Bit-Level Taint Analysis

Yadegari, Babak; Debray, Saumya

doi:10.1109/scam.2014.43

Cited by 26 publications

(18 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In order to do this, we use a taint propagation technique which is a well-known and useful analysis tool in the fields of static and dynamic analysis. It turns out that a conventional bytelevel taint analysis is not precise enough for our needs, so we use an enhanced bit-level taint-analysis [17]. This initial computation captures explicit information flow from input to output, but does not capture implicit flows, i.e., associations between data values that arise due to control dependencies rather than data dependencies.…”

Section: A Overviewmentioning

confidence: 99%

“…First, in order to deal with obfuscated code-including obfuscations that scramble together the bits from different words-we maintain and propagate taint information at the level of individual bits. Second, instead of simply indicating taintedness via a single bit, indicating whether or not a location is tainted or not, we keep track of the source of each distinct taint value [17]. Keeping track of taint sources turns out to be very helpful for reasoning about the taint of the result of an operation where both inputs originate from the same value; it turns out that such operations are often used in obfuscated code to construct opaque predicates or constants [23].…”

Section: B Identifying Input-to-output Flowsmentioning

confidence: 99%

See 1 more Smart Citation

A Generic Approach to Automatic Deobfuscation of Executable Code

Yadegari

Johannesmeyer

Whitely

et al. 2015

2015 IEEE Symposium on Security and Privacy

Self Cite

150

140

View full text Add to dashboard Cite

Malicious software are usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed ("deobfuscated") in order to understand the internal logic of the code and devise countermeasures. This paper discusses a generic approach for deobfuscation of obfuscated executable code. Our approach does not make any assumptions about the nature of the obfuscations used, but instead uses semantics-preserving program transformations to simplify away obfuscation code. We have applied a prototype implementation of our ideas to a variety of different kinds of obfuscation, including emulation-based obfuscation, emulation-based obfuscation with runtime code unpacking, and return-oriented programming. Our experimental results are encouraging and suggest that this approach can be effective in extracting the internal logic from code obfuscated using a variety of obfuscation techniques, including tools such as Themida that previous approaches could not handle.

show abstract

Section: A Overviewmentioning

confidence: 99%

Section: B Identifying Input-to-output Flowsmentioning

confidence: 99%

A Generic Approach to Automatic Deobfuscation of Executable Code

Yadegari

Johannesmeyer

Whitely

et al. 2015

2015 IEEE Symposium on Security and Privacy

Self Cite

150

140

View full text Add to dashboard Cite

show abstract

“…Rather than observe the program values that are dependent upon the taint sources, backward tainting observes the values which the sinks are dependent upon. [43] introduces a technique of combining forward and backward tainting approaches in order to eliminate program obfuscations and in turn simplify an execution trace. Their approach utilizes different levels of granularity during the taint in order to bypass devious defenses such as those used in [37].…”

Section: Taint Analysismentioning

confidence: 99%

A Framework for Understanding Dynamic Anti-Analysis Defenses

Qiu

Yadegari

Johannesmeyer

et al. 2014

Proceedings of the 4th Program Protection and Reverse Engineering Workshop

Self Cite

View full text Add to dashboard Cite

Malicious code often use a variety of anti-analysis and antitampering defenses to hinder analysis. Researchers trying to understand the internal logic of the malware have to penetrate these defenses. Existing research on such anti-analysis defenses tend to study them in isolation, thereby failing to see underlying conceptual similarities between different kinds of anti-analysis defenses. This paper proposes an information-flow-based framework that encompasses a wide variety of anti-analysis defenses. We illustrate the utility of our approach using two different instances of this framework: self-checksumming-based anti-tampering defenses and timing-based emulator detection. Our approach can provide insights into the underlying structure of various anti-analysis defenses and thereby help devise techniques for neutralizing them.

show abstract

“…However, since taint analysis has strong serial data and control dependencies on the program execution, the parallelized taint analysis need to be frequently synchronized for data communication (e.g., control flow directions and memory addresses), either through customized hardware [31,40] or shared memory [18,19]. The second category first records the application execution and then replay the taint analysis on a different CPU [15,42,45,48]. Similar to the limitation of the first category, the large online logging data is also a barrier to achieving the expected performance gains.…”

Section: Introductionmentioning

confidence: 99%

StraightTaint: decoupled offline symbolic taint analysis

Jiang

Wang

et al. 2016

Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering

View full text Add to dashboard Cite

Taint analysis has been widely applied in ex post facto security applications, such as attack provenance investigation, computer forensic analysis, and reverse engineering. Unfortunately, the high runtime overhead imposed by dynamic taint analysis makes it impractical in many scenarios. The key obstacle is the strict coupling of program execution and taint tracking logic code. To alleviate this performance bottleneck, recent work seeks to offload taint analysis from program execution and run it on a spare core or a different CPU. However, since the taint analysis has heavy data and control dependencies on the program execution, the massive data in recording and transformation overshadow the benefit of decoupling. In this paper, we propose a novel technique to allow very lightweight logging, resulting in much lower execution slowdown, while still permitting us to perform full-featured offline taint analysis. We develop StraightTaint, a hybrid taint analysis tool that completely decouples the program execution and taint analysis. StraightTaint relies on very lightweight logging of the execution information to reconstruct a straight-line code, enabling an offline symbolic taint analysis without frequent data communication with the application. While StraightTaint does not log complete runtime or input values, it is able to precisely identify the causal relationships between sources and sinks, for example. Compared with traditional dynamic taint analysis tools, StraightTaint has much lower application runtime overhead. CCS Concepts •Security and privacy → Software security engineering; Information flow control; Software reverse engineering;

show abstract

Bit-Level Taint Analysis

Cited by 26 publications

References 12 publications

A Generic Approach to Automatic Deobfuscation of Executable Code

A Generic Approach to Automatic Deobfuscation of Executable Code

A Framework for Understanding Dynamic Anti-Analysis Defenses

StraightTaint: decoupled offline symbolic taint analysis

Contact Info

Product

Resources

About