Upload File

taint analysis review

16
王王

Upload: beau-cherry

Post on 04-Jan-2016

112 views

Category:

Documents


7 download

Report

DESCRIPTION

Taint Analysis Review. 王卓. Agenda. Overview People Tools. Overview. Taint analysis 主要原理 : 将来自于网络等不被信任的渠道的数据都会被标记为“被污染”的,由此产生的一系列算术和逻辑操作新生成的数据也会继承源数据的“是否被 污染”的属性。然后根据指令的操作数或者函数参数的污染状态查找软件漏洞。. 相关论文. Dawn Song. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Taint Analysis Review

王卓

Page 2: Taint Analysis Review

AgendaOverview

People

Tools

Page 3: Taint Analysis Review

OverviewTaint analysis

主要原理 :将来自于网络等不被信任的渠道的数据都会被标记为“被污染”的,由此产生的一系列算术和逻辑操作新生成的数据也会继承源数据的“是否被 污染”的属性。然后根据指令的操作数或者函数参数的污染状态查找软件漏洞。

Page 4: Taint Analysis Review

相关论文

Page 5: Taint Analysis Review

Dawn SongAssociate Professor

Computer Science Division University of California, Berkeley

Panorama: capturing system-wide information flow for malware detection and analysis

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software

Page 6: Taint Analysis Review

Omer Trippa PhD candidate at Tel-Aviv University

TAJ: Effective Taint Analysis of Web Applications PLDI 09

Learning Minimal Abstractions POPL2011

Page 7: Taint Analysis Review

James ClauseAn assistant professor at the University of Delaware.Research interests: software engineering with

emphasis on debugging and program analysisPenumbra: automatically identifying

failure-relevant inputs using dynamic tainting ISSTA09

Dytan ISSTA2007Effective memory protection using

dynamic tainting ASE07

Page 8: Taint Analysis Review

Tielei Wang北京大学计算机科学技术研究所

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability DetectionIEEE S&P

IntScope: Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution NDSS2009

Page 9: Taint Analysis Review

TaintcheckAuthor: James Newsome, Dawn SongDynamic Taint Analysis for Automatic

Detection, Analysis, and Signature Generation of Exploits on Commodity Software NDSS05

The first practical taint tool.Based on Valgrind.

Page 10: Taint Analysis Review

LIFTLIFT: A Low-Overhead Practical Information Flow

Tracking System for Detecting Security AttacksFeng Qin, Ohio State University Cheng Wang, Intel Corporation Zhenmin Li, University of Illinois at Urbana-

ChampaignA low-overhead attack discoverer.:1.Fast Path2.Merged Check3.Fast Switch

Page 11: Taint Analysis Review

DytanDytan: A Generic Dynamic Taint Analysis

Framework ISSTA 2007James Clause, Wanchun (Paul) Li, and Alessandro OrsoHighlight: Control flow Taint

Page 12: Taint Analysis Review

BuzzfuzzTaint-based Directed Whitebox

Fuzzing ICSE2009Vijay Ganesh and Tim Leek and Martin

Rinard MITUsing taint analysis to direct fuzzing.

Page 13: Taint Analysis Review
Page 14: Taint Analysis Review

TaintScopeTaintScope: A Checksum-Aware Directed

Fuzzing Tool for Automatic Software Vulnerability Detection

Tielei Wang, Tao Wei1, Guofei Gu, Wei ZouKey words: Fuzzing, Taint analysis, Symbolic

executionThe approach: (1) byte analysis (2) checksum information

Page 15: Taint Analysis Review
Page 16: Taint Analysis Review

Taint scope

Type-based Taint Analysis for Java Web Applications

Taint analysis

Dynamic Taint Propagation

Capturing Information Flow with Concatenated Dynamic Taint Analysis

Taint-based Dynamic Analysis (CoC Research Day 2009)

Program Analysis of Cryptographic Implementations for Security · Program Analysis of Cryptographic Implementations for Security ... not use broken hash functions * Taint Analysis

Taint and Information Flow Analysis Using Sweet.js Macros

SpecTaint: Speculative Taint Analysis for Discovering

Scalable and Precise Taint Analysis for Android

Botnet Analysis – II (Dynamic Taint Analysis)

TaintPipe: Pipelined Symbolic Taint Analysis · tiple threads as different stages of a pipeline to carry out symbolic taint analysis in parallel. Our experiments show that TaintPipe

DECAF++: Elastic Whole-System Dynamic Taint Analysisadava003/RAID__Elastic... · namic taint analysis, and thus the proposed improvements are applicable to any hardware architecture

TaintPipe: Pipelined Symbolic Taint Analysis - Faculty Pipelined Symbolic Taint Analysis Jiang Ming, Dinghao Wu, Gaoyao Xiao, ... (DBI) to decouple dynamic taint analysis from program

Static Taint-Analysis on Binary Executablesweb.cs.iastate.edu/~weile/cs513x/5.TaintAnalysis2.pdf · Static taint data-dependency analysis (classical) data-ow analysis problem: input

Android Taint Flow Analysis for App Setswklieber/slides/soap2014.pdf · Android Taint Flow Analysis for App Sets Will Klieber ... We build upon existing Android static analyses:

Dynamic Taint Analysis for Automatic Detection, …bitblaze.cs.berkeley.edu/papers/taintcheck-full.pdfDynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation

Smoke Taint Removal

Taint Analysis - Nanjing Universityseclab.nju.edu.cn/lecture/TaintAnalysis.pdfDynamic Taint Analysis 31 In order to do this, we need a dynamic binary instrumentation(DBI) framework

[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability discovery

Dynamic Taint Analysisheng/teaching/cs260-winter2017/... · 2017. 9. 29. · Approach: Dynamic Taint Analysis ... –Destination address for control flow (default) –Format string

P/Taint: Unified Points-to and Taint Analysis · 2021. 5. 19. · information-flow analysis computes which taint sources can influence a value and whether a value can reach a sink

Taint Droid

All You Ever Wanted to Know About Dynamic Taint Analysis ... · All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to

Molecular genetic analysis of boar taint

Dynamic Taint Analysis

Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software

SoK: On the Soundness and Precision of Dynamic Taint Analysisheng/teaching/cs260-winter... · the practicality of this approach, we build a new taint analysis system that is formally

Dynamic Taint Analysis and Forward Symbolic Execution Ankush Tyagi

Dynamic Code Evaluation & Taint Analysisaustin/...EvalAndTaintAnalysis.pdf& Taint Analysis . Announcement For next class, read Chapter 6 of your textbook. ... • In most languages,

Neutaint: Efficient Dynamic Taint Analysis with Neural Networks

On Soundness and Precision of Dynamic Taint Analysis · On Soundness and Precision of Dynamic Taint Analysis Dated: 01/22/2014 SycureLab Lok Kwong Yan Airforce Research Laboratory

Taint Analysis of JavaScript Code to Detect Web ... · Taint Analysis of JavaScript Code to Detect Web Applications ... Introduction About me • Security Consultant and Researcher

eu-15-Kim Triaging-Crashes-With-Backward-Taint-Analysis ... · crash point is affected by the user input. ... Crash Point ①Leave trace log ... eu-15-Kim_Triaging-Crashes-With-Backward-Taint-Analysis-For-ARM-Architecture.pptx

Investigation of taint analysis for Smartphone-implicit ... · Investigation of taint analysis for Smartphone-implicit taint detection and privacy leakage detection ... leak detection