Neutaint: Efficient Dynamic Taint Analysis with Neural Networks

She, Dongdong; Chen, Yizheng; Shah, Abhishek; Ray, Baishakhi; Jana, Suman

doi:10.1109/sp40000.2020.00022

Cited by 42 publications

(21 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Because the bytes related to a path constraint are usually a small portion of an input, some other fuzzers utilize taint analysis to build the relationships between input bytes and path constraints [8,17,20,27,36]. Taint tracking can identify promising input bytes that affect program's certain operations [10,14,16,26,29,33]. When resolving a path constraint, fuzzing only needs to mutate the related bytes so that they improve the efficiency of passing raodrocks.…”

Section: Path Constraintsmentioning

confidence: 99%

Path Transitions Tell More:Optimizing Fuzzing Schedules via Runtime Program States

Zhang¹,

Xiao²,

Zhu³

et al. 2022

Preprint

View full text Add to dashboard Cite

Coverage-guided Greybox Fuzzing (CGF) is one of the most successful and widely-used techniques for bug hunting. Two major approaches are adopted to optimize CGF: (i) to reduce search space of inputs by inferring relationships between input bytes and path constraints; (ii) to formulate fuzzing processes (e.g., path transitions) and build up probability distributions to optimize power schedules, i.e., the number of inputs generated per seed. However, the former is subjective to the inference results which may include extra bytes for a path constraint, thereby limiting the efficiency of path constraints resolution, code coverage discovery, and bugs exposure; the latter formalization, concentrating on power schedules for seeds alone, is inattentive to the schedule for bytes in a seed.In this paper, we propose a lightweight fuzzing approach, Truzz, to optimize existing Coverage-guided Greybox Fuzzers (CGFs). To address two aforementioned challenges, Truzz identifies the bytes related to the validation checks (i.e., the checks guarding errorhandling code), and protects those bytes from being frequently mutated, making most generated inputs examine the functionalities of programs, in lieu of being rejected by validation checks. The byte-wise relationship determination mitigates the problem of loading extra bytes when fuzzers infer the byte-constraint relation. Furthermore, the proposed path transition within Truzz can efficiently prioritize the seed as the new path, harvesting many new edges, and the new path likely belongs to a code region with many undiscovered code lines. To evaluate our approach, we implemented 6 state-of-the-art fuzzers, AFL, AFLFast, NEUZZ, MOPT, FuzzFactory and GreyOne, in Truzz. The experimental results show that on average, Truzz can generate 16.14% more inputs flowing into functional code, in addition to 24.75% more new edges than the vanilla fuzzers. Finally, our approach exposes 13 bugs in 8 target programs, and 6 of them have not been identified by the vanilla fuzzers.

show abstract

Section: Path Constraintsmentioning

confidence: 99%

Path Transitions Tell More:Optimizing Fuzzing Schedules via Runtime Program States

Zhang¹,

Xiao²,

Zhu³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…The most closely related work has used deep learning to analyze the information flow in programs for more efficient taint tracking [37] or vulnerability detection [24] in C. In these projects, ML models must identify key points in the program to analyze the information flow, relying on the highly static nature of C programs. In our work, we focus on DOM XSS vulnerabilities in the browser, which predominantly executes dynamic JavaScript code.…”

Section: Machine Learning In Program Analysismentioning

confidence: 99%

Towards a Lightweight, Hybrid Approach for Detecting DOM XSS Vulnerabilities with Machine Learning

Melicher

Fung

Bauer

et al. 2021

Proceedings of the Web Conference 2021

View full text Add to dashboard Cite

Client-side cross-site scripting (DOM XSS) vulnerabilities in web applications are common, hard to identify, and difficult to prevent. Taint tracking is the most promising approach for detecting DOM XSS with high precision and recall, but is too computationally expensive for many practical uses.We investigate whether machine learning (ML) classifiers can replace or augment taint tracking when detecting DOM XSS vulnerabilities. Through a large-scale web crawl, we collect over 18 billion JavaScript functions and use taint tracking to label over 180,000 functions as potentially vulnerable. With this data, we train a deep neural network (DNN) to analyze a JavaScript function and predict if it is vulnerable to DOM XSS. We experiment with a range of hyperparameters and present a low-latency, high-recall classifier that could serve as a pre-filter to taint tracking, reducing the cost of stand-alone taint tracking by 3.43× while detecting 94.5% of unique vulnerabilities. We argue that this combination of a DNN and taint tracking is efficient enough for a range of use cases for which taint tracking by itself is not, including in-browser run-time DOM XSS detection and analyzing large codebases. CCS CONCEPTS• Security and privacy → Web application security; • Information systems → World Wide Web; • Computing methodologies → Machine learning.

show abstract

“…Inspired by advances in program neural smoothing [94,95] and SCA based on neural networks [54,85,118,123], we seek to overcome question "which program point leaks side channel information" by answering the following question:…”

Section: Fault Localization With Neural Attentionmentioning

confidence: 99%

Automated Side Channel Analysis of Media Software with Manifold Learning

Yuan¹,

Pang²,

Wang³

2021

Preprint

View full text Add to dashboard Cite

The prosperous development of cloud computing and machine learning as a service has led to the widespread use of media software to process confidential media data. This paper explores an adversary's ability to launch side channel analyses (SCA) against media software to reconstruct confidential media inputs. Recent advances in representation learning and perceptual learning inspired us to consider the reconstruction of media inputs from side channel traces as a cross-modality manifold learning task that can be addressed in a unified manner with an autoencoder framework trained to learn the mapping between media inputs and side channel observations. We further enhance the autoencoder with attention to localize the program points that make the primary contribution to SCA, thus automatically pinpointing information-leakage points in media software. We also propose a novel and highly effective defensive technique called perception blinding that can perturb media inputs with perception masks and mitigate manifold learning-based SCA.Our evaluation exploits three popular media software to reconstruct inputs in image, audio, and text formats. We analyze three common side channels -cache bank, cache line, and page tables -and userspace-only cache set accesses logged by standard Prime+Probe. Our framework successfully reconstructs high-quality confidential inputs from the assessed media software and automatically pinpoint their vulnerable program points, many of which are unknown to the public. We further show that perception blinding can mitigate manifold learning-based SCA with negligible extra cost.

show abstract

Neutaint: Efficient Dynamic Taint Analysis with Neural Networks

Cited by 42 publications

References 27 publications

Path Transitions Tell More:Optimizing Fuzzing Schedules via Runtime Program States

Path Transitions Tell More:Optimizing Fuzzing Schedules via Runtime Program States

Towards a Lightweight, Hybrid Approach for Detecting DOM XSS Vulnerabilities with Machine Learning

Automated Side Channel Analysis of Media Software with Manifold Learning

Contact Info

Product

Resources

About