Presentation is loading. Please wait.

Presentation is loading. Please wait.

Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.

Published byYahir Arnett Modified over 9 years ago

Similar presentations

Presentation on theme: "Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell."— Presentation transcript:

1 Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell

2 Taint Analysis ▫Used to track flow of data through program ▫Security Applications:  Malware Analysis  Finding Unknown Vulnerabilities ▫Static  Proves whether it is possible for taint to reach ▫Dynamic  Track flow dynamically through single execution

3 Dynamic Taint Analysis Taint Policies ▫Taint Rules specify three things  Sources of taint  Sinks of taint  How taint spreads for different instructions ▫OR based policy is simplest  C = A, B, …;  t C = t A ∨ t B ∨ …;

4 Considerations Time of Attack vs. Time of Detection Overtainting Undertainting Tainted Addresses All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask), Edward J. Schwartz, Thanassis Avgerinos, David Brumley

5 Previous Work Xu et. Al (2006) ▫Proposed source-to-source transformation for performing vulnerability analysis Newsome and Song (2005) ▫Performed Taint analysis on compiled binaries through Valgrind to detect buffer overflow attacks Yin and Song (2009) ▫Performed dynamic taint analysis on VEX/Vine IR

6 Motivation Binary Analysis - Drawbacks ▫Taint Analysis is slow  Binary analysis can be 1.5X to 40X slower  Few optimizations ▫Can be difficult to specify fine-grained policies  More instruction based Source Code Analysis – Drawbacks ▫Need access to the source code ▫Might be language specific

7 Dynamic Analysis in LLVM Add dynamic instrumentation into LLVM IR Provide configurable policies based on ▫Functions ▫Instructions ▫Variables Benefit from LLVM optimization passes Middle ground of LLVM IR

8 Approach Enforce instruction policies using LLVM’s InstVisitor ▫OR based taint policy for majority of instructions Specify sources and sinks at compile time

9 Implementation Approach Used InstVisitor to handle different instructions Basic Idea: each regular instruction has parallel taint instruction Can also copy PHI nodes using taint counterparts r1 = r2 * r3 t r1 = t r2 ∨ t r3

10 Sources and Sinks Sources ▫Functions ▫Variables Sinks ▫Functions ▫Instructions

11 Sinks

12 Memory Perform basic tracking of simple memory ops ▫Stores ▫Loads Store(raddr, rvalue) t address = t value r4 = Load(r2) t r4 = t r2

13 Parameter Passing For each function ▫Allocate 1 byte of memory per operand ▫Insert instructions to load taint from memory For each call instruction ▫Assign bytes to corresponding function’s memory based on current operands taint Downside ▫Doesn’t handle recursive calls

14 Evaluation Compiled bzip2 with taint pass Achieved 20.37% overhead over compiling without pass Code expansion ▫65% in binary code size ▫87% in LLVM LOC

15 Difficulties Resolving taint values at PHI nodes Parameter Passing Difficult to parallelize work %1 = phi %2,… BB2 %2 = phi %1,… BB3

16 Future Work Fine-Grained Memory Tracking ▫Bitmap of memory’s address space Better Function Parameter Passing Implementation of more policies Further Testing

17 Conclusion Implementing dynamic taint analysis in LLVM is difficult ▫Vine has 7 instructions Performance overhead is acceptable for most applications Code expansion is reasonable for lightweight applications DEMO

Download ppt "Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell."

Similar presentations

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,
Comparison and Evaluation of Back Translation Algorithms for Static Single Assignment Form Masataka Sassa #, Masaki Kohama + and Yo Ito # # Dept. of Mathematical.

Comparison and Evaluation of Back Translation Algorithms for Static Single Assignment Form Masataka Sassa #, Masaki Kohama + and Yo Ito # # Dept. of Mathematical.
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.

Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Programmability Issues

Programmability Issues
Dynamic Branch PredictionCS510 Computer ArchitecturesLecture 10 - 1 Lecture 10 Dynamic Branch Prediction, Superscalar, VLIW, and Software Pipelining.

Dynamic Branch PredictionCS510 Computer ArchitecturesLecture Lecture 10 Dynamic Branch Prediction, Superscalar, VLIW, and Software Pipelining.
2014 Network and Distributed System Security Symposium AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijecking.

2014 Network and Distributed System Security Symposium AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijecking.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Chapter 8. Pipelining. Instruction Hazards Overview Whenever the stream of instructions supplied by the instruction fetch unit is interrupted, the pipeline.

Chapter 8. Pipelining. Instruction Hazards Overview Whenever the stream of instructions supplied by the instruction fetch unit is interrupted, the pipeline.
Program Representations. Representing programs Goals.

Program Representations. Representing programs Goals.
Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.

Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.
Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.
CS412/413 Introduction to Compilers Radu Rugina Lecture 16: Efficient Translation to Low IR 25 Feb 02.

CS412/413 Introduction to Compilers Radu Rugina Lecture 16: Efficient Translation to Low IR 25 Feb 02.
Design of a Framework for Testing Security Mechanisms for Program-Based Attacks Ben “Security” Breech and Lori Pollock University of Delaware.

Design of a Framework for Testing Security Mechanisms for Program-Based Attacks Ben “Security” Breech and Lori Pollock University of Delaware.
Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.

Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.
Representing programs Goals. Representing programs Primary goals –analysis is easy and effective just a few cases to handle directly link related things.

Representing programs Goals. Representing programs Primary goals –analysis is easy and effective just a few cases to handle directly link related things.
Assemblers Dr. Monther Aldwairi 10/21/20071Dr. Monther Aldwairi.

Assemblers Dr. Monther Aldwairi 10/21/20071Dr. Monther Aldwairi.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Dynamic Tainting for Deployed Java Programs Du Li Advisor: Witawas Srisa-an University of Nebraska-Lincoln 1.

Dynamic Tainting for Deployed Java Programs Du Li Advisor: Witawas Srisa-an University of Nebraska-Lincoln 1.

Similar presentations

Ads by Google