Abstract

Dynamic taint analysis and forward symbolic execution are quickly becoming staple techniques in security analyses. Example applications of dynamic taint analysis and forward symbolic execution include malware analysis, input filter generation, test case generation, and vulnerability discovery. Despite the widespread usage of these two techniques, there has been little effort to formally define the algorithms and summarize the critical issues that arise when these techniques are used in typical security contexts. The contributions of this paper are two-fold. First, we precisely describe the algorithms for dynamic taint analysis and forward symbolic execution as extensions to the run-time semantics of a general language. Second, we highlight important implementation choices, common pitfalls, and considerations when using these techniques in a security context.

Highlights

  • Dynamic analysis — the ability to monitor code as it executes — has become a fundamental tool in computer security research

  • Dynamic analysis is attractive because it allows us to reason about actual executions, and can perform precise security analysis based upon run-time information

  • Dynamic forward symbolic execution automatically builds a logical formula describing a program execution path, which reduces the problem of reasoning about the execution to the domain of logic


Summary

INTRODUCTION

Dynamic analysis — the ability to monitor code as it executes — has become a fundamental tool in computer security research. Example security research areas employing either dynamic taint analysis, forward symbolic execution, or a mix of the two include: 1) Unknown Vulnerability Detection. Taint analysis and forward symbolic execution are used to automatically generate inputs to test programs [17, 19, 36, 57], and can generate inputs that cause two implementations of the same protocol to behave differently [10, 17]. Given the large number and variety of application domains, one would imagine that implementing dynamic taint analysis and forward symbolic execution would be a textbook problem. We show how our formalization can be used to tease out and describe common implementation details, caveats, and choices as found in various security applications.
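As an added illustration (not code from the paper), the following toy interpreter runs a concrete execution of a small assignment-and-branch language while doing both analyses the paper formalizes at once: it propagates a taint bit from `get_input` through assignments, and it records the symbolic path predicate at every branch whose condition depends on input. The language, its tuple encoding and the `PROGRAM` sample are this example's own assumptions, not the paper's definitions.

```python
import operator
# Binary operators of the toy language (constructed for this example).
OPS = {"+": operator.add, "-": operator.sub, "<": operator.lt, "==": operator.eq}

def evaluate(expr, env, symenv):
    """Return (concrete value, tainted?, symbolic formula) for an expression."""
    kind = expr[0]
    if kind == "const":
        return expr[1], False, str(expr[1])
    if kind == "var":
        tainted, sym = symenv[expr[1]]
        return env[expr[1]], tainted, sym
    if kind == "binop":
        op, lhs, rhs = expr[1:]
        lv, lt, ls = evaluate(lhs, env, symenv)
        rv, rt, rs = evaluate(rhs, env, symenv)
        # Taint policy: the result is tainted if either operand is tainted.
        return OPS[op](lv, rv), lt or rt, f"({ls} {op} {rs})"
    raise ValueError(f"unknown expression {expr!r}")

def run(program, inputs):
    """Run `program` concretely on `inputs`; return the taint map and path predicate."""
    env, symenv, path, pc, inputs, n_inputs = {}, {}, [], 0, list(inputs), 0
    while True:
        stmt = program[pc]
        if stmt[0] == "input":            # x := get_input(): tainted, fresh symbol
            env[stmt[1]] = inputs.pop(0)
            symenv[stmt[1]] = (True, f"in{n_inputs}")
            n_inputs, pc = n_inputs + 1, pc + 1
        elif stmt[0] == "assign":         # x := e: taint and symbol flow from e
            env[stmt[1]], tainted, sym = evaluate(stmt[2], env, symenv)
            symenv[stmt[1]] = (tainted, sym)
            pc += 1
        elif stmt[0] == "cjmp":           # if e goto t else goto f
            val, tainted, sym = evaluate(stmt[1], env, symenv)
            if tainted:                   # only input-derived conditions constrain the path
                path.append(sym if val else f"not {sym}")
            pc = stmt[2] if val else stmt[3]
        elif stmt[0] == "halt":
            return {x: t for x, (t, _) in symenv.items()}, path

# Constructed sample program: y := input + 1; z := 7; if y < 10 then w := z + y.
PROGRAM = [
    ("input", "x"),
    ("assign", "y", ("binop", "+", ("var", "x"), ("const", 1))),
    ("assign", "z", ("const", 7)),
    ("cjmp", ("binop", "<", ("var", "y"), ("const", 10)), 4, 5),
    ("assign", "w", ("binop", "+", ("var", "z"), ("var", "y"))),
    ("halt",),
]
```

Running `run(PROGRAM, [3])` marks `x`, `y` and `w` tainted but not the constant `z`, and yields the single path constraint `((in0 + 1) < 10)`; negating that constraint is what a test-generation tool would hand to a solver to reach the other branch.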

Outline

  • Overview
  • Operational Semantics
  • Language Discussion
  • DYNAMIC TAINT ANALYSIS
  • Dynamic Taint Analysis Semantics
  • Dynamic Taint Policies
  • A Typical Taint Policy
  • Dynamic Taint Analysis Challenges and Opportunities
  • FORWARD SYMBOLIC EXECUTION
  • Applications and Advantages
  • Semantics of Forward Symbolic Execution
  • Forward Symbolic Execution Example
  • Forward Symbolic Execution Challenges and Opportunities
  • Formalization and Systematization
  • Applications
  • CONCLUSION