Transcript Taint Analysis Review
王卓
Agenda
1. Overview
2. People
3. Tools
Overview
Main principle of taint analysis: data that arrives through an untrusted channel (e.g. the network) is marked as "tainted" (the taint source). New data produced from it by arithmetic and logical operations inherits the tainted/untainted attribute of the source data (taint propagation). Software vulnerabilities are then found by checking the taint status of instruction operands or function parameters at security-sensitive points such as jump targets, memory addresses or format strings (the taint sinks).
Related papers
Dawn Song
Associate Professor, Computer Science Division, University of California, Berkeley
Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software (TaintCheck), NDSS 2005
Omer Tripp
PhD candidate at Tel-Aviv University
TAJ: Effective Taint Analysis of Web Applications, PLDI 2009
Learning Minimal Abstractions, POPL 2011
James Clause
Assistant professor at the University of Delaware
Research interests: software engineering, with emphasis on debugging and program analysis
Penumbra: Automatically Identifying Failure-Relevant Inputs Using Dynamic Tainting, ISSTA 2009
Dytan: A Generic Dynamic Taint Analysis Framework, ISSTA 2007
Effective Memory Protection Using Dynamic Tainting, ASE 2007
Tielei Wang
Institute of Computer Science and Technology, Peking University
TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection, IEEE S&P
IntScope: Automatically Detecting Integer Overflow Vulnerability in x86 Binary Using Symbolic Execution, NDSS 2009
TaintCheck
Authors: James Newsome, Dawn Song
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software, NDSS 2005
The first practical dynamic taint tool. Built on Valgrind: taints network input, propagates taint through data movement and arithmetic, and flags tainted data used as a jump target, format string or system call argument.
LIFT
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks
Feng Qin (Ohio State University), Cheng Wang (Intel Corporation), Zhenmin Li (University of Illinois at Urbana-Champaign)
A low-overhead attack detector. Three optimizations cut the cost of tracking:
1. Fast Path: skip taint propagation for code regions whose inputs are all untainted
2. Merged Check: combine the taint checks of several instructions into one
3. Fast Switch: cheap transitions between original and instrumented code
Dytan
Dytan: A Generic Dynamic Taint Analysis Framework, ISSTA 2007
James Clause, Wanchun (Paul) Li, and Alessandro Orso
Highlight: control-flow taint, i.e. propagating taint through control dependences (implicit flows) in addition to data flow
Buzzfuzz
Taint-based Directed Whitebox Fuzzing, ICSE 2009
Vijay Ganesh, Tim Leek and Martin Rinard, MIT
Uses dynamic taint tracking to find which input bytes reach sensitive program points (attack points such as library calls) and focuses mutation on those bytes instead of fuzzing the whole input blindly.
TaintScope
TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection
Tielei Wang, Tao Wei, Guofei Gu, Wei Zou
Key words: fuzzing, taint analysis, symbolic execution
The approach:
(1) Byte-level taint analysis: label each input byte and find the "hot bytes" that flow into security-sensitive operations; mutate those first.
(2) Checksum awareness: identify the checksum check in the target (a comparison where one operand depends on a few input bytes, the checksum field, and the other on most of the remaining bytes), bypass it during fuzzing, and later repair the checksum field of a crashing input with symbolic execution so the crash reproduces on the unmodified program.
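An added example, not code from these slides or from any of the tools they review, tying together the Overview (source, propagation, sink) and TaintScope's checksum-check fingerprint. It is a minimal dynamic taint tracker in Python: every byte read from the untrusted channel carries its own label (its input offset), arithmetic and logical results inherit the union of their operands' labels, and a control transfer whose target depends on input is reported. The packet layout, the handler `handle_packet`, the jump-table base `HANDLER_TABLE` and the sample packets are all constructed for the demonstration; the checksum heuristic is only in the spirit of TaintScope, not its implementation.

```python
# Added example (not from the slides or the tools named on them): a minimal
# dynamic taint tracker. Source rule: each untrusted byte gets the label
# {offset}. Propagation rule: results inherit the union of operand labels.
# Sink rule: a jump target that depends on input is reported.
from dataclasses import dataclass, field


class TaintViolation(Exception):
    """Tainted data reached a security-sensitive sink."""


@dataclass(frozen=True)
class Tainted:
    val: int
    src: frozenset = field(default_factory=frozenset)  # input offsets

    @staticmethod
    def lift(x):
        return x if isinstance(x, Tainted) else Tainted(x & 0xFFFFFFFF)

    def _bin(self, other, op):
        o = Tainted.lift(other)
        # propagation: the result is tainted by every byte either operand was
        return Tainted(op(self.val, o.val) & 0xFFFFFFFF, self.src | o.src)

    def __add__(self, o):    return self._bin(o, lambda a, b: a + b)
    def __radd__(self, o):   return self._bin(o, lambda a, b: b + a)
    def __mul__(self, o):    return self._bin(o, lambda a, b: a * b)
    def __and__(self, o):    return self._bin(o, lambda a, b: a & b)
    def __or__(self, o):     return self._bin(o, lambda a, b: a | b)
    def __xor__(self, o):    return self._bin(o, lambda a, b: a ^ b)
    def __lshift__(self, o): return self._bin(o, lambda a, b: a << b)

    @property
    def tainted(self):
        return bool(self.src)


def taint_source(data: bytes):
    """Source rule: bytes from the network get label {offset}."""
    return [Tainted(b, frozenset({i})) for i, b in enumerate(data)]


def sink_jump(target: Tainted):
    """Sink rule (TaintCheck-style): input must never decide where we jump."""
    if target.tainted:
        raise TaintViolation("jump target 0x%x derived from input bytes %s"
                             % (target.val, sorted(target.src)))
    return target.val


HANDLER_TABLE = 0x401000  # constructed base address of an imaginary jump table


def handle_packet(raw: bytes):
    """Constructed vulnerable protocol handler run under the tracker.
    Layout: [type:1][checksum:4 big-endian][payload...]. The checksum is the
    32-bit sum of the payload bytes; the type byte selects a handler with no
    bounds check, which is the pattern a taint tool should flag."""
    pkt = taint_source(raw)
    ptype = pkt[0]
    stored = (pkt[1] << 24) | (pkt[2] << 16) | (pkt[3] << 8) | pkt[4]
    computed = Tainted(0)
    for b in pkt[5:]:
        computed = computed + b
    # Checksum-check fingerprint (in the spirit of TaintScope): one comparison
    # operand depends on a few input bytes (the checksum field), the other on
    # nearly all remaining bytes (the data it protects).
    check = {"field": sorted(stored.src), "covers": sorted(computed.src)}
    if stored.val != computed.val:
        return {"accepted": False, "check": check, "violation": None}
    target = HANDLER_TABLE + ptype * 8   # attacker-influenced jump target
    try:
        sink_jump(target)
        violation = None
    except TaintViolation as e:
        violation = str(e)
    return {"accepted": True, "check": check, "violation": violation}


if __name__ == "__main__":
    good = bytes([0x02, 0, 0, 0, 0x03, 0x01, 0x02])  # constructed packet
    print(handle_packet(good))
```

The result for the constructed packet shows the two things a tool like TaintScope needs: the comparison at the checksum check pairs labels {1,2,3,4} against {5,6}, which marks it as a checksum check to bypass, and the jump target carries label {0}, so byte 0 is the hot byte to mutate. The tracker follows data flow only: `if ptype.val == 1: x = 1` would leave `x` untainted, which is the implicit-flow gap that Dytan's control-flow tainting closes.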