experiences timeouts with durations longer than 600 s. Additionally, LabeledDroid achieves a precision of 70% in handling lists, while FastDroid and TaintSA achieve precisions of 38.9% and 41.2%, respectively.

computer science, information systems

Pankaj Kohli

DOI: https://doi.org/10.48550/arXiv.0906.4481

2009-07-01

Abstract:Memory corruption attacks remain the primary threat for computer security. Information flow tracking or taint analysis has been proven to be effective against most memory corruption attacks. However, there are two shortcomings with current taint analysis based techniques. First, these techniques cause application slowdown by about 76% thereby limiting their practicality. Second, these techniques cannot handle non-control data attacks i.e., attacks that do not overwrite control data such as return address, but instead overwrite critical application configuration data or user identity data. In this work, to address these problems, we describe a coarse-grained taint analysis technique that uses information flow tracking at the level of application data objects. We propagate a one-bit taint over each application object that is modified by untrusted data thereby reducing the taint management overhead considerably. We performed extensive experimental evaluation of our approach and show that it can detect all critical attacks such as buffer overflows, and format string attacks, including non-control data attacks. Unlike the currently known approaches that can detect such a wide range of attacks, our approach does not require the source code or any hardware extensions. Run-time performance overhead evaluation shows that, on an average, our approach causes application slowdown by only 37% which is an order of magnitude improvement over existing approaches. Finally, since our approach performs run-time binary instrumentation, it is easier to integrate it with existing applications and systems.

Cryptography and Security

LIANG Bin,GONG Weigang,YOU Wei,LI Zan,SHI Wenchang

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2017.26.043

2017-01-01

Abstract:Mainstream JavaScript engines have introduced optimizing compilers. These compilers generate more efficient executable code for frequently functions run, but these optimizing compilers brings new challenges to the dynamic taint analysis (DTA) method implemented via dynamic instrumentation. This paper focuses on the HTML5-based hybrid android App and presents a dynamic taint analysis method for the optimizing compilers in the V8 JavaScript engine using dynamic instrumentation. In this method, the taint box object is used to store the taint tags and the taint tracking code is instrumented at the hydrogen level of the optimizing compiler. Tests show that this dynamic taint analysis technique effectively tracks the taint information flow in the optimizing compiler with acceptable performance overhead.

Jingling Zhao,Junxin Qi,Liang Zhou,Baojiang Cui

DOI: https://doi.org/10.1109/IMIS.2016.46

2016-01-01

Abstract:With the continuous development of J2EE technology, frequent attacks using security vulnerabilities in web applications have caused enormous economic loss to the users. Dynamic taint tracking is an important part to analyze the program dynamically. In this paper, we put forward a new dynamic solution in the Java virtual machine, warning external attacks and recording specific taint propagation path. This scheme combines static analysis techniques to collect reachable "source-derivation-sink" taint flow and reduce the runtime overhead. With the help of AOP (aspect-oriented programming) technology, we could only insert monitor codes to interested taint paths to improve the efficiency of instrumentation. Finally, we implemented this dynamic taint tracking approach to explore SQL injection and XSS vulnerabilities in web applications based on the Java Servlet Specification and proved practicality.

Erzhou Zhu,Haibing Guan,Alei Liang,Rongbin Xu,Xuejian Li,Feng Liu

DOI: https://doi.org/10.1007/978-3-642-38715-9_28

2013-01-01

Abstract:For the purpose of discovering security flaws in software, many dynamic and static taint analyzing techniques have been proposed. The dynamic techniques can precisely find the security flaws of the software; but it suffers from substantial runtime overhead. On the other hand, the static techniques require no runtime overhead; but it is often not accurate enough. In this paper, we propose HYBit, a novel hybrid framework which integrates dynamic and static taint analysis to diagnose the security flaws for binary programs. In the framework, the source binary is first analyzed by the dynamic taint analyzer; then, with the runtime information provided by its dynamic counterpart, the static taint analyzer can process the unexecuted part of the target program easily. Furthermore, a taint behavior filtration mechanism is proposed to optimize the performance of the framework. We evaluate our framework from three perspectives: efficiency, coverage, and effectiveness, and the results are encouraging. © 2013 Springer-Verlag Berlin Heidelberg.

Heping Tang,Shuguang Huang,Yongliang Li,Lei Bao

DOI: https://doi.org/10.1109/ICCET.2010.5485224

2010-01-01

Abstract:Untrusted Data originating from network input and configuration files, causes many software security problems. Keeping track of the propagation of untrusted data in program runtime is the main idea of dynamic taint analysis for vulnerability exploits detection. In this method data from network user input and configuration files were labeled as taint. In virtue of data flow analysis we design taint propagating algorithm, and define several taint detection policies for security-critical function which used taint data in dangerous ways that could cause vulnerability exploit. A vulnerability exploit detection prototype system was implemented. In contrast to other taint analysis systems, our prototype system has higher accuracy and vulnerability exploits coverage and low workloads.

Binbin Li,Rui Ma,Xuefei Wang,Xiajing Wang,Jinyuan He

DOI: https://doi.org/10.1145/3380625.3380642

2020-01-01

Abstract:Since static taint analysis is performed prior to execution by considering all possible execution paths, it can discover potential security issues before the program running. Currently, many taint analysis tools pay more attention to data dependence in the program. Whereas implicit flow analysis based on control dependence is generally not considered owning to its complexity. Therefore, this paper presents a static taint analysis method named DepTaint, which expands the static checkers of LLVM, focuses on program dependence including data and control dependence in the program. DepTaint analyzes the taint variables propagated along explicit flows and implicit flows, especially commendably handles the under-taint in explicit flow analysis. Our evaluations demonstrate that, for 8 programs containing data and control dependence and 8 programs injected different common vulnerabilities (i.e., array bounds, double free, format string vulnerability, heap overflow, integer overflow, stack overflow, and UAF), DepTaint significantly outperforms LLVM's static checker both at marking taint variables and achieving more finegrained taint propagation paths. Specially, for the programs containing branch selection and loop structure, DepTaint on average marks 2X and 3.6X taint variables than LLVM's static checker.

Chenghua Tang,Zheng Du,Mengmeng Yang,Baohua Qiang

DOI: https://doi.org/10.1016/j.cose.2023.103186

IF: 5.105

2023-01-01

Computers & Security

Abstract:Taint analysis is a method used to detect system security problems by tracking the flow of user input or information leakage through the system. In the taint analysis for Android applications, the complete taint propagation path is generally obtained by tracking the taint data. There is often a compromise between efficiency and analysis accuracy in the method of obtaining the taint propagation path, or false positives and false negatives due to the neglect of Android features. Given the problems, a novel multi-branch taint search association algorithm is proposed, which optimized the processing of Android component features in taint analysis. It directly finds taint related codes and associates them according to predefined rules. It has effective Android taint analysis ability including alias analysis and reduced the negative impact of taint unrelated codes on the performance of taint analysis. At the same time, the Android static taint analysis prototype tool TaintSA is implemented based on the multi-branch taint search association algorithm. The experimental results show that TaintSA can not only ensure the analysis results' accuracy but also reduce the time and space required for taint analysis. The accuracy rate of 91.5% and the recall rate of 75.6% on the DroidBench2.0 test set are better than the taint analysis tool FlowDroid. The time consumption and memory consumption of about 30% and 20% are reduced at the same time. In terms of the representation of taint propagation edges, compared with FlowDroid, the taint propagation path output by TaintSA does not contain intermediate variables, and the form is more concise. In addition, TaintSA can output the taint propagation path without taint leakage, which is helpful for further taint analysis.