王卓 Agenda Overview People Tools Overview Taint analysis 主要原理:将来自于网络等不被信任的渠道的数据都会被标 记为“被污染”的,由此产生的一系列算术和逻辑操作新 生成的数据也会继承源数据的“是否被 污染”的属性。然 后根据指令的操作数或者函数参数的污染状态查找软件漏 洞。 相关论文 Dawn Song Associate Professor Computer Science Division University of California, Berkeley Panorama: capturing system-wide information flow for malware detection and analysis Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Omer Tripp a PhD candidate at Tel-Aviv University TAJ: Effective Taint Analysis of Web Applications PLDI 09 Learning Minimal Abstractions POPL2011 James Clause An assistant professor at the University of Delaware. Research interests: software engineering with emphasis on debugging and program analysis Penumbra: automatically identifying failure- relevant inputs using dynamic tainting ISSTA09 Dytan ISSTA2007 Effective memory protection using dynamic tainting ASE07 Tielei Wang 北京大学计算机科学技术研究所 TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection IEEE S&P IntScope: Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution NDSS2009 Taintcheck Author: James Newsome, Dawn Song Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software NDSS05 The first practical taint tool. Based on Valgrind. LIFT LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Ohio State University Cheng Wang, Intel Corporation Zhenmin Li, University of Illinois at Urbana-Champaign A low-overhead attack discoverer.: 1.Fast Path 2.Merged Check 3.Fast Switch Dytan Dytan: A Generic Dynamic Taint Analysis Framework ISSTA 2007 James Clause, Wanchun (Paul) Li, and Alessandro Orso Highlight: Control flow Taint Buzzfuzz Taint-based Directed Whitebox Fuzzing ICSE2009 Vijay Ganesh and Tim Leek and Martin Rinard MIT Using taint analysis to direct fuzzing. TaintScope TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang, Tao Wei1, Guofei Gu, Wei Zou Key words: Fuzzing, Taint analysis, Symbolic execution The approach: (1) byte analysis (2) checksum information