Taint Analysis
Nanjing University, seclab.nju.edu.cn/lecture/TaintAnalysis.pdf
Contents

• Pin Tool
  - Introduction
  - Intel PIN capability
  - How to instrument
  - How to pass parameters
  - Instrumentation granularity
• Dynamic Taint Analysis
  - Classification of taint analysis
  - Basic concept
  - Introduction
  - Byte or bit
  - Shadow memory
  - Dynamic taint analysis
Pin tools

Instrumentation
• A technique that inserts code into a program to collect run-time information or change its behavior
Different Instrumentations
• Source-code instrumentation
  - Compiler plugin
    - Insert code when compiling the source to binary
    - Highly efficient
• Static binary instrumentation
  - Binary rewriter
    - Disassemble and recompile
    - Difficult to ensure correctness
• Dynamic binary instrumentation
  - Dynamic binary instrumentation tool
    - Instrument code just before it runs
    - No need to recompile or re-link
    - Analyze and modify code at runtime
Dynamic Binary Instrumentation
• Intel PIN
• Valgrind
• QEMU
Intel Pin Capability
• Binary analysis:
  - Trace control flow or data flow
  - Hook functions, signals and system calls
  - Multi-thread support
• Change program behavior:
  - Add/delete instructions/basic blocks/functions
  - Change register values
  - Change control flow
  - Change memory values
Pin Work Flow Demonstration: pin.exe –t inscount.dll – gzip.exe input.txt
(inscount.dll is a PinTool that counts the application instructions executed and prints Count at the end; the run prints "Count 258743109".)

The slide's diagram, recovered as text:

• Launcher process (PIN.EXE):
  - CreateProcess(gzip.exe, input.txt, suspended)
  - Inject the Pin BootRoutine and its data into the application: GetContext(&firstAppIp), SetContext(BootRoutineIp), WriteProcessMemory(BootRoutine, BootData)
  - Resume at BootRoutine
• Application process (application code and data, plus Boot Routine + Data: firstAppIp, "inscount.dll"):
  - Load PINVM.DLL
  - Load inscount.dll and run its main()
  - Start PINVM.DLL running(firstAppIp, "inscount.dll")
• PINVM.DLL (PIN.LIB, decoder, encoder, code cache, system call dispatcher, event dispatcher, thread dispatcher; runs above NTDLL.DLL and the Windows kernel):
  - Starting at the first application IP, read a trace from the application code
  - JIT it, adding instrumentation code from inscount.dll
  - Encode the jitted trace into the code cache
  - Execute the jitted code
  - When execution of the trace ends, call into PINVM.DLL to JIT the next trace, passing in the app IP of the trace's target
  - The source trace's exit branch is modified to branch directly to the destination trace
How to instrument
Insert callback functions for instructions, basic blocks, functions and images, e.g., instruction instrumentation.
How to Pass Parameters

INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)ifun, IARG_TYPE, IARG, ..., IARG_END);

IARG_TYPE:
  - IARG_ADDRINT
  - IARG_PTR
  - IARG_BOOL
  - IARG_UINT32
  - IARG_UINT64
  - IARG_INST_PTR
  - IARG_REG_VALUE
  - IARG_REG_REFERENCE
  - IARG_REG_CONST_REFERENCE
  - ...
IARG:
  - INS_Address(ins)
  - INS_OperandReg(ins, 0)
  - INS_MemoryOperandCount(ins)
  - INS_Valid(ins)
  - ...
Instrumentation Granularity:
• Instruction instrumentation
• Basic block instrumentation
  - A sequence of instructions terminated at a control-flow changing instruction
  - Single entry, single exit
• Trace instrumentation
  - A sequence of basic blocks terminated at an unconditional control-flow changing instruction
  - Single entry, multiple exits
• Routine instrumentation
• Image instrumentation
Compare with Trace and Basic Block
Taint Analysis
• Classification of taint analysis
• Basic concept
• Introduction
• Byte or bit
• Shadow memory
• Dynamic taint analysis
Classification of Taint Analysis
• Static taint analysis
  - The advantage of using static analysis is that it provides better code coverage than dynamic analysis.
  - On the other hand, the principal disadvantage of static analysis is that it is not as accurate as dynamic analysis: it cannot access run-time information. For example, we can't retrieve register or memory values.
• Dynamic taint analysis
  - With dynamic analysis we can't cover all the code, but the results are more reliable.
Basic concept
Taint propagation:
  - If an operation uses the value of some tainted object, say X, to derive a value for another, say Y, then object Y becomes tainted. Object X tainted object Y.
Taint propagation
Basic concept
• Taint sources: program or memory locations where data of interest enter the system and subsequently get tagged. For convenience of description, we use the user input as the taint source in this course.
• Taint tracking: the process of propagating data tags according to program semantics.
• Taint sinks: program or memory locations where checks for tagged data can be made.
Introduction
Taint analysis is used to know, at a program point, which parts of memory or which registers are controllable by some data we are interested in, for example user input.
According to the instruction semantics, the taint is spread over the execution.
Introduction
For example, see the following code.
In example 1, at the beginning the 'a' and 'b' variables are not tainted. When the atoi function is called, the 'a' variable becomes tainted. Then 'b' is tainted when it is assigned the value of 'a'. Now we know that the foo2 function argument can be controlled by the user.
Introduction
In example 2, when the buffer is allocated via malloc, its content is not tainted. Then, when the allocated area is initialized by user inputs, we need to taint the bytes 'buffer+2', 'buffer+12' and 'buffer+30'. Later, when one of those bytes is read, we know it can be controlled by the user.
Byte or bit?
One of these problems is to determine which method is more accurate to do taint analysis with great precision. For example, what are we supposed to do when a controlled byte is multiplied and stored somewhere in memory? Should we taint the destination variable? See the following code.

    call atoi@plt
    mov eax, edx
    cmp eax, $0
    jse next
    cmp eax, $4
    jne next
    shl eax, 0x3
    sub eax, edx
    mov eax, DWORD PTR [rbp-0x4]
next:
    mov DWORD PTR [rbp-0x4], eax
    leave
    ret
Byte or bit?
In the previous code, we can control only 5 bits of the variable 'num', not the whole integer. So, we can't say that we control the totality of this variable when it is returned and used somewhere else.
Byte or bit?
Byte taint analysis asserts b is tainted. Bit taint analysis asserts b is not tainted.
Byte or bit?
So, what to do? Tainting bytes is easier and lighter; tainting only the bits controlled by the user is more precise. If you taint bytes, it will be easier but not fully reliable. If we taint bits, it will be harder and more difficult to manage the taint tree, but it will be 99% reliable.
Tainting bytes is enough for most situations.
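The byte-versus-bit trade-off above, shown as an added example (this is not code from the slides): byte-granular tracking marks a whole destination as tainted whenever any source byte is tainted, while bit-granular tracking keeps a mask of exactly the result bits the input can still influence. The ByteTaint/BitTaint structures, the rule functions and the "b = num & 0xF0; c = b & 0x0F" program are this example's own constructions.

```cpp
// Added example (not from the slides): byte-granular vs bit-granular taint
// propagation. The ByteTaint / BitTaint structures and the rule functions are
// this example's own design; the small program they run over is constructed.
#include <cstdint>
#include <cstdio>

// Byte-granular taint: one flag per byte of a 32-bit value.
struct ByteTaint {
    bool byte[4];
    bool any() const { return byte[0] || byte[1] || byte[2] || byte[3]; }
};

// Bit-granular taint: bit i of mask is 1 when the user controls bit i of the value.
struct BitTaint {
    uint32_t mask;
    bool any() const { return mask != 0; }
};

// Byte-level rule for an arithmetic/logic op with a tainted source: the whole
// destination is marked tainted, because a byte flag cannot say which bits survive.
ByteTaint byteOp(ByteTaint src) {
    ByteTaint r = src;
    if (src.any()) for (bool &b : r.byte) b = true;
    return r;
}

// Bit-level rules: each keeps exactly the result bits the input can still influence.
BitTaint bitAnd(BitTaint a, uint32_t c) { return {a.mask & c}; }   // bits ANDed with 0 are fixed to 0
BitTaint bitOr(BitTaint a, uint32_t c)  { return {a.mask & ~c}; }  // bits ORed with 1 are fixed to 1
BitTaint bitShl(BitTaint a, unsigned k) { return {a.mask << k}; }  // controlled bits move with the data
BitTaint bitShr(BitTaint a, unsigned k) { return {a.mask >> k}; }
// ADD/SUB with a constant: carries propagate upward, so every bit at or above
// the lowest controlled bit is conservatively marked controlled.
BitTaint bitAddConst(BitTaint a) {
    if (a.mask == 0) return a;
    uint32_t lowest = a.mask & (~a.mask + 1u);   // isolate the lowest set bit
    return {~(lowest - 1u)};                     // that bit and everything above it
}

static int popcount32(uint32_t v) {
    int n = 0;
    for (; v; v &= v - 1) ++n;
    return n;
}

// num = atoi(user input): every byte and every bit is user-controlled.
// Program under analysis: b = num & 0xF0; c = b & 0x0F
bool byteLevelSaysCTainted() {
    ByteTaint num{{true, true, true, true}};
    ByteTaint b = byteOp(num);
    ByteTaint c = byteOp(b);
    return c.any();          // true: byte tracking keeps c tainted
}
bool bitLevelSaysCTainted() {
    BitTaint num{0xFFFFFFFFu};
    BitTaint b = bitAnd(num, 0xF0u);
    BitTaint c = bitAnd(b, 0x0Fu);
    return c.any();          // false: no bit of c is user-controlled
}

// v = (num & 0x1F) << 3: bit tracking reports exactly 5 controlled bits,
// whereas byte tracking would report the whole 32-bit value as tainted.
int bitLevelControlledBits() {
    BitTaint num{0xFFFFFFFFu};
    return popcount32(bitShl(bitAnd(num, 0x1Fu), 3).mask);   // 5
}

int main() {
    std::printf("byte-level: c tainted = %d\n", byteLevelSaysCTainted());
    std::printf("bit-level:  c tainted = %d\n", bitLevelSaysCTainted());
    std::printf("bit-level:  controlled bits of (num & 0x1F) << 3 = %d\n",
                bitLevelControlledBits());
    return 0;
}
```

The byte-level result is a false positive of the cheap scheme rather than a bug: c is reported tainted although no input bit can reach it. The bit-level rules buy that precision at the cost of one rule per instruction semantics (the ADD rule already has to over-approximate carries), which is the "taint tree is harder to manage" cost the slide refers to.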
Dynamic Taint Analysis
How to do dynamic taint analysis?
Dynamic Taint Analysis
In order to do this, we need a dynamic binary instrumentation (DBI) framework. The purpose of the DBI is to add a pre/post handler on each instruction. When a handler is called, you are able to retrieve all the information you want about the instruction or the environment (memory).
We choose to use Pin: a C++ dynamic binary instrumentation framework (without IR) written by Intel.
Shadow Memory
We use shadow memory to mark all addresses that can be tainted by the origin data we are interested in.
Shadow Memory
• Shadow memory: shadow memory describes a computer science technique in which potentially every byte used by a program during its execution has a shadow byte or bytes.
• These shadow bytes are typically invisible to the original program and are used to record information about the original piece of data.
Shadow Memory
• Shadow memory
  - We need a mapping
    - Addr → AbstractState
    - Register → AbstractState
Dynamic Taint Analysis
First we need to determine all user inputs, like the environment and syscalls. We begin by tainting these inputs, and we spread/remove the taint when we have instructions like GET/PUT and LOAD/STORE.
Dynamic Taint Analysis
• For this first example, we are going to taint the 'read' memory area and we will see a brief overview of the Pin API. For this first test we will:
  - Catch the sys_read syscall.
  - Get the second and the third argument for the taint area.
  - Call a handler when we have an instruction like LOAD or STORE in this area.
  - Spread the taint.
Catch the syscalls
When a syscall occurs, we will check if the syscall is read. Then, we save the second and third arguments, which describe our memory area. The second argument is the start address of the memory the syscall is writing to. The third argument is the length of data to write to that memory.
Catch the LOAD and STORE instructions
Now we need to catch all instructions that read (LOAD) or write (STORE) in the tainted area. To do that, we will add a function called each time an access to this area is made.
Hook Load Instruction

Hook Store Instruction
Spread the taint
Imagine you LOAD a value into a register from the tainted memory, then you STORE this register in another memory location. In this case, we need to taint the register and the new memory location. In the same way, if a constant is STORED in the tainted memory area, we need to delete the taint because the user can't control this memory location anymore.
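The four steps of the first example (catch sys_read, record the buffer and length, hook LOAD/STORE, spread the taint) as one added, self-contained simulation; this is not the lecture's pintool and it runs without Pin. The hooks onSyscallEntry, onLoad, onStore and onMovImm stand in for the analysis routines a real pintool would register with PIN_AddSyscallEntryFunction (reading the number and arguments with PIN_GetSyscallNumber / PIN_GetSyscallArgument) and with INS_InsertCall on instructions for which INS_IsMemoryRead / INS_IsMemoryWrite holds, passing IARG_MEMORYREAD_EA / IARG_MEMORYREAD_SIZE or the WRITE variants. The addresses, register names and instruction trace in the scenario are constructed.

```cpp
// Added example (not the lecture's pintool): a self-contained simulation of the
// dynamic taint analysis the slides describe. The hooks below stand in for the
// analysis routines a real pintool registers with PIN_AddSyscallEntryFunction and
// INS_InsertCall; the addresses, register names and trace are constructed.
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <string>

const int SYS_READ_NR = 0;   // Linux x86-64 syscall number of read(2)

// Shadow memory: the set of tainted byte addresses (Addr -> "tainted";
// addresses absent from the set are untainted).
static std::set<uint64_t> shadowMem;
// Shadow registers: Register -> tainted?
static std::map<std::string, bool> shadowReg;

bool isTaintedMem(uint64_t ea, unsigned size) {
    for (unsigned i = 0; i < size; ++i)
        if (shadowMem.count(ea + i)) return true;
    return false;
}
bool isTaintedReg(const std::string &reg) {
    auto it = shadowReg.find(reg);
    return it != shadowReg.end() && it->second;
}

// Taint source: at syscall entry, read(fd, buf, count) means the kernel will
// fill [buf, buf+count) with user input, so every byte of that area is tainted.
void onSyscallEntry(int nr, uint64_t arg1_buf, uint64_t arg2_count) {
    if (nr != SYS_READ_NR) return;
    for (uint64_t a = arg1_buf; a < arg1_buf + arg2_count; ++a) shadowMem.insert(a);
}

// LOAD reg <- [ea, ea+size): the register is tainted iff any source byte is.
void onLoad(const std::string &reg, uint64_t ea, unsigned size) {
    shadowReg[reg] = isTaintedMem(ea, size);
}

// STORE [ea, ea+size) <- reg: the destination bytes take the register's taint.
// Storing an untainted value (e.g. a constant) therefore removes the taint,
// because the user no longer controls those bytes.
void onStore(const std::string &reg, uint64_t ea, unsigned size) {
    bool t = isTaintedReg(reg);
    for (unsigned i = 0; i < size; ++i) {
        if (t) shadowMem.insert(ea + i);
        else   shadowMem.erase(ea + i);
    }
}

// Constant written to a register (e.g. mov ebx, 0): the register is untainted.
void onMovImm(const std::string &reg) { shadowReg[reg] = false; }

struct ScenarioResult {
    bool eaxTainted;         // register loaded from the read buffer
    bool copyTainted;        // bytes the tainted register was stored to
    bool overwrittenTainted; // buffer bytes overwritten with a constant
    bool untouchedTainted;   // buffer bytes never overwritten
};

// Constructed trace that follows the slides' first example:
//   read(0, buf=0x1000, 16)    taints [0x1000, 0x1010)
//   eax <- LOAD [0x1004], 4    eax becomes tainted
//   STORE [0x2000], eax, 4     [0x2000, 0x2004) becomes tainted
//   mov ebx, 0                 ebx untainted
//   STORE [0x1004], ebx, 4     [0x1004, 0x1008) is untainted again
ScenarioResult runScenario() {
    shadowMem.clear();
    shadowReg.clear();
    onSyscallEntry(SYS_READ_NR, 0x1000, 16);
    onLoad("eax", 0x1004, 4);
    onStore("eax", 0x2000, 4);
    onMovImm("ebx");
    onStore("ebx", 0x1004, 4);
    return { isTaintedReg("eax"), isTaintedMem(0x2000, 4),
             isTaintedMem(0x1004, 4), isTaintedMem(0x1008, 8) };
}

int main() {
    ScenarioResult r = runScenario();
    std::printf("eax tainted after LOAD from read buffer: %d\n", r.eaxTainted);
    std::printf("[0x2000,0x2004) tainted after STORE eax: %d\n", r.copyTainted);
    std::printf("[0x1004,0x1008) tainted after STORE of constant: %d\n", r.overwrittenTainted);
    std::printf("[0x1008,0x1010) still tainted: %d\n", r.untouchedTainted);
    return 0;
}
```

The shadow memory is a set rather than a parallel byte array so that the simulation can taint arbitrary addresses; a production tool would use a page-table-like structure for the same Addr → AbstractState mapping. The register map only tracks whole registers, which is the byte-granular choice the earlier slides settle on.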
Taint analysis for security
• Detect Overflow-Return-Address
Detect Overflow-Return-Address
• How to check if the return address is overflowed?
• How to get the esp value pointing to the return address?
Check the return address
Before every return: if the memory at %esp (the return address that ret pops) is tainted, the return address has been overflowed.
Get esp value
  - Get the CPU context
  - Get the esp value
  - Instrument the return
  - Check the esp value
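The return-address sink check of the last three slides as an added example (not the lecture's code), simulated without Pin: a constructed 32-bit frame with a 16-byte local buffer, the saved ebp and the return address slot, a read(2) of a chosen length into the buffer, and the check a tool would run before every RET. In a real pintool the check is inserted with INS_InsertCall on each RET and esp is taken from the CPU context (IARG_REG_VALUE with REG_ESP); the frame layout, addresses and read lengths below are this example's own assumptions.

```cpp
// Added example (not the lecture's code): the "check the return address" sink
// simulated without Pin. A real pintool inserts this check before every RET and
// obtains esp from the CPU context; the stack layout and read lengths are constructed.
#include <cstdint>
#include <cstdio>
#include <set>

// Shadow memory for the simulated 32-bit stack: the set of tainted byte addresses.
static std::set<uint32_t> taintedBytes;

// Constructed frame of a 32-bit callee, lowest address first:
//   [0x100, 0x110)  16-byte local buffer
//   [0x110, 0x114)  saved ebp
//   [0x114, 0x118)  return address; esp points here just before RET
const uint32_t BUF_ADDR = 0x100;
const uint32_t BUF_SIZE = 16;
const uint32_t RET_SLOT = 0x114;

// Taint source: read(fd, buf, count) fills [buf, buf+count) with user input.
void taintReadArea(uint32_t buf, uint32_t count) {
    for (uint32_t a = buf; a < buf + count; ++a) taintedBytes.insert(a);
}

// Sink check executed before every RET: if any of the 4 bytes at [esp, esp+4)
// is tainted, user input has reached the return address.
bool returnAddressTainted(uint32_t esp) {
    for (uint32_t i = 0; i < 4; ++i)
        if (taintedBytes.count(esp + i)) return true;
    return false;
}

// Scenario: the callee reads `count` bytes into its 16-byte buffer and returns.
// Returns true when the check would raise an alert for that read length.
bool overflowDetected(uint32_t count) {
    taintedBytes.clear();
    taintReadArea(BUF_ADDR, count);
    return returnAddressTainted(RET_SLOT);
}

int main() {
    const uint32_t lengths[] = {BUF_SIZE, 20, 24};
    for (uint32_t n : lengths)
        std::printf("read of %2u bytes into a %u-byte buffer: %s\n", n, BUF_SIZE,
                    overflowDetected(n) ? "ALERT: return address tainted" : "ok");
    return 0;
}
```

Because this is a sink check, it fires only when tainted bytes actually overlap the return address slot: in this layout a 20-byte read clobbers the saved ebp but is not reported, so a tool that wants to catch every out-of-bounds write needs bounds information in addition to taint. The check is also independent of the value written, which is what makes it robust against data that happens to look like a valid address.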
Example