Taint-based Dynamic Analysis (CoC Research Day 2009)
Uploaded by james-clause
Taint-based Dynamic Analysis
CoC Research Day - 9/25/2009
Designed at Apple in California; assembled at Georgia Tech
Dynamic Tainting Overview
1. Assign taint marks
2. Propagate taint marks
3. Check taint marks
[Figure: data items A, B and C are tagged with taint marks 1, 2 and 3 at assignment; the marks travel with the data through the computation to the result Z, where they are checked.]
Dynamic Tainting Applications
• Attack detection / prevention: prevent stack smashing, SQL injection, buffer overruns, etc.
• Information policy enforcement: ensure classified information does not leave the system
• Testing: coverage metrics, test data generation heuristic, etc.
• Memory errors: detect illegal memory access, leak detection, etc. (the rest of the talk focuses on leak detection)
• Data lifetime: track how long sensitive data remains in an application
Detecting leaks is easy; fixing them is not

```c
/* Excerpt from the benchmark's hash.c as shown on the slides; hashtab,
 * netctr, HASHPTR and HASHBOX are defined elsewhere in that program. */
addhash(char hname[]) {
    int i;
    HASHPTR hptr;
    unsigned int hsum = 0;

    for(i = 0 ; i < strlen(hname) ; i++) {
        hsum += (unsigned int) hname[i];
    }
    hsum %= 3001;
    if((hptr = hashtab[hsum]) == (HASHPTR) NULL) {
        hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX));
        hptr->hnext = (HASHPTR) NULL;
        hptr->hnum = ++netctr;
        /* line 46: the name buffer allocated here is the block that leaks */
        hptr->hname = (char *) malloc((strlen(hname) + 1) * sizeof(char));
        sprintf(hptr->hname , "%s" , hname);
        return(1);
    } else {
        ...
    }
}
```
Leak Detection Overview
Discover where the last pointer to un-freed memory is lost.

Assign taint marks: every allocation gets its own mark ("color"); each mark records the number of pointers currently tainted with this color.
Propagate taint marks: in general, propagation follows standard pointer arithmetic rules.
Check taint marks: report an error if a taint mark's count is zero and the memory has not been freed.

| Statement | Tainted pointers afterwards | Count per mark |
|---|---|---|
| ptr1 = malloc(...) | ptr1 (mark 1) | mark 1: 1 |
| ptr2 = calloc(...) | ptr2 (mark 2) | mark 1: 1, mark 2: 1 |
| ptr3 = ptr1 | ptr3, ptr1 (mark 1) | mark 1: 2, mark 2: 1 |
| ptr1 = NULL | ptr3 (mark 1); ptr1 untainted | mark 1: 1, mark 2: 1 |
| ptr4 = ptr2 + 1 | ptr4, ptr2 (mark 2) | mark 1: 1, mark 2: 2 |
Detecting leaks is easy; fixing them is, too

The block that leaks is the name buffer from line 46 of addhash:

```c
hptr->hname = (char *) malloc((strlen(hname) + 1) * sizeof(char));
```

Leakpoint points at the free in delHtab where the last pointer to that buffer is lost (the HASHBOX holding hptr->hname is released without the name itself), so the fix goes right there: free(hptr->hname) before the box is freed.

```c
/* Excerpt from the benchmark's hash.c as shown on the slides, with the fix applied. */
delHtab() {
    int i;
    HASHPTR hptr , zapptr;

    for(i = 0; i < 3001; i++) {
        hptr = hashtab[i];
        if(hptr != (HASHPTR) NULL) {
            zapptr = hptr ;
            while(hptr->hnext != (HASHPTR) NULL) {
                hptr = hptr->hnext;
                free(zapptr->hname);   /* same fix for every box in the chain */
                free(zapptr);
                zapptr = hptr ;
            }
            free(hptr->hname);         /* the fix: release the name before its box */
            free(hptr);
        }
    }
    free(hashtab);
    return;
}
```
Leakpoint implementation

Leakpoint reports both where the leaked block was allocated and where the last pointer to it was lost:

```
Pointer to memory area 0x1C93AC0 (16 bytes)
  allocated: at malloc
    by addhash (hash.c:50)
    by parser (parser.c:210)
    by readcell (parser.c:34)
    by main (main.c:98)
  was leaked: at free
    by delHtab (hash.c:28)
    by grdcell (grdcell.c:354)
    by main (main.c:227)
```
Evaluation
Transmission: the locations identified by Leakpoint correspond to where the leaks were fixed by developers.
Also found thousands of leaks in the SPEC INT benchmarks.

```c
/* Excerpts from Transmission as shown on the slides. processCompletedTasks
 * releases the task but hands done_func_user_data to the callback;
 * invokeRequest allocates that user data (hash) and passes it along. */
static void processCompletedTasks(tr_web *web) {
    ...
    task->done_func(web->session, ..., task->done_func_user_data);
    ...
    evbuffer_free(task->response);
    tr_free(task->url);
    tr_free(task);
    ...
}

static void invokeRequest(void * vreq) {
    ...
    hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH);
    memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH);
    tr_webRun(req->session, req->url, req->done_func, hash);
    ...
}

/* The callback is the last holder of torrent_hash; the free of the user data
 * highlighted on the slide is the location Leakpoint identified. */
static void onStoppedResponse(tr_session *session, ..., void *torrent_hash) {
    dbgmsg(NULL, "got a response ... message");
    // tr_free(torrent_hash);
    onReqDone(session);
}
```
Overhead
Powerful but expensive: 50 - 100x overheads are common.
• Execution time is completely automated
• Developers have to think less

Questions?