StraightTaint: decoupled offline symbolic taint analysis

Jiang, Ming; Wu, Dinghao; Wang, Jun; Xiao, Gaoyao; Liu, Peng

doi:10.1145/2970276.2970299

Cited by 43 publications

(47 citation statements)

References 53 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Their approach fixes the problem of taint loss which resulted from just-in-time translation first time. Ming et al [22] propose a full-featured offline taint analysis tool StraightTaint, which completely decouples the program execution and taint analysis, resulting in much lower execution slowdown. Dolan-Gavitt et al [23] present a full-system analysis tool PANDA that is based on QEMU emulator and has the ability to record and replay executions.…”

Section: Related Workmentioning

confidence: 99%

OFFDTAN: A New Approach of Offline Dynamic Taint Analysis for Binaries

Wang

Dou

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

Dynamic taint analysis is a powerful technique for tracking the flow of sensitive information. Different approaches have been proposed to accelerate this process in an online or offline manner. Unfortunately, most of these approaches still have performance bottlenecks and thus reduce analytical efficiency. To address this limitation, we present OFFDTAN, a new approach of offline dynamic taint analysis for binaries. OFFDTAN can be described in terms of four stages: dynamic information acquisition, vulnerability modeling, offline analysis, and backtrace analysis. It first records program runtime information and models the stack buffer overflow vulnerabilities and controlled jump vulnerabilities. Then it performs offline analysis and backtrace analysis to locate vulnerabilities. We implement OFFDTAN on the basis of QEMU virtual machine and apply it to off-the-shelf applications. In order to illustrate how our approach works, we first employ a case study. Furthermore, six applications have been verified so as to evaluate our approach. Experimental results demonstrate that our approach is correct and effective. Compared with other offline analysis tools, OFFDTAN has much lower application runtime overhead.

show abstract

Section: Related Workmentioning

confidence: 99%

OFFDTAN: A New Approach of Offline Dynamic Taint Analysis for Binaries

Wang

Dou

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…Dynamic binary instrumentation has been widely used for program performance profiling [35] and securityoriented execution monitoring tasks [17], [22]. Pin [20] and DynamoRIO [10] undertake lightweight instrumentation jobs, while Valgrind [24] is designed for more heavyweight instrumentation tasks, e.g., memory debugging.…”

Section: Related Workmentioning

confidence: 99%

“…Pin [20] and DynamoRIO [10] undertake lightweight instrumentation jobs, while Valgrind [24] is designed for more heavyweight instrumentation tasks, e.g., memory debugging. Among them, Pin is widely used for goal-driven binary security tasks, such as dynamic taint analysis [17], [22]. DynInst [12], [16] supports both static and dynamic binary instrumentation.…”

Section: Related Workmentioning

confidence: 99%

“…For example, instrumented code can record process run-time behavior [20], support program analysis [17], [22], or harden the executable layout to improve security [32], [34]. The instrumentation task can be performed at different stages: at compile time [21], at run time [22], or statically on executable files [34], [32]. In this paper, we present UROBOROS, a tool performing static instrumentation on stripped binaries.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

UROBOROS: Instrumenting Stripped Binaries with Static Reassembling

Wang

2016

2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER)

Self Cite

View full text Add to dashboard Cite

Software instrumentation techniques are widely used in program analysis tasks such as program profiling, vulnerability discovering, and security-oriented transforming. In this paper, we present an instrumentation tool called UROBOROS, which supports static instrumentation on stripped binaries. Due to the lack of relocation and debug information, reverse engineering of stripped binaries is challenging. Compared with the previous work, UROBOROS can provide complete, easy-touse, transparent, and efficient static instrumentation on stripped binaries. UROBOROS supports complete instrumentation by statically recovering the relocatable program (including both code and data sections) and the control flow structures from binary code. UROBOROS provides a rich API to access and manipulate different levels of the program structure. The instrumentation facilities of UROBOROS are easy-to-use, users with no binary rewriting and patching skills can directly manipulate stripped binaries to perform smooth program transformations. Distinguished from most instrumentation tools that need to patch the instrumentation code as new sections, UROBOROS can directly inline the instrumentation code into the disassembled program, which provides transparent instrumentation on stripped binaries. For efficiency, in the rewritten output of existing tools, frequent control transfers between the attached and original sections can incur a considerable performance penalty. However, the output from UROBOROS incurs no extra cost because the original and instrumentation code are connected by "fall-through" transfers. We perform comparative evaluations between UROBOROS and the state-of-the-art binary instrumentation tools, including DynInst and Pin. To demonstrate the versatility of UROBOROS, we also implement two real-world reengineering tasks which could be challenging for other instrumentation tools to accomplish. Our experimental results show that UROBOROS outperforms the existing binary instrumentation tools with better performance, lower labor cost, and a broader scope of applications.

show abstract

“…Instrumentation has many use cases such as (1) performance measurements, by checking the exact start/end time of interesting code portions; (2) debugging, by inspecting access to suspected areas like whenever a variable is being read/updated; (3) understanding the code structure by extracting its control flow graph or more complicated scenarios such as (4) taint analysis, by following data items which are affected by value of some tainted inputs; (5) information flow analysis, by keeping track of tainted locations separately; or (6) symbolic execution of program, by tracking and encoding the logic of executed instructions.…”

Section: Introductionmentioning

confidence: 99%

LDMBL: An architecture for reducing code duplication in heavyweight binary instrumentations

Momeni

Kharrazi

2018

Softw Pract Exp

View full text Add to dashboard Cite

Summary Emergence of instrumentation frameworks has vastly contributed to the software engineering practices. As the instrumentation use cases become more complex, complexity of instrumenting programs also increases, leading to a higher risk of software defects, increased development time, and decreased maintainability. In security applications such as symbolic execution and taint analysis, which need to instrument a large number of instruction types, this complexity is prominent. This paper presents an architecture based on the Pin binary instrumentation framework to abstract the low‐level OS and hardware‐dependent implementation details, facilitate code reuse in heavyweight instrumentation use cases, and improve instrumenting program development time. Instructions of x86 and x86‐64 hardware architectures are formally categorized using the Z language based on the Pin framework API. This categorization is used to automate the instrumentation phase on the basis of a configuration list. Furthermore, instrumentation context data such as register data are modeled in an object‐oriented scheme. This makes it possible to focus the instrumenting program development time on writing the essential analysis logics while access to low‐level OS and hardware dependencies are streamlined. The proposed architecture is evaluated by instrumenting 135 instruction types in a concrete symbolic execution engine, resulting in a reduction of the instrumenting program size by 59.7%. Furthermore, performance overhead measure against the SPEC CINT2006 programs is limited to 8.7%.

show abstract

StraightTaint: decoupled offline symbolic taint analysis

Cited by 43 publications

References 53 publications

OFFDTAN: A New Approach of Offline Dynamic Taint Analysis for Binaries

OFFDTAN: A New Approach of Offline Dynamic Taint Analysis for Binaries

UROBOROS: Instrumenting Stripped Binaries with Static Reassembling

LDMBL: An architecture for reducing code duplication in heavyweight binary instrumentations

Contact Info

Product

Resources

About