Taint Analysis Review

advertisement
王卓
Agenda
 Overview
 People
 Tools
Overview
 Taint analysis
 主要原理:将来自于网络等不被信任的渠道的数据都会被标
记为“被污染”的,由此产生的一系列算术和逻辑操作新
生成的数据也会继承源数据的“是否被 污染”的属性。然
后根据指令的操作数或者函数参数的污染状态查找软件漏
洞。
相关论文
Dawn Song
 Associate Professor
Computer Science Division
University of California, Berkeley
 Panorama: capturing system-wide information flow
for malware detection and analysis
 Dynamic Taint Analysis for Automatic Detection,
Analysis, and Signature Generation of Exploits on
Commodity Software
Omer Tripp
a PhD candidate at
Tel-Aviv University
TAJ: Effective Taint Analysis of Web Applications
PLDI 09
Learning Minimal Abstractions
POPL2011
James Clause
 An assistant professor
at the University of Delaware.
 Research interests: software engineering with emphasis on
debugging and program analysis
 Penumbra: automatically identifying failure-
relevant inputs using dynamic tainting ISSTA09
 Dytan ISSTA2007
 Effective memory protection using dynamic
tainting ASE07
Tielei Wang
 北京大学计算机科学技术研究所
 TaintScope: A Checksum-Aware Directed Fuzzing Tool
for Automatic Software Vulnerability Detection
IEEE S&P
 IntScope: Automatically Detecting Integer Overflow
Vulnerability in X86 Binary Using Symbolic Execution
NDSS2009
Taintcheck
 Author: James Newsome, Dawn Song
 Dynamic Taint Analysis for Automatic Detection,
Analysis, and Signature Generation of Exploits on
Commodity Software NDSS05
 The first practical taint tool.
 Based on Valgrind.
LIFT
 LIFT: A Low-Overhead Practical Information Flow
Tracking System for Detecting Security Attacks
 Feng Qin, Ohio State University
Cheng Wang, Intel Corporation
Zhenmin Li, University of Illinois at Urbana-Champaign
 A low-overhead attack discoverer.:
1.Fast Path
2.Merged Check
3.Fast Switch
Dytan
 Dytan: A Generic Dynamic Taint Analysis Framework
ISSTA 2007
 James Clause, Wanchun (Paul) Li,
and Alessandro Orso
 Highlight: Control flow Taint
Buzzfuzz
 Taint-based Directed Whitebox Fuzzing
ICSE2009
 Vijay Ganesh and Tim Leek and Martin Rinard
MIT
 Using taint analysis to direct fuzzing.
TaintScope
 TaintScope: A Checksum-Aware Directed Fuzzing Tool
for Automatic Software Vulnerability Detection
 Tielei Wang, Tao Wei1, Guofei Gu, Wei Zou
 Key words: Fuzzing, Taint analysis, Symbolic execution
 The approach: (1) byte analysis
(2) checksum information
Download