Abstract

Dynamic taint analysis is a commonly used technique in software security. By tracking the processing of tainted data in the program, dynamic taint analysis can provide users with information on how the variables they are interested in are affected by the program input. The information is stored in tags corresponding to the variables, and the type of the tag determines the level of detail it can store. While integer tags can only indicate whether the taint exists, container tags provide knowledge of which part of the input the taint originated from. This knowledge is crucial for fields such as protocol reverse engineering and fuzzing. Despite their advantages, container tags suffer from low execution efficiency. In some applications, the execution time can increase by thousands of times as compared to the use of integer tags. In this paper, we propose an efficient container tag scheme based on the Reduced Ordered Binary Decision Diagram. The test results indicate that our container tag scheme achieves average speedups of 7.53x and 100.96x compared to the two container tag schemes utilized in libdft64.
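The contrast the abstract draws between integer tags and container tags is easiest to see in a small taint tracker that carries both tag styles side by side. The following is an added illustration, not code from the paper or from libdft64: the class and function names (`Tainted`, `taint_source`, `parse_length`, `checksum`, `report`) and the sample message are constructed here, and the container tag is represented as a plain Python `frozenset` of input offsets, which is the straightforward representation whose per-operation set-union cost the paper's ROBDD-based scheme is designed to reduce (the ROBDD encoding itself is not implemented here).

```python
"""Toy dynamic taint tracker: integer tags versus container tags.

Added illustration, not the paper's code or libdft64's. The names and the
sample message below are made up for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Tainted:
    """A value carrying both tag styles so their expressiveness can be compared.

    present: integer-style tag, records only whether any taint reached the value.
    origins: container-style tag, records the set of input offsets the value
             depends on (a plain frozenset here; the paper's ROBDD scheme is a
             compact encoding of this kind of set).
    """
    value: int
    present: bool
    origins: FrozenSet[int]

    @staticmethod
    def from_input(offset: int, byte: int) -> "Tainted":
        # Taint source: one input byte, tagged with its own offset.
        return Tainted(byte, True, frozenset({offset}))

    @staticmethod
    def const(value: int) -> "Tainted":
        # Program constants carry no taint at all.
        return Tainted(value, False, frozenset())

    def _combine(self, other: "Tainted", value: int) -> "Tainted":
        # Propagation rule for binary operations: integer tags OR together,
        # container tags take the union of their offset sets. That union on
        # every instruction is what makes naive container tags slow.
        return Tainted(value & 0xFFFFFFFF,
                       self.present or other.present,
                       self.origins | other.origins)

    def __add__(self, other: "Tainted") -> "Tainted":
        return self._combine(other, self.value + other.value)

    def __or__(self, other: "Tainted") -> "Tainted":
        return self._combine(other, self.value | other.value)

    def __and__(self, other: "Tainted") -> "Tainted":
        return self._combine(other, self.value & other.value)

    def __lshift__(self, other: "Tainted") -> "Tainted":
        return self._combine(other, self.value << other.value)


def taint_source(data: bytes) -> List[Tainted]:
    """Mark every byte of the program input with its offset (the taint source)."""
    return [Tainted.from_input(i, b) for i, b in enumerate(data)]


def parse_length(msg: List[Tainted]) -> Tainted:
    """Big-endian 16-bit length field in bytes 0..1, as a parser would compute it."""
    return (msg[0] << Tainted.const(8)) | msg[1]


def checksum(msg: List[Tainted]) -> Tainted:
    """8-bit additive checksum over the whole message."""
    total = Tainted.const(0)
    for b in msg:
        total = total + b
    return total & Tainted.const(0xFF)


# Constructed sample message: 2-byte length field, then 4 payload bytes.
SAMPLE = b"\x00\x04ABCD"


def report(data: bytes = SAMPLE) -> dict:
    """Return what each tag style can say about the parsed fields."""
    msg = taint_source(data)
    length, ck = parse_length(msg), checksum(msg)
    return {
        "length_value": length.value,
        "length_tainted": length.present,          # integer tag: only "yes"
        "length_origins": sorted(length.origins),  # container tag: offsets 0 and 1
        "checksum_tainted": ck.present,
        "checksum_origins": sorted(ck.origins),    # every offset of the input
    }


if __name__ == "__main__":
    for key, val in report().items():
        print(f"{key}: {val}")
```

Both derived values are simply "tainted" under the integer tag, whereas the container tag distinguishes the length field (offsets 0 and 1) from the checksum (all six offsets); that distinction is the input-to-field mapping that protocol reverse engineering and taint-guided fuzzing rely on, and every propagation step here pays for it with a set union.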
