dytan a generic dynamic taint analysis framework
play

Dytan: A Generic Dynamic Taint Analysis Framework James Clause, - PowerPoint PPT Presentation

Aug 25, 2022 •259 likes •671 views

Dytan: A Generic Dynamic Taint Analysis Framework James Clause, Wanchun (Paul) Li, and Alessandro Orso College of Computing Georgia Institute of Technology Partially supported by: NSF awards CCF-0541080 and CCR-0205422 to Georgia Tech, DHS

  1. Dytan: A Generic Dynamic Taint Analysis Framework James Clause, Wanchun (Paul) Li, and Alessandro Orso College of Computing Georgia Institute of Technology Partially supported by: NSF awards CCF-0541080 and CCR-0205422 to Georgia Tech, DHS and US Air Force Contract No. FA8750-05-2-0214

  2. Dynamic taint analysis (aka dynamic information-flow analysis ) A A A 1 1 B B B Z Z Z 2 2 3 C C C 3 3

  3. Dynamic tainting applications Attack detection / prevention Information policy enforcement Testing Data lifetime / scope

  4. Dynamic tainting applications Attack detection / prevention Attack detection / prevention Detect / prevent attacks such as SQL injection, buffer overruns, stack smashing, cross site scripting Information policy enforcement e.g., Suh et al. 04, Newsome and Song 05, Halfond et al. 06, Kong et al. 06, Qin et al. 06 Testing Data lifetime / scope

  5. Dynamic tainting applications Attack detection / prevention Information policy enforcement Information policy enforcement ensure classified information does not leak outside the system e.g.,Vachharajani et al. 04, McCamant and Ernst 06 Testing Data lifetime / scope

  6. Dynamic tainting applications Attack detection / prevention Information policy enforcement Testing Testing Coverage metrics, test data generation heuristic, ... e.g., Masri et al 05, Leek et al. 07 Data lifetime / scope

  7. Dynamic tainting applications Attack detection / prevention Information policy enforcement Testing Data lifetime / scope Data lifetime / scope track how long sensitive data, such as passwords or account numbers, remain in the application e.g., Chow et al. 04

  8. Motivation Ad-hoc taint analysis Results implementation Ad-hoc taint analysis Results implementation Ad-hoc taint analysis Results implementation Ad-hoc taint analysis Results implementation

  9. Motivation Configuration • Flexible Dytan Generic • Easy to use Framework • Accurate Custom Dynamic Results Taint Analysis

  10. Outline � Motivation & overview • Framework (Dytan) • flexibility • ease of use • accuracy • Empirical evaluation • Conclusions

  11. Framework: flexibility Configuration Taint Propagation Taint sources sinks policy

  12. Framework: flexibility Taint Propagation Taint sources sinks policy

  13. Framework: flexibility Taint Taint Propagation Taint sources sources sinks policy Which data to tag, and how to tag it

  14. Framework: flexibility Taint Propagation Propagation Taint sources sinks policy policy How tags should be propagated at runtime

  15. Framework: flexibility Taint Propagation Taint Taint sources sinks sinks policy Where and how tags should be checked

  16. Taint sources What to tag How to tag Identify what program data Describe how tags should be should be assigned tags assigned for identified data • Variables (local or global) • Single tag • Function parameters • One tag per source • Function return values • Multiple tags per source • Data from an input stream • ... network, filesystem, keyboard, ... • Specific input stream 141.195.121.134:80, a.txt,...

  17. Taint sources What to tag: a.txt How to tag: single tag a.txt a.txt a.txt 1 1 1 1 1 1

  18. Taint sources What to tag: a.txt How to tag: multiple tags a.txt a.txt a.txt 1 1 1 2 1 3 1 4 1 5 1 n

  19. Propagation policy 1 2 A C 3 B 3 Affecting data Mapping function Data that affects the outcome of a Define how tags associated with statement through affecting data should be combined • Data dependencies • Union • Control dependencies • Max • ... A policy can consider both or only data dependencies

  20. Propagation policy 3 Affecting data: if(X) { data dependence control dependence 1 2 C = A + B; Mapping function: } union max

  21. Propagation policy 3 Affecting data: if(X) { ! ! data dependence control dependence 1 2 1 2 C = A + B; Mapping function: } union ! max

  22. Propagation policy 3 Affecting data: if(X) { ! data dependence control dependence 1 ! 3 2 C = A + B; Mapping function: } union ! max

  23. Taint Sinks Where to check What to check Location in the program to The data whose tags should perform a check be checked • Function entry / exit • Variables • Statement type • Function parameters • Specific program point • Function return value How to check Set of conditions to check and a set of actions to perform if the conditions are not met. • validate presence of tags (exit or log) • ensure absence of tags (exit or log) • ...

  24. Taint Sinks 2 3 cmd = read(file); args = read(socket); cmd = trim(cmd + args); ... tok[] = parse(cmd); exec(tok[0], tok[1]);

  25. Taint Sinks Where / what to check: 2 function: exec, param: 0 3 cmd = read(file); args = read(socket); How to check: cmd = trim(cmd + args); validate presence of: ... 2 tok[] = parse(cmd); validate absence of: 3 exec(tok[0], tok[1]); Result:

  26. Taint Sinks Where / what to check: 2 function: exec, param: 0 3 cmd = read(file); args = read(socket); How to check: cmd = trim(cmd + args); validate presence of: ... 2 tok[] = parse(cmd); validate absence of: 3 exec(tok[0], tok[1]); " Result: 2 3

  27. Framework: ease of use Provide two ways to configure the framework • Basic • Select sources, propagation policies, and sinks from a set of predefined options • XML based configuration • Advanced • Suitable for more esoteric applications • Extend OO implementation

  28. Framework: accuracy • Dytan operates at the binary level • consider the actual program semantics • transparently handle libraries • Dytan accounts for both data- and control- flow dependencies

  29. Framework: accuracy The most common source of inaccuracy is incorrectly identifying the information produced and consumed by a statement Two common examples: • Implicit operands add %eax, %ebx // A = A + B produced: %eax , %eflags • Address Generators [ ] * add %eax, %ebx // A = A + B , %ebx consumed: %eax, [%ebx]

  30. Outline � Motivation & overview � Framework � flexibility � ease of use � accuracy • Empirical evaluation • Conclusions

  31. Empirical evaluation • RQ1: Can Dytan be used to (easily) implement existing dynamic taint analyses? • RQ2: How do inaccurate propagation policies affect the analysis results? • In addition: discussion on performance

  32. RQ1: flexibility Goal : show that Dytan can be used to (easily) implement existing dynamic taint analyses • Selected two techniques: • Overwrite attack detection [Qin et al. 04] • SQL injection detection [Halfond et al. 06] • Used Dytan to re-implement both techniques • Measure implementation time • Validate against the original implementation

  33. RQ1: results • Implementation time: • Overwrite attack detection: < 1 hour • SQL injection detection: < 1 day • Comparison with original implementations: • Successfully stopped same attacks as the original implementations

  34. RQ2: accuracy impact Goal : measure the effect of inaccurate propagation policies on analysis results • Selected two subjects: • Gzip (75kb w/o libraries) • Firefox (850kb w/o libraries) • Use Dytan to taint program inputs and measure the amount of heap data tainted at program exit • Compare Dytan against inaccurate policies • no implicit operands (no IM) • no address generators (no AG) • no implicit operands, no address generators (no IM, no AG)

  35. RQ2: results Dytan No IM No AG No IM, no IG 100% 75% 50% 25% 0% Firefox (1 page) Firefox (3 pages) Gzip

  36. Performance • Measured for gzip : � 30x for data flow � 50x for data and control flow • High overhead, but... • In line with existing implementations • Designed for experimentation • Favors flexibility over performance • Implementation can be further optimized

  37. Related work • Existing dynamic tainting approaches [ Suh et al. 04, Newsome and Song 05, Halfond et al. 06, Kong et al. 06, ... ] • Ad-hoc • Other dynamic taint analysis frameworks [ Xu et al. 06 and Lam and Chiueh 06 ] • Focused on security applications • Single taint mark • No control-flow propagation • Operate at the source code level

  38. Conclusions • Dytan • a general framework for dynamic tainting • allows for instantiating and experimenting with different dynamic taint analysis approaches • Initial evaluation • flexible • easy to use • accurate

  39. Future directions • Tool release (documentation, code cleanup) http://www.cc.gatech.edu/~clause/dytan/ (pre-release on request) • Optimization (general and specific) • Applications • Memory protection • Debugging

  40. Questions? http://www.cc.gatech.edu/~clause/dytan/

Recommend

All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but might have been afraid to ask) (Yes, we were trying to overflow the title length field on the submission server) Edward J. Schwartz, Thanassis

738 views • 25 slides
Dynamic Code Evaluation &amp; Taint Analysis Prof. Tom Austin San Jos State University

Dynamic Code Evaluation &amp; Taint Analysis Prof. Tom Austin San Jos State University

CS 152: Programming Language Paradigms Dynamic Code Evaluation &amp; Taint Analysis Prof. Tom Austin San Jos State University Parsing JSON (in-class) Review: additional Ruby eval methods instance_eval evaluates code within the body of an

689 views • 43 slides
Dynamic Code Evaluation &amp; Taint Analysis Prof. Tom Austin San Jos State University

Dynamic Code Evaluation &amp; Taint Analysis Prof. Tom Austin San Jos State University

CS 152: Programming Language Paradigms Dynamic Code Evaluation &amp; Taint Analysis Prof. Tom Austin San Jos State University Dynamic code evaluation eval Executes dynamically Typically, eval takes a string: eval &quot;puts

462 views • 23 slides
Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West

Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West

Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West Fortify Software 2.21.08 Overview Motivation Dynamic taint propagation Sources of inaccuracy Integrating with QA Related work

740 views • 70 slides
InsectJ: A Generic Instrumentation Framework for Collecting Dynamic Information within Eclipse

InsectJ: A Generic Instrumentation Framework for Collecting Dynamic Information within Eclipse

InsectJ: A Generic Instrumentation Framework for Collecting Dynamic Information within Eclipse Arjan Seesing and Alessandro Orso Georgia Institute of Technology This work was supported in part by an IBM Eclipse Innovation Grant.

859 views • 24 slides
Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 ,

Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 ,

Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 , Julian Dolby 3 1 Rensselaer Polytechnic Institute 2 Google 3 IBM Research 1 Taint Analysis for Android Tracks flow of private data Controlled at

629 views • 35 slides
A Generic Framework for Interprocedural Analysis of Numerical Properties + Markus Mller-Olm

A Generic Framework for Interprocedural Analysis of Numerical Properties + Markus Mller-Olm

A Generic Framework for Interprocedural Analysis of Numerical Properties + Markus Mller-Olm Helmut Seidl + Mnster Mnchen PUMA Ringvorlesung, 2009 1 Outline: Background The framework for affine relations Grangers

1.53k views • 113 slides
TRACERJD: GENERIC TRACE-BASED DYNAMIC DEPENDENCE ANALYSIS WITH FINE-GRAINED LOGGING Haipeng Cai

TRACERJD: GENERIC TRACE-BASED DYNAMIC DEPENDENCE ANALYSIS WITH FINE-GRAINED LOGGING Haipeng Cai

TRACERJD: GENERIC TRACE-BASED DYNAMIC DEPENDENCE ANALYSIS WITH FINE-GRAINED LOGGING Haipeng Cai and Raul Santelices Department of Computer Science and Engineering University of Notre Dame Supported by ONR Award N000141410037 SANER 2015

257 views • 15 slides
A Generic Framework for the Analysis and Specialization of Logic Programs an Puebla , Elvira

A Generic Framework for the Analysis and Specialization of Logic Programs an Puebla , Elvira

A Generic Framework for the Analysis and Specialization of Logic Programs an Puebla , Elvira Albert , and Manuel Hermenegildo , Germ ( ) Technical University of Madrid (Spain) ( ) Complutense University of

170 views • 14 slides
PIN Dynamic instrumentation framework PIN: Building Customized Goals: Program Analysis

PIN Dynamic instrumentation framework PIN: Building Customized Goals: Program Analysis

PIN Dynamic instrumentation framework PIN: Building Customized Goals: Program Analysis Tools with Easy-to-use Dynamic Instrumentation Portable Transparent Luk et al PLDI 2005 Efficient Presented by Godmar Back

223 views • 5 slides
Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What

Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What

Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What code paths were executed What parts of the execution interacted with external data Input Determination Which input bytes influence the crash

583 views • 45 slides
The Taint Leakage Model Ron Rivest Crypto in the

The Taint Leakage Model Ron Rivest Crypto in the

The Taint Leakage Model Ron Rivest Crypto in the Clouds Workshop, MIT Rump Session Talk August 4, 2009 Taint Common term in soDware

238 views • 9 slides
AVATAR: A Framework for Dynamic Security Analysis of Embedded Systems Firmwares Jonas Zaddach

AVATAR: A Framework for Dynamic Security Analysis of Embedded Systems Firmwares Jonas Zaddach

AVATAR: A Framework for Dynamic Security Analysis of Embedded Systems Firmwares Jonas Zaddach (zaddach@eurecom.fr) Luca Bruno, Aurlien Francillon, Davide Balzarotti Outline Introduction AVATAR overview Framework components

1.09k views • 44 slides
Supporting PHP Dynamic Analysis in PHP AiR Mark Hills 13th International Workshop on Dynamic

Supporting PHP Dynamic Analysis in PHP AiR Mark Hills 13th International Workshop on Dynamic

Supporting PHP Dynamic Analysis in PHP AiR Mark Hills 13th International Workshop on Dynamic Analysis (WODA 2015) October 26, 2015 Pittsburgh, Pennsylvania, USA http://www.rascal-mpl.org 1 PHP AiR: PHP Analysis in Rascal PHP AiR: a framework

528 views • 16 slides
Android Taint Flow Analysis for App Sets Will Klieber*, Lori Flynn, Amar Bhosale , Limin Jia,

Android Taint Flow Analysis for App Sets Will Klieber*, Lori Flynn, Amar Bhosale , Limin Jia,

Android Taint Flow Analysis for App Sets Will Klieber*, Lori Flynn, Amar Bhosale , Limin Jia, and Lujo Bauer Carnegie Mellon University *presenting Motivation Detect malicious apps that leak sensitive data. E.g., leak contacts list to

514 views • 26 slides
Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at rest Dynamic: Operates at runtime Also hybrids of the two Static: Examples Code review Grep Taint analysis Symbolic

726 views • 49 slides
Modeling the Catchment Via Mixtures: an Uncertainty Framework for Dynamic Hydrologic Systems

Modeling the Catchment Via Mixtures: an Uncertainty Framework for Dynamic Hydrologic Systems

Modeling the Catchment Via Mixtures: an Uncertainty Framework for Dynamic Hydrologic Systems Dynamic Hydrologic Systems Lucy Marshall Assistant Professor of Watershed Analysis A i P f f W h d A l i Department of Land Resources and

580 views • 30 slides
1 Definition of a simple generic class Why generic programming (cont.) class Pair &lt;T&gt; {

1 Definition of a simple generic class Why generic programming (cont.) class Pair &lt;T&gt; {

Topics background and goals of generic programming basics of generic classes = parameterized types generic methods for general algorithms inheritance rules for generic types Generic programming in Java bounded type parameters

261 views • 5 slides
A GENERIC FRAMEWORK FOR ENGAGING ONLINE DATA SOURCES IN INTRODUCTORY PROGRAMMING COURSES NADEEM

A GENERIC FRAMEWORK FOR ENGAGING ONLINE DATA SOURCES IN INTRODUCTORY PROGRAMMING COURSES NADEEM

A GENERIC FRAMEWORK FOR ENGAGING ONLINE DATA SOURCES IN INTRODUCTORY PROGRAMMING COURSES NADEEM ABDUL HAMID 2 A GENERIC FRAMEWORK FOR ENGAGING ONLINE DATA SOURCES LIVE DEMO https://datahub.io/dataset/ubigeo-peru

305 views • 30 slides
Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu,

Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu,

Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu, Hong, Patrick A. V. Hall, and John H. R. May, &quot;Software Unit Test Coverage and Adequacy,&quot; ACM Computing Surveys, vol. 29, no.4, pp.

1.03k views • 58 slides
Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't care Erik Bosman &lt;erik@minemu.org&gt; Traditional Stack Smashing buf[16] GET / HTTP/1.1 00baseretnarg1arg2 Traditional Stack Smashing buf[16]

1.29k views • 100 slides
10/17/2011 Dynamic Semantics Definition of a (programming) language involves: Generic Language

10/17/2011 Dynamic Semantics Definition of a (programming) language involves: Generic Language

10/17/2011 Dynamic Semantics Definition of a (programming) language involves: Generic Language Technology (2IS15) abstract syntax, so-called signature concrete syntax: Dynamic Semantics textual syntax graphical syntax dr. Suzana

262 views • 4 slides
GENERIC PHY FRAMEWORK: AN OVERVIEW Kishon Vijay Abraham I 1 About Me About Me Working in

GENERIC PHY FRAMEWORK: AN OVERVIEW Kishon Vijay Abraham I 1 About Me About Me Working in

GENERIC PHY FRAMEWORK: AN OVERVIEW Kishon Vijay Abraham I 1 About Me About Me Working in Texas Instruments since 2007 Contributing to linux kernel for the past four years Develop and Maintain PHY Subsystem (drivers/phy)

915 views • 30 slides
Rethinking dynamic visual variables: towards a framework of dynamic semiology Christine Zanin

Rethinking dynamic visual variables: towards a framework of dynamic semiology Christine Zanin

Rethinking dynamic visual variables: towards a framework of dynamic semiology Christine Zanin Associate Professor in geography, University Paris-Diderot Paris 7 Maher Ben Rebah Post PhD Researcher Groupe CARTOMOUV France CNRS Universit

362 views • 13 slides

More recommend