170 likes | 518 Views
Taint Analysis Review. 王卓. Agenda. Overview People Tools. Overview. Taint analysis 主要原理 : 将来自于网络等不被信任的渠道的数据都会被标记为“被污染”的,由此产生的一系列算术和逻辑操作新生成的数据也会继承源数据的“是否被 污染”的属性。然后根据指令的操作数或者函数参数的污染状态查找软件漏洞。. 相关论文. Dawn Song.
E N D
Agenda • Overview • People • Tools
Overview • Taint analysis • 主要原理:将来自于网络等不被信任的渠道的数据都会被标记为“被污染”的,由此产生的一系列算术和逻辑操作新生成的数据也会继承源数据的“是否被 污染”的属性。然后根据指令的操作数或者函数参数的污染状态查找软件漏洞。
Dawn Song • Associate ProfessorComputer Science Division University of California, Berkeley • Panorama: capturing system-wide information flow for malware detection and analysis • Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software
Omer Tripp a PhD candidate at Tel-Aviv University TAJ: Effective Taint Analysis of Web Applications PLDI 09 Learning Minimal Abstractions POPL2011
James Clause • An assistant professor at the University of Delaware. • Research interests: software engineering with emphasis on debugging and program analysis • Penumbra: automatically identifying failure-relevant inputs using dynamic tainting ISSTA09 • Dytan ISSTA2007 • Effective memory protection using dynamic tainting ASE07
Tielei Wang • 北京大学计算机科学技术研究所 • TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability DetectionIEEE S&P • IntScope: Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution NDSS2009
Taintcheck • Author: James Newsome, Dawn Song • Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software NDSS05 • The first practical taint tool. • Based on Valgrind.
LIFT • LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks • Feng Qin, Ohio State University Cheng Wang, Intel Corporation Zhenmin Li, University of Illinois at Urbana-Champaign • A low-overhead attack discoverer.: 1.Fast Path 2.Merged Check 3.Fast Switch
Dytan • Dytan: A Generic Dynamic Taint Analysis Framework ISSTA 2007 • James Clause, Wanchun (Paul) Li, and Alessandro Orso • Highlight: Control flow Taint
Buzzfuzz • Taint-based Directed Whitebox Fuzzing ICSE2009 • Vijay Ganesh and Tim Leek and Martin Rinard MIT • Using taint analysis to direct fuzzing.
TaintScope • TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection • Tielei Wang, Tao Wei1, Guofei Gu, Wei Zou • Key words: Fuzzing, Taint analysis, Symbolic execution • The approach: (1) byte analysis (2) checksum information