2011 - DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation
Goals
Problem
DTA is vulnerable to false negative (undertainting) errors caused by implicit flows, situations in which tainted data values affect control flow, which in turn affects other data.
DTA does not propagate taint along control dependencies
Focus on enabling taint propagation for benign programs
Information
Enhancement to dynamic taint analysis that additionally propagates taint along a targeted subset of control-flow dependencies.
BitBlaze
Dynamic Taint Analysis
Control dependencies / Implicit flows
Parts of a program where tainted data values affect control
Hypothesis
Under-tainting occurs at just a few places within large benign applications
Approach
Phases
Online Analysis
Apply those rules during future runs of dynamic taint analysis.
Offline Analysis
Generate DTA++ rules by diagnosing branches responsible for under-tainting and determining the extra propagation they require using offline analysis
Diagnosing Under Tainting
Detection predicate
Symbolic execution
Determine whether a path substring contains a culprit implicit flow
Locating a culprit branch
Multiple culprit branches in a trace
If there are multiple culprit branches, the diagnosis algorithm presented above finds the one that appears earliest in the trace.
Once we diagnose one such location, we remove the corresponding formula from the path condition. After this modification, we can perform the diagnosis process a second time to find another culprit branch
Rule Generation
Control flow graph
Extracted from the program binary; a database of the immediate post-dominator of each conditional branch is built by inspecting the CFGs
Generating rules specifying how to propagate taint to the values affected by the flow
Multilevel culprit implicit flows.
Input
One or more execution traces from a program that have been generated using vanilla dynamic taint propagation.
Propagates additional taint along targeted control dependencies in order to ameliorate under-tainting caused by implicit flows
BitBlaze
TEMU
Tracecap
What is?
Offline analysis
Undertainting
Where a value is not tainted even though it is affected by the tainted input
Major cause of undertainting is implicit flows caused by control dependencies, since vanilla dynamic taint analysis tracks only data dependencies.
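Added illustration (not code from the paper or from BitBlaze): a toy taint interpreter over a constructed register program in which a value is copied through a branch on tainted data. With data-dependency tracking alone the copy ends up untainted; a hard-coded stand-in for a DTA++ rule (culprit branch and its immediate post-dominator, which the real system derives offline from the CFG) taints the values written inside that region, restoring the lost taint.

```python
# Constructed toy program in a tiny register language (not the paper's code).
# x holds the tainted input; y is set from constants under a branch on x's
# low bit, so y depends on x only through control flow (an implicit flow).
PROG = [
    ("mov", "t", "x"),    # 0: t = x        data dependency, t is tainted
    ("and", "t", 1),      # 1: t = t & 1
    ("brz", "t", 5),      # 2: if t == 0 goto 5   <- culprit branch
    ("set", "y", 1),      # 3: y = 1        path taken when the bit is 1
    ("jmp", 6),           # 4: goto 6
    ("set", "y", 0),      # 5: y = 0        path taken when the bit is 0
    ("mov", "out", "y"),  # 6: out = y      immediate post-dominator of pc 2
]

# Stand-in DTA++ rule (assumed, replaces the offline CFG analysis): the
# branch at pc 2 is a culprit; its region ends at its post-dominator, pc 6.
RULES = {2: 6}


def run(x_value, dta_plus_plus):
    """Execute PROG with taint tracking; return (value, taint) of 'out'."""
    regs = {"x": x_value, "t": 0, "y": 0, "out": 0}
    taint = {"x": True, "t": False, "y": False, "out": False}
    open_regions = []  # post-dominator pcs of tainted branches still active
    pc = 0
    while pc < len(PROG):
        while open_regions and open_regions[-1] == pc:
            open_regions.pop()  # reached the post-dominator: region closed
        ins = PROG[pc]
        op = ins[0]
        if op == "brz":
            _, cond, target = ins
            if dta_plus_plus and taint[cond] and pc in RULES:
                open_regions.append(RULES[pc])
            pc = target if regs[cond] == 0 else pc + 1
            continue
        if op == "jmp":
            pc = ins[1]
            continue
        dst = ins[1]
        if op == "mov":
            regs[dst] = regs[ins[2]]
            taint[dst] = taint[ins[2]]       # vanilla DTA: data dependency only
        elif op == "and":
            regs[dst] &= ins[2]              # taint of dst is unchanged
        elif op == "set":
            regs[dst] = ins[2]
            taint[dst] = False               # constant: vanilla DTA clears taint
        if open_regions:                     # DTA++ rule: a write between the
            taint[dst] = True                # culprit branch and its ipdom is tainted
        pc += 1
    return regs["out"], taint["out"]
```

`run(5, False)` returns `(1, False)`, the under-tainted result, while `run(5, True)` returns `(1, True)`.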
Contribution