One Engine To Serve 'em All: Inferring Taint Rules Without Architectural Semantics

Chua, Zheng Leong; Wang, Yanhao; Baluta, Teodora; Saxena, Prateek; Liang, Zhenkai; Su, Purui

doi:10.14722/ndss.2019.23339

Cited by 22 publications

(17 citation statements)

References 42 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This process requires tremendous engineering effort and thus, many researchers consider it too costly to investigate. TaintInduce (by the National University of Singapore and the Chinese Academy of Sciences) 5 is a project to automatically generate taint rules (or data-flow properties) without manual specifications; it infers taint rules based on observations of instruction executions. In addition, TaintInduce proposes a common definition and API for taint rules, enabling follow-up work to be built on a common knowledge base.…”

Section: Discussionmentioning

confidence: 99%

Asia's surging interest in binary analysis

Kil¹,

Liang

2020

Commun. ACM

Self Cite

View full text Add to dashboard Cite

Section: Discussionmentioning

confidence: 99%

Asia's surging interest in binary analysis

Kil¹,

Liang

2020

Commun. ACM

Self Cite

View full text Add to dashboard Cite

“…There has been some encouraging recent work on automated synthesis of semantic specifications for specific ISAs such as x86 [34,39]. TaintInduce [14] shows that higher level semantics (i.e., taint propagation rules) can be dynamically inferred for an ISA. However, these approaches focus on simple instructions, such as arithmetic and basic logical operations.…”

Section: Creating Virtual Execution Enginesmentioning

confidence: 99%

SoK: Enabling Security Analyses of Embedded Systems via Rehosting

Fasano

Ballo

Muench

et al. 2021

Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Closely monitoring the behavior of a software system during its execution enables developers and analysts to observe, and ultimately understand, how it works. This kind of dynamic analysis can be instrumental to reverse engineering, vulnerability discovery, exploit development, and debugging. While these analyses are typically wellsupported for homogeneous desktop platforms (e.g., x86 desktop PCs), they can rarely be applied in the heterogeneous world of embedded systems. One approach to enable dynamic analyses of embedded systems is to move software stacks from physical systems into virtual environments that sufficiently model hardware behavior. This process which we call "rehosting" poses a significant research challenge with major implications for security analyses. Although rehosting has traditionally been an unscientific and ad-hoc endeavor undertaken by domain experts with varying time and resources at their disposal, researchers are beginning to address rehosting challenges systematically and in earnest. In this paper, we establish that emulation is insufficient to conduct large-scale dynamic analysis of real-world hardware systems and present rehosting as a firmwarecentric alternative. Furthermore, we taxonomize preliminary rehosting efforts, identify the fundamental components of the rehosting process, and propose directions for future research.

show abstract

“…These limitations of taint severely affect its applicability to real-world programs. A recent work TaintInduce [18] has proposed to learn the taint propagation rules instead of manually specifying them. This can increase the accuracy of individual rules, but the error accumulation and large overhead issues still remain, due to propagation-based design.…”

Section: Dynamic Taint Analysis (Dta)mentioning

confidence: 99%

“…However, it incurs large overhead and suffers from overtaint and undertaint issues. To address these issues, TaintInduce [18] proposes to learn platform-specific taint propagation rules from (input, output) pairs of instructions. Their approach learns propagation rules based on a template, and uses an algorithm to reduce the task to learning different input sets and pre-conditions for propagating the taint tags.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Neutaint: Efficient Dynamic Taint Analysis with Neural Networks

She

Chen

Shah

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Dynamic taint analysis (DTA) is widely used by various applications to track information flow during runtime execution. Existing DTA techniques use rule-based taint-propagation, which is neither accurate (i.e., high false positive rate) nor efficient (i.e., large runtime overhead). It is hard to specify taint rules for each operation while covering all corner cases correctly. Moreover, the overtaint and undertaint errors can accumulate during the propagation of taint information across multiple operations. Finally, rule-based propagation requires each operation to be inspected before applying the appropriate rules resulting in prohibitive performance overhead on large real-world applications.In this work, we propose NEUTAINT, a novel end-to-end approach to track information flow using neural program embeddings. The neural program embeddings model the target's programs computations taking place between taint sources and sinks, which automatically learns the information flow by observing a diverse set of execution traces. To perform lightweight and precise information flow analysis, we utilize saliency maps to reason about most influential sources for different sinks. NEUTAINT constructs two saliency maps, a popular machine learning approach to influence analysis, to summarize both coarse-grained and finegrained information flow in the neural program embeddings.We compare NEUTAINT with 3 state-of-the-art dynamic taint analysis tools. The evaluation results show that NEUTAINT can achieve 68% accuracy, on average, which is 10% improvement while reducing 40× runtime overhead over the second-best taint tool Libdft on 6 real world programs. NEUTAINT also achieves 61% more edge coverage when used for taint-guided fuzzing indicating the effectiveness of the identified influential bytes. We also evaluate NEUTAINT's ability to detect real world software attacks. The results show that NEUTAINT can successfully detect different types of vulnerabilities including buffer/heap/integer overflows, division by zero, etc. Lastly, NEUTAINT can detect 98.7% of total flows, the highest among all taint analysis tools.

show abstract

One Engine To Serve 'em All: Inferring Taint Rules Without Architectural Semantics

Cited by 22 publications

References 42 publications

Asia's surging interest in binary analysis

Asia's surging interest in binary analysis

SoK: Enabling Security Analyses of Embedded Systems via Rehosting

Neutaint: Efficient Dynamic Taint Analysis with Neural Networks

Contact Info

Product

Resources

About