Taint Analysis Review


王卓

Agenda

- Overview
- People
- Tools

Overview

- Taint analysis, core principle: data arriving from untrusted channels such as the network is marked as "tainted"; any new data produced from it by a sequence of arithmetic and logic operations inherits the tainted/untainted status of its source data. Software vulnerabilities are then found by inspecting the taint status of instruction operands or function arguments.
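As an added illustration of the principle described above (not code from any tool or paper on this page), a minimal dynamic taint-tracking model in Python: bytes from a labelled untrusted source carry a taint set, arithmetic and logic operators propagate it to their results, and a policy check at a sensitive sink such as a copy length reports any tainted argument. All class and function names and the sample packet are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tainted:
    """An integer plus the set of untrusted sources it was derived from
    (empty set = clean). Hypothetical model, not any real tool's API."""
    value: int
    taint: frozenset = frozenset()

    def _combine(self, other, op):
        # Arithmetic/logic results inherit the taint of both operands.
        o = other if isinstance(other, Tainted) else Tainted(other)
        return Tainted(op(self.value, o.value), self.taint | o.taint)

    def __add__(self, other): return self._combine(other, lambda a, b: a + b)
    def __mul__(self, other): return self._combine(other, lambda a, b: a * b)
    def __or__(self, other): return self._combine(other, lambda a, b: a | b)
    def __lshift__(self, other): return self._combine(other, lambda a, b: a << b)

class TaintPolicyViolation(Exception):
    pass

def taint_source(data: bytes, label: str):
    """Mark every byte arriving from an untrusted channel with its source label."""
    return [Tainted(b, frozenset({label})) for b in data]

def check_sink(name: str, arg: Tainted) -> int:
    """Policy check at a sensitive sink (a copy length, a jump target, a
    system-call argument): any taint reaching it is reported as a finding."""
    if arg.taint:
        raise TaintPolicyViolation(f"{name} gets tainted {arg.value} from {sorted(arg.taint)}")
    return arg.value

def parse_length_field(packet) -> Tainted:
    """Rebuild a 16-bit big-endian length from two packet bytes; taint flows through."""
    return (packet[0] << 8) | packet[1]

def demo():
    """Returns (tainted length flagged at the sink?, constant-derived length clean?)."""
    pkt = taint_source(b"\x10\x00payload", "network")  # constructed sample packet
    try:
        check_sink("memcpy.len", parse_length_field(pkt))
        flagged = False
    except TaintPolicyViolation:
        flagged = True
    header_len = Tainted(64) + 16  # computed only from program constants
    check_sink("memcpy.len", header_len)
    return flagged, not header_len.taint
```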

Related Papers

Dawn Song

Associate Professor, Computer Science Division, University of California, Berkeley
- Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis
- Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software

Omer Tripp

PhD candidate at Tel-Aviv University
- TAJ: Effective Taint Analysis of Web Applications, PLDI 2009
- Learning Minimal Abstractions, POPL 2011

James Clause

Assistant professor at the University of Delaware
Research interests: software engineering, with emphasis on debugging and program analysis
- Penumbra: Automatically Identifying Failure-Relevant Inputs Using Dynamic Tainting, ISSTA 2009
- Dytan, ISSTA 2007
- Effective Memory Protection Using Dynamic Tainting, ASE 2007

Tielei Wang

Institute of Computer Science and Technology, Peking University
- TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection, IEEE S&P
- IntScope: Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution, NDSS 2009

TaintCheck

Authors: James Newsome, Dawn Song
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software, NDSS 2005
- The first practical taint tool.
- Based on Valgrind.

LIFT

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks
Feng Qin, Ohio State University; Cheng Wang, Intel Corporation; Zhenmin Li, University of Illinois at Urbana-Champaign
A low-overhead attack discoverer:
1. Fast Path
2. Merged Check
3. Fast Switch

Dytan

Dytan: A Generic Dynamic Taint Analysis Framework, ISSTA 2007
James Clause, Wanchun (Paul) Li, and Alessandro Orso
Highlight: control-flow taint

Buzzfuzz

Taint-based Directed Whitebox Fuzzing, ICSE 2009
Vijay Ganesh, Tim Leek and Martin Rinard, MIT
Uses taint analysis to direct fuzzing.

TaintScope

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection
Tielei Wang, Tao Wei, Guofei Gu, Wei Zou

Keywords: fuzzing, taint analysis, symbolic execution

The approach:
1. Byte analysis
2. Checksum information