DTA. Also known as Dynamic information flow tracking (DIFT)
TaintCheck
Newsome, James, and Dawn Xiaodong Song. "Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software." NDSS. Vol. 5. 2005.
- Schwartz, Edward J., Thanassis Avgerinos, and David Brumley. "All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask)." 2010 IEEE symposium on Security and privacy. IEEE, 2010.
- Saxena, Prateek, R. Sekar, and Varun Puranik. "Efficient fine-grained binary instrumentation with applications to taint-tracking." Proceedings of the 6th annual IEEE/ACM international symposium on Code generation and optimization. 2008.
- Ruwase, Olatunji, et al. "Decoupled lifeguards: enabling path optimizations for dynamic correctness checking tools." ACM Sigplan Notices 45.6 (2010): 25-35.
- Bosman, Erik, Asia Slowinska, and Herbert Bos. "Minemu: The world’s fastest taint tracker." International Workshop on Recent Advances in Intrusion Detection. Springer, Berlin, Heidelberg, 2011.
- Kemerlis, Vasileios P., et al. "libdft: Practical dynamic data flow tracking for commodity systems." Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution Environments. 2012.
- Ming, Jiang, et al. "Taintpipe: Pipelined symbolic taint analysis." 24th USENIX Security Symposium (USENIX Security 15). 2015.
- Quinn, Andrew, et al. "JetStream: Cluster-scale parallelization of information flow queries." 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16). 2016.
- Banerjee, Subarno, et al. "Iodine: fast dynamic taint tracking using rollback-free optimistic hybrid analysis." 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 2019.
- Galea, John, and Daniel Kroening. "The Taint Rabbit: Optimizing Generic Taint Analysis with Dynamic Fast Path Generation." ASIA CCS, 2020.
Speck
Nightingale, Edmund B., et al. "Parallelizing security checks on commodity hardware." ACM SIGARCH Computer Architecture News 36.1 (2008): 308-318.
- Zhu, David, et al. "TaintEraser: Protecting sensitive data leaks using application-level taint tracking." ACM SIGOPS Operating Systems Review 45.1 (2011): 142-154.
- Jee, Kangkook, et al. "A General Approach for Efficiently Accelerating Software-based Dynamic Data Flow Tracking on Commodity Hardware." NDSS. 2012.
Offline Tainting
- She, Dongdong, et al. "Neutaint: Efficient Dynamic Taint Analysis with Neural Networks." 2020 IEEE Symposium on Security and Privacy (SP). IEEE, 2020.
- Ming, Jiang, et al. "Straighttaint: Decoupled offline symbolic taint analysis." 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE, 2016.
- Wang, Xinran, et al. "Still: Exploit code detection via static taint and initialization analyses." 2008 Annual Computer Security Applications Conference (ACSAC). IEEE, 2008.
- Biondi, Philippe, et al. "BinCAT: purrfecting binary static analysis." Symposium sur la sécurité des technologies de l’information et des communications. 2017.
- Taint Summary
- Changming Liu, et al. "KUBO: Precise and Scalable Detection of User-triggerable Undefined Behavior Bugs in OS Kernel." NDSS. 2021.
- Hang Zhang, et al. "Statically Discovering High-Order Taint Style Vulnerabilities in OS Kernels." CCS. 2021.
- Xu, Wei, Sandeep Bhatkar, and Ramachandran Sekar. "Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks." USENIX Security Symposium. 2006.
TaintInduce
Chua, Zheng Leong, et al. "One Engine To Serve'em All: Inferring Taint Rules Without Architectural Semantics." NDSS. 2019.
Pin
Dytan: Dytan Taint Analysis Framework on Linux 64-bit (Paper)
Pin
libdft: Practical Dynamic Data Flow Tracking. libdft64
llvm
Python bindings
Pin (Optional)
Triton: a Dynamic Binary Analysis (DBA) framework
llvm
BAP: Binary Analysis Platform (Paper)
whole-system
BitBlaze
QEMU
TCG
TEMU: The BitBlaze Dynamic Analysis Component (Paper)
whole-system
Panda
QEMU
LLVM
PIRATE: Platform for IR-based Analyses of Tainted Execution
whole-system
QEMU
TCG
DECAF: Dynamic Executable Code Analysis Framework (Paper)
whole-system
SWIFT
QEMU
MBA: Malware Behavior Analyzer (Paper)
static
IDA
Python
BinCAT: a static Binary Code Analysis Toolkit (Paper)
KLEE
KLEE-TAINT
- Kang, Min Gyung, et al. "Dta++: dynamic taint analysis with targeted control-flow propagation." NDSS. 2011.