Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
James Clause, Wanchun (Paul) Li, and Alessandro Orso
College of Computing, Georgia Institute of Technology
Partially supported by: NSF awards CCF-0541080 and CCR-0205422 to Georgia Tech, DHS and US Air Force Contract No. FA8750-05-2-0214
Dynamic taint analysis (aka dynamic information-flow analysis)
(Animated diagram: values A, B and Z flow through the program into C; tags 1, 2 and 3 travel with the data.)
Dynamic tainting applications
• Information policy enforcement: ensure classified information does not leak outside the system (e.g., Vachharajani et al. 04, McCamant and Ernst 06)
• Attack detection / prevention: detect / prevent attacks such as SQL injection, buffer overruns, stack smashing, cross site scripting (e.g., Suh et al. 04, Newsome and Song 05, Halfond et al. 06, Kong et al. 06, Qin et al. 06)
• Testing: coverage metrics, test data generation heuristics, ... (e.g., Masri et al. 05, Leek et al. 07)
• Data lifetime / scope: track how long sensitive data, such as passwords or account numbers, remain in the application (e.g., Chow et al. 04)
Motivation
(Diagram: today every analysis needs its own ad-hoc taint analysis implementation to produce its results, and that implementation is repeated for each new analysis.)
![Page 15: Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)](https://reader034.fdocuments.net/reader034/viewer/2022051820/553894924a79590a7f8b477b/html5/thumbnails/15.jpg)
Motivation
Configuration
Dytan Generic Framework
Custom Dynamic Taint Analysis Results
![Page 16: Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)](https://reader034.fdocuments.net/reader034/viewer/2022051820/553894924a79590a7f8b477b/html5/thumbnails/16.jpg)
Motivation
•Flexible
Configuration
Dytan Generic Framework
Custom Dynamic Taint Analysis Results
![Page 17: Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)](https://reader034.fdocuments.net/reader034/viewer/2022051820/553894924a79590a7f8b477b/html5/thumbnails/17.jpg)
Motivation
•Flexible•Easy to use
Configuration
Dytan Generic Framework
Custom Dynamic Taint Analysis Results
![Page 18: Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)](https://reader034.fdocuments.net/reader034/viewer/2022051820/553894924a79590a7f8b477b/html5/thumbnails/18.jpg)
Motivation
•Flexible•Easy to use•Accurate
Configuration
Dytan Generic Framework
Custom Dynamic Taint Analysis Results
Outline
✓ Motivation & overview
• Framework (Dytan)
  • flexibility
  • ease of use
  • accuracy
• Empirical evaluation
• Conclusions
Framework: flexibility
A configuration has three parts:
• Taint sources: which data to tag, and how to tag it
• Propagation policy: how tags should be propagated at runtime
• Taint sinks: where and how tags should be checked
Taint sources
What to tag: identify what program data should be assigned tags
• Variables (local or global)
• Function parameters
• Function return values
• Data from an input stream (network, filesystem, keyboard, ...)
• Specific input stream (141.195.121.134:80, a.txt, ...)
How to tag: describe how tags should be assigned for identified data
• Single tag
• One tag per source
• Multiple tags per source
• ...
Taint sources: example
What to tag: a.txt
How to tag: single tag → every byte read from a.txt carries the same tag (1 1 1 1 1 1)
How to tag: multiple tags → each byte read from a.txt carries its own tag (1 2 3 4 5 ... n)
Propagation policy
(Diagram: A and B, carrying tags 1 and 2, and a branch carrying tag 3, flow into C.)
Affecting data: data that affects the outcome of a statement through
• Data dependencies
• Control dependencies
A policy can consider both or only data dependencies
Mapping function: define how tags associated with affecting data should be combined
• Union
• Max
• ...
Propagation policy: example
    if(X) {
        C = A + B;
    }
A carries tag 1, B carries tag 2, and the condition X carries tag 3.
Affecting data: data dependence / control dependence
Mapping function: union / max
• data dependence only, union: C gets tags 1 2
• data and control dependence, union: C gets tags 1 2 3
Taint sinks
Where to check: location in the program to perform a check
• Function entry / exit
• Statement type
• Specific program point
What to check: the data whose tags should be checked
• Variables
• Function parameters
• Function return value
How to check: set of conditions to check and a set of actions to perform if the conditions are not met.
• validate presence of tags (exit or log)
• ensure absence of tags (exit or log)
• ...
Taint sinks: example
    cmd = read(file);          // tag 2
    args = read(socket);       // tag 3
    cmd = trim(cmd + args);    // tags 2 3
    ...
    tok[] = parse(cmd);        // tags 2 3
    exec(tok[0], tok[1]);
Where / what to check: function: exec, param: 0
How to check: validate presence of: / validate absence of:
Result: tok[0] carries tags 2 3 → ✘
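The three configuration parts above (taint sources, propagation policy, taint sinks) and the two slide snippets, as an added Python example that is not Dytan's own code: a toy tag tracker in which each part is a switch. It assumes variable-level tags (the per-byte "multiple tags" option is not modelled), that the analysed program is driven by explicit calls rather than instrumented, and, for the exec sink, that the check is "validate absence of the socket's tag", since the transcript does not say which tags the slide checks.

```python
"""Added example (not Dytan's code): a toy variable-level tag tracker that
models the three configuration parts on the slides -- taint sources,
propagation policy, taint sinks -- and replays the slides' two snippets.
Tags are small integers in Python sets; the analysed program is driven by
explicit calls instead of being instrumented, which is a simplification."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Propagation policy: which data affects a statement, and how tags combine."""
    control_deps: bool = True   # affecting data: include control dependencies?
    mapping: str = "union"      # mapping function: "union" or "max"

    def combine(self, tag_sets):
        tags = set().union(*tag_sets) if tag_sets else set()
        if self.mapping == "union":
            return tags
        if self.mapping == "max":
            return {max(tags)} if tags else set()
        raise ValueError(f"unknown mapping function {self.mapping!r}")


@dataclass
class Sink:
    """Taint sink: where (function, param), what (that param's tags), how (conditions)."""
    func: str
    param: int
    require_present: set = field(default_factory=set)
    require_absent: set = field(default_factory=set)


class TagTracker:
    def __init__(self, policy, sinks, tagging="per-source"):
        self.policy = policy
        self.sinks = list(sinks)
        self.tagging = tagging      # "single": every source gets tag 1; "per-source": a fresh tag each
        self.tags = {}              # variable name -> set of tags
        self.control = []           # tag sets of the enclosing branch conditions
        self.next_tag = 1
        self.violations = []        # (func, param, tags) for every failed check

    # taint sources: data read from an input stream gets tagged
    def read(self, var, stream):
        tag = 1 if self.tagging == "single" else self.next_tag
        self.next_tag += 1
        self.tags[var] = {tag}
        return tag

    # propagation policy: dst gets the tags of its data dependencies (srcs)
    # and, if the policy says so, of its control dependencies
    def assign(self, dst, *srcs):
        affecting = [self.tags.get(s, set()) for s in srcs]
        if self.policy.control_deps:
            affecting += self.control
        self.tags[dst] = self.policy.combine(affecting)
        return self.tags[dst]

    def enter_if(self, cond_var):
        self.control.append(self.tags.get(cond_var, set()))

    def exit_if(self):
        self.control.pop()

    # taint sinks: at a call, check every sink configured for (func, param);
    # the "action" here is to record the violation rather than exit or log
    def call(self, func, *args):
        ok = True
        for sink in self.sinks:
            if sink.func != func or sink.param >= len(args):
                continue
            tags = self.tags.get(args[sink.param], set())
            if not sink.require_present <= tags or tags & sink.require_absent:
                self.violations.append((func, sink.param, frozenset(tags)))
                ok = False
        return ok


def propagation_example(control_deps, mapping):
    """First snippet: A carries tag 1, B tag 2, X tag 3; if(X) { C = A + B; }.
    Returns C's tags under the given affecting-data / mapping-function choice."""
    t = TagTracker(Policy(control_deps, mapping), sinks=[])
    t.tags.update({"A": {1}, "B": {2}, "X": {3}})
    t.enter_if("X")
    c = t.assign("C", "A", "B")
    t.exit_if()
    return c


def sink_example():
    """Second snippet with a sink at exec param 0.  Assumption: the check is
    'validate absence of the socket's tag' (the transcript does not say which)."""
    t = TagTracker(Policy(control_deps=False, mapping="union"), sinks=[])
    t.next_tag = 2                               # the slide numbers its sources 2 and 3
    t.read("cmd", "file")                        # cmd  = read(file);       tag 2
    socket_tag = t.read("args", "socket")        # args = read(socket);     tag 3
    t.assign("cmd", "cmd", "args")               # cmd  = trim(cmd + args); tags {2, 3}
    t.assign("tok", "cmd")                       # tok[] = parse(cmd);      tags {2, 3}
    t.sinks.append(Sink("exec", 0, require_absent={socket_tag}))
    ok = t.call("exec", "tok", "tok")            # exec(tok[0], tok[1]); both share tok's tags
    return ok, t.tags["tok"], t.violations
```

propagation_example(False, "union") returns {1, 2} and propagation_example(True, "union") returns {1, 2, 3}, the two results the slides show; with the "max" mapping function the same calls return {2} and {3}. sink_example() returns ok=False with one recorded violation, because tok[0] reaches exec carrying both tag 2 (file) and tag 3 (socket).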
Framework: ease of use
Provide two ways to configure the framework
• Basic
  • Select sources, propagation policies, and sinks from a set of predefined options
  • XML based configuration
• Advanced
  • Suitable for more esoteric applications
  • Extend OO implementation
Framework: accuracy
• Dytan operates at the binary level
• consider the actual program semantics
• transparently handle libraries
• Dytan accounts for both data- and control-flow dependencies
Framework: accuracy
The most common source of inaccuracy is incorrectly identifying the information produced and consumed by a statement. Two common examples:
• Implicit operands: add %eax, %ebx // A = A + B
  produced: %eax, %eflags
• Address generators: add %eax, [%ebx] // A = A + *B
  consumed: %eax, [%ebx], %ebx
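What the accuracy slides mean by implicit operands and address generators, and the "no IM" / "no AG" policies that RQ2 below compares, as an added Python example that is not Dytan's own code. It assumes the slide's operand order (`add DEST, SRC`), models memory by its base register only (no real addresses), and uses a constructed register state in which %ebx carries tag 7.

```python
"""Added example (not Dytan's code): a model of what a two-operand x86
instruction produces and consumes, with the two inaccuracies named on the
slide as switches: ignore implicit operands (%eflags) and ignore address
generators (the base register inside a memory operand).  Operand syntax
follows the slide, `add DEST, SRC`, with registers written %eax and a memory
operand written [%ebx]."""
from dataclasses import dataclass

ALU_OPS = {"add", "sub", "and", "or", "xor"}   # read and write DEST, write %eflags


@dataclass(frozen=True)
class Operand:
    kind: str   # "reg" or "mem"
    name: str   # the register, or the base register of a memory operand

    @staticmethod
    def parse(text):
        text = text.strip()
        if text[0] == "[" and text[-1] == "]":
            return Operand("mem", text[1:-1].strip())
        return Operand("reg", text)

    def location(self):
        # memory is keyed by its base register here (no real addresses)
        return (self.kind, self.name)


def consumed_produced(instr, implicit_operands=True, address_generators=True):
    """Return (consumed, produced) locations for `mov` or an ALU instruction."""
    mnemonic, rest = instr.split(None, 1)
    dest, src = (Operand.parse(p) for p in rest.split(","))
    consumed = {src.location()}
    produced = {dest.location()}
    if mnemonic in ALU_OPS:
        consumed.add(dest.location())            # A = A + B reads A as well
        if implicit_operands:
            produced.add(("reg", "%eflags"))     # the flags depend on the result
    elif mnemonic != "mov":
        raise ValueError(f"unsupported instruction {mnemonic!r}")
    if address_generators:
        for op in (dest, src):
            if op.kind == "mem":
                consumed.add(("reg", op.name))   # [%ebx] also reads %ebx
    return consumed, produced


def propagate(tags, instr, implicit_operands=True, address_generators=True):
    """Update the location -> tag-set map for one instruction: every produced
    location receives the union of the tags of every consumed location."""
    consumed, produced = consumed_produced(instr, implicit_operands, address_generators)
    incoming = set().union(*(tags.get(loc, set()) for loc in consumed))
    for loc in produced:
        tags[loc] = set(incoming)
    return tags


def slide_example(implicit_operands=True, address_generators=True):
    """Constructed state: %ebx holds an index derived from input (tag 7);
    %eax and the memory at [%ebx] are untainted.  Runs `add %eax, [%ebx]` and
    returns the tags of %eax and of %eflags (which a following jz would read)."""
    tags = {("reg", "%ebx"): {7}}
    propagate(tags, "add %eax, [%ebx]", implicit_operands, address_generators)
    return tags.get(("reg", "%eax"), set()), tags.get(("reg", "%eflags"), set())


def compare_policies():
    """The four policies RQ2 compares, applied to the slide's instruction."""
    return {
        "Dytan":        slide_example(True, True),
        "no IM":        slide_example(False, True),
        "no AG":        slide_example(True, False),
        "no IM, no AG": slide_example(False, False),
    }
```

With both switches on, %eax and %eflags end up carrying tag 7. Dropping implicit operands leaves %eflags untagged, so a branch on the result would no longer count as a control dependency on the input; dropping address generators loses the flow through %ebx entirely and %eax stays untagged, which is the under-tainting RQ2 measures.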
Outline
✓ Motivation & overview
✓ Framework
  ✓ flexibility
  ✓ ease of use
  ✓ accuracy
• Empirical evaluation
• Conclusions
Empirical evaluation
• RQ1: Can Dytan be used to (easily) implement existing dynamic taint analyses?
• RQ2: How do inaccurate propagation policies affect the analysis results?
• In addition: discussion on performance
RQ1: flexibility
• Selected two techniques:
• Overwrite attack detection [Qin et al. 04]
• SQL injection detection [Halfond et al. 06]
• Used Dytan to re-implement both techniques
• Measure implementation time
• Validate against the original implementation
Goal: show that Dytan can be used to (easily) implement existing dynamic taint analyses
RQ1: results
• Implementation time:
• Overwrite attack detection: < 1 hour
• SQL injection detection: < 1 day
• Comparison with original implementations:
• Successfully stopped same attacks as the original implementations
RQ2: accuracy impact
• Selected two subjects:
  • Gzip (75 KB w/o libraries)
  • Firefox (850 KB w/o libraries)
• Use Dytan to taint program inputs and measure the amount of heap data tainted at program exit
• Compare Dytan against inaccurate policies:
  • no implicit operands (no IM)
  • no address generators (no AG)
  • no implicit operands, no address generators (no IM, no AG)
Goal: measure the effect of inaccurate propagation policies on analysis results
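The implicit-operand example on the accuracy slide and the three degraded policies compared in RQ2 can be exercised in a toy engine. The following is an added example written for this page, not Dytan's code or the paper's experiment: the Insn, Policy and TaintEngine names, the AT&T-syntax trace, the location names (in0, out0, out1, table[?]) and the taint mark "input:0" are all constructed. It runs a six-instruction trace with one tainted input byte under the full policy and under no IM, no AG, and no IM/no AG, and reports which outputs are still tainted at the end; the flag flow (cmp, then setne) and the address flow (a table lookup indexed by the input) are each lost by exactly one of the degraded policies.

```python
"""Toy byte-level dynamic taint engine over a hand-written x86 trace.

Added example, not Dytan's own code. It models the two propagation-policy
choices varied in RQ2: whether implicit operands such as %eflags count as
consumed/produced (IM), and whether the registers that generate a memory
address pass their taint to the loaded value (AG). The instruction model,
location names and trace below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Insn:
    """One dynamic instruction, operands split the way a policy needs them."""
    text: str                       # AT&T syntax, for the reader only
    consumed: tuple = ()            # explicit sources
    produced: tuple = ()            # explicit destinations
    implicit_consumed: tuple = ()   # e.g. %eflags read by setcc / jcc / adc
    implicit_produced: tuple = ()   # e.g. %eflags written by add / cmp
    addr_generators: tuple = ()     # base/index registers of a memory operand


@dataclass(frozen=True)
class Policy:
    implicit_operands: bool = True   # IM: propagate through implicit operands
    address_generators: bool = True  # AG: loaded value inherits address-register taint


class TaintEngine:
    """Maps each location (register or memory cell) to a set of taint marks."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.taint = {}

    def marks(self, loc: str) -> set:
        return self.taint.get(loc, set())

    def taint_source(self, loc: str, mark: str) -> None:
        self.taint.setdefault(loc, set()).add(mark)

    def step(self, insn: Insn) -> None:
        sources = list(insn.consumed)
        dests = list(insn.produced)
        if self.policy.implicit_operands:
            sources += insn.implicit_consumed
            dests += insn.implicit_produced
        if self.policy.address_generators:
            sources += insn.addr_generators
        incoming = set()
        for src in sources:
            incoming |= self.marks(src)
        # Destinations are overwritten: they receive exactly the union of the
        # source marks, so an untainted source clears a destination's old taint.
        for dst in dests:
            self.taint[dst] = set(incoming)


# Constructed trace: one input byte flows (a) through %eflags into a
# flag-dependent value and (b) through an address computation into a table
# lookup. Both are data flows through the instructions' own operands.
TRACE = (
    Insn("movl in0, %eax",            consumed=("in0",),      produced=("%eax",)),
    Insn("cmpl $0x41, %eax",          consumed=("%eax",),     implicit_produced=("%eflags",)),
    Insn("setne %cl",                 produced=("%cl",),      implicit_consumed=("%eflags",)),
    Insn("movl table(,%eax,4), %ebx", consumed=("table[?]",), produced=("%ebx",),
         addr_generators=("%eax",)),
    Insn("movb %cl, out0",            consumed=("%cl",),      produced=("out0",)),
    Insn("movl %ebx, out1",           consumed=("%ebx",),     produced=("out1",)),
)
OUTPUTS = ("out0", "out1")


def tainted_outputs(policy: Policy) -> set:
    """Run TRACE with in0 tainted and return the outputs that carry taint."""
    engine = TaintEngine(policy)
    engine.taint_source("in0", "input:0")
    for insn in TRACE:
        engine.step(insn)
    return {loc for loc in OUTPUTS if engine.marks(loc)}


if __name__ == "__main__":
    for name, policy in (("Dytan (IM + AG)", Policy()),
                         ("no IM", Policy(implicit_operands=False)),
                         ("no AG", Policy(address_generators=False)),
                         ("no IM, no AG", Policy(False, False))):
        print(f"{name:16s} tainted outputs: {sorted(tainted_outputs(policy))}")
```

Run it directly to print the four rows. Both flows that the degraded policies drop are data flows, i.e. the configuration behind the "data flow" overhead figure on the performance slide; a tainted %eflags consumed by a conditional jump would instead be a control-flow propagation, which this toy does not model.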
RQ2: results
[Bar chart: percentage of heap data tainted at program exit (0% to 100%) for Firefox (1 page), Firefox (3 pages) and Gzip, comparing Dytan's full policy against No IM, No AG, and No IM/No AG.]
Performance
• Measured for gzip (slowdown relative to native execution):
  ≈30x with data-flow propagation only
  ≈50x with data- and control-flow propagation
• High overhead, but...
  • In line with existing implementations
  • Designed for experimentation
  • Favors flexibility over performance
  • Implementation can be further optimized
Related work
• Existing dynamic tainting approaches [Suh et al. 04, Newsome and Song 05, Halfond et al. 06, Kong et al. 06, ...]
  • Ad hoc
• Other dynamic taint analysis frameworks [Xu et al. 06, Lam and Chiueh 06]
  • Focused on security applications
  • Single taint mark
  • No control-flow propagation
  • Operate at the source code level
Conclusions
• Dytan
  • a general framework for dynamic tainting
  • allows for instantiating and experimenting with different dynamic taint analysis approaches
• Initial evaluation
  • flexible
  • easy to use
  • accurate
Future directions
• Tool release (documentation, code cleanup)
  http://www.cc.gatech.edu/~clause/dytan/ (pre-release on request)
• Optimization (general and specific)
• Applications
  • Memory protection
  • Debugging
Questions?
http://www.cc.gatech.edu/~clause/dytan/