Abstract
Dynamic taint analysis and forward symbolic execution are quickly becoming staple techniques in security analyses. Example applications of dynamic taint analysis and forward symbolic execution include malware analysis, input filter generation, test case generation, and vulnerability discovery. Despite the widespread usage of these two techniques, there has been little effort to formally define the algorithms and summarize the critical issues that arise when these techniques are used in typical security contexts. The contributions of this paper are two-fold. First, we precisely describe the algorithms for dynamic taint analysis and forward symbolic execution as extensions to the run-time semantics of a general language. Second, we highlight important implementation choices, common pitfalls, and considerations when using these techniques in a security context.
Highlights
Dynamic analysis — the ability to monitor code as it executes — has become a fundamental tool in computer security research
Dynamic analysis is attractive because it allows us to reason about actual executions, and can perform precise security analysis based upon run-time information
Dynamic forward symbolic execution automatically builds a logical formula describing a program execution path, which reduces the problem of reasoning about the execution to the domain of logic
Summary
Dynamic analysis — the ability to monitor code as it executes — has become a fundamental tool in computer security research. Security research areas employing dynamic taint analysis, forward symbolic execution, or a mix of the two include: 1) Unknown Vulnerability Detection. Taint analysis and forward symbolic execution are used to automatically generate inputs to test programs [17, 19, 36, 57], and can generate inputs that cause two implementations of the same protocol to behave differently [10, 17]. Given the large number and variety of application domains, one would imagine that implementing dynamic taint analysis and forward symbolic execution would be a textbook problem. We show how our formalization can be used to tease out and describe common implementation details, caveats, and choices as found in various security applications.
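To make the two techniques concrete, here is an added example (not code from the paper or its authors) of a tiny interpreter for an assumed SimpIL-style language that runs dynamic taint analysis and forward symbolic execution side by side: every operation propagates taint from input-derived operands, every branch appends its condition to a path predicate, and the collected predicate is then used to find an input that drives execution down the other side of the last branch. The language, the sample program, the tainted-jump policy and the brute-force stand-in for an SMT solver are all assumptions made for this illustration.

```python
"""Constructed example: dynamic taint analysis + forward symbolic execution
for a toy SimpIL-style language. Not the paper's own code."""

from dataclasses import dataclass, field

# Binary operators; comparisons yield 0/1 so every value is an int.
OPS = {
    "+": lambda a, b: a + b,
    "-": lambda a, b: a - b,
    "*": lambda a, b: a * b,
    "<": lambda a, b: int(a < b),
    "==": lambda a, b: int(a == b),
}

# Statements (program counter = list index):
#   ("assign", var, expr)   expr: int | var name | ("input",) | (op, e1, e2)
#   ("if", expr, target)    jump to target if expr != 0, else fall through
#   ("goto", expr)          indirect jump to the value of expr
#   ("halt",)


class TaintPolicyViolation(Exception):
    """Raised when a tainted value reaches a policy-forbidden sink."""


@dataclass
class State:
    inputs: list                                # concrete inputs, consumed in order
    mem: dict = field(default_factory=dict)     # var -> concrete value
    taint: dict = field(default_factory=dict)   # var -> tainted?
    sym: dict = field(default_factory=dict)     # var -> symbolic expression
    path: list = field(default_factory=list)    # path predicate: (sym_cond, taken)
    n_in: int = 0                               # inputs read so far


def eval_expr(e, st):
    """Return (concrete value, tainted?, symbolic expr) for expression e."""
    if isinstance(e, int):
        return e, False, e                       # constants: untainted, concrete
    if isinstance(e, str):
        return st.mem[e], st.taint[e], st.sym[e]
    if e[0] == "input":
        name, v = f"in{st.n_in}", st.inputs[st.n_in]
        st.n_in += 1
        return v, True, name                     # input = taint source + fresh symbol
    op, a, b = e
    va, ta, sa = eval_expr(a, st)
    vb, tb, sb = eval_expr(b, st)
    # Taint: result is tainted if either operand is. Symbolic value: the op
    # applied to operand symbols, constant-folded when neither is symbolic.
    sym = OPS[op](sa, sb) if isinstance(sa, int) and isinstance(sb, int) else (op, sa, sb)
    return OPS[op](va, vb), ta or tb, sym


def run(prog, inputs, max_steps=1000):
    """Execute prog concretely while tracking taint and the symbolic path."""
    st, pc = State(list(inputs)), 0
    for _ in range(max_steps):
        stmt = prog[pc]
        if stmt[0] == "assign":
            _, var, e = stmt
            st.mem[var], st.taint[var], st.sym[var] = eval_expr(e, st)
            pc += 1
        elif stmt[0] == "if":
            _, cond, target = stmt
            v, _, s = eval_expr(cond, st)
            taken = v != 0
            st.path.append((s, taken))           # remember which way we went
            pc = target if taken else pc + 1
        elif stmt[0] == "goto":
            v, t, s = eval_expr(stmt[1], st)
            if t:                                # tainted-jump policy check
                raise TaintPolicyViolation(f"tainted jump target {render(s)}")
            pc = v
        elif stmt[0] == "halt":
            return st
        else:
            raise ValueError(f"unknown statement {stmt}")
    raise RuntimeError("step limit exceeded")


def render(s):
    """Pretty-print a symbolic expression."""
    return f"({render(s[1])} {s[0]} {render(s[2])})" if isinstance(s, tuple) else str(s)


def sym_eval(s, env):
    """Evaluate a symbolic expression under env: symbol name -> int."""
    if isinstance(s, int):
        return s
    if isinstance(s, str):
        return env[s]
    return OPS[s[0]](sym_eval(s[1], env), sym_eval(s[2], env))


def flip_last_branch(path, lo=-64, hi=64):
    """Negate the last branch of the path predicate and search a small range for
    an input satisfying it (brute-force stand-in for an SMT query; assumes the
    program reads a single input symbol "in0"). Returns the input or None."""
    flipped = path[:-1] + [(path[-1][0], not path[-1][1])]
    for v in range(lo, hi + 1):
        if all((sym_eval(s, {"in0": v}) != 0) == taken for s, taken in flipped):
            return v
    return None


# Constructed sample program: input flows into an arithmetic result that
# selects between a benign exit and an indirect jump through a tainted value.
PROG = [
    ("assign", "x", ("input",)),                 # 0: x = input()
    ("assign", "y", ("+", ("*", "x", 2), 1)),    # 1: y = 2*x + 1
    ("if", ("<", "y", 10), 5),                   # 2: if y < 10 goto 5
    ("assign", "t", "y"),                        # 3: t = y
    ("goto", "t"),                               # 4: goto t  (input-derived target)
    ("assign", "z", 0),                          # 5: z = 0
    ("halt",),                                   # 6
]

if __name__ == "__main__":
    st = run(PROG, [3])
    print("taint:", st.taint, "path:", [(render(s), k) for s, k in st.path])
    new_input = flip_last_branch(st.path)
    print("input flipping last branch:", new_input)
    try:
        run(PROG, [new_input])
    except TaintPolicyViolation as exc:
        print("policy violation on second run:", exc)
```

Running it on input 3 takes the `y < 10` branch, records the path predicate `((in0 * 2) + 1) < 10`, and marks `x` and `y` tainted while `z` stays clean; negating that constraint yields input 5, and re-running on 5 reaches the indirect `goto` with a tainted target, which the policy flags. A real system would hand the negated predicate to an SMT solver instead of enumerating a range, but the division of labour is the same: taint tracking answers "is this value attacker-influenced?" at the sink, and the symbolic path predicate answers "which input reaches this sink?".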