Dynamic Taint Analysis Research Articles

HardTaint: Production-Run Dynamic Taint Analysis via Selective Hardware Tracing

Dynamic taint analysis (DTA), as a fundamental analysis technique, is widely used in security, privacy, and diagnosis, etc. As DTA demands to collect and analyze massive taint data online, it suffers extremely high runtime overhead. Over the past decades, numerous attempts have been made to lower the overhead of DTA. Unfortunately, the reductions they achieved are marginal, causing DTA only applicable to the debugging/testing scenarios. In this paper, we propose and implement HardTaint, a system that can realize production-run dynamic taint tracking. HardTaint adopts a hybrid and systematic design which combines static analysis, selective hardware tracing and parallel graph processing techniques. The comprehensive evaluations demonstrate that HardTaint introduces only around 8% runtime overhead which is an order of magnitude lower than the state-of-the-arts, while without sacrificing any taint detection capability.

TAICHI: Transform Your Secret Exploits Into Mine From a Victim's Perspective

Acquiring and analyzing exploits, which take advantage of vulnerabilities to conduct malicious actions, are crucial for victims (and defenders) when responding to system compromising incidents. However, exploits are sensitive and valuable assets that are not available to victims. The most common resource available for victims to investigate is network traffic, which covers the exploitation period. Thus reconstructing exploits from network traffic is demanded. In practice, the reconstruction process is performed manually, thus inefficient and non-scalable. In this paper, we present an automated solution <monospace xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">TAICHI</monospace> to reconstruct exploits from network traffic, able to generate replica exploits and facilitate timely incident analysis. By nature, a working exploit has to satisfy (1) <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">path constraints</i> which ensure the program path same as the original exploit’s is explored and the same vulnerability is triggered, and (2) <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">exploit constraints</i> which ensure the same exploitation strategy is applied, e.g., to bypass deployed defenses or to stitch multiple gadgets together. We propose a hybrid solution to this problem by integrating techniques including multi-version execution (MVE), dynamic taint analysis (DTA), and concolic execution. We have implemented a prototype of <monospace xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">TAICHI</monospace> on x86 and x86-64 Linux and tested it on the Cyber Grand Challenge (CGC) dataset, several Capture the Flag (CTF) challenges, and Metasploit exploit modules targeting real world applications. The evaluation results showed that <monospace xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">TAICHI</monospace> could reconstruct exploits efficiently with a high success rate. Moreover, it could be applied to production environments without disrupting running services, and could reconstruct exploits even if only one round of exploitation traffic is available.

Design and implementation of an efficient container tag dynamic taint analysis

Dynamic taint analysis is a commonly used technique in software security. By tracking the processing of tainted data in the program, dynamic taint analysis can provide users with information on how the variables they are interested in are affected by the program input. The information is stored in tags corresponding to the variables, and the type of the tag determines the level of detail it can store. While integer tags can only indicate whether the taint exists, container tags provide knowledge of which part of the input the taint originated from. This knowledge is crucial for fields such as protocol reverse engineering and fuzzing. Despite their advantages, container tags suffer from low execution efficiency. In some applications, the execution time can increase by thousands of times as compared to the use of integer tags. In this paper, we propose an efficient container tag scheme based on the Reduced Ordered Binary Decision Diagram. The test results indicate that our container tag scheme achieves average speedups of 7.53x and 100.96x compared to the two container tag schemes utilized in libdft64.

Automatic protocol reverse engineering for industrial control systems with dynamic taint analysis

Automatic protocol reverse engineering for industrial control systems with dynamic taint analysis

SAMLDroid: A Static Taint Analysis and Machine Learning Combined High-Accuracy Method for Identifying Android Apps with Location Privacy Leakage Risks.

Insecure applications (apps) are increasingly used to steal users’ location information for illegal purposes, which has aroused great concern in recent years. Although the existing methods, i.e., static and dynamic taint analysis, have shown great merit for identifying such apps, which mainly rely on statically analyzing source code or dynamically monitoring the location data flow, identification accuracy is still under research, since the analysis results contain a certain false positive or true negative rate. In order to improve the accuracy and reduce the misjudging rate in the process of vetting suspicious apps, this paper proposes SAMLDroid, a combined method of static code analysis and machine learning for identifying Android apps with location privacy leakage, which can effectively improve the identification rate compared with existing methods. SAMLDroid first uses static analysis to scrutinize source code to investigate apps with location acquiring intentions. Then it exploits a well-trained classifier and integrates an app’s multiple features to dynamically analyze the pattern and deliver the final verdict about the app’s property. Finally, it is proved by conducting experiments, that the accuracy rate of SAMLDroid is up to 98.4%, which is nearly 20% higher than Apparecium.

DRTaint: A Dynamic Taint Analysis Framework Supporting Correlation Analysis Between Data Regions

Taint analysis is a common technology for software analysis, which is widely used in the region of information security. Aiming at the problem that the existing binary program dynamic taint analysis framework does not support “replay” analysis and the analysis efficiency is low, a taint analysis framework called DRTaint is proposed. DRTaint is a universal taint analysis framework that supports correlation analysis between data regions. Experiments show that DRTaint shows good performance advantages when performing taint analysis many times on one program. On the basis of DRTaint, this paper studies the malicious code behavior extraction method based on taint analysis, and the research finds that DRTaint can provide better support for malicious code behavior extraction.

Platform-Independent Dynamic Taint Analysis for JavaScript

Previous approaches to dynamic taint analysis for JavaScript are implemented directly in a browser or JavaScript engine, limiting their applicability to a single platform and requiring ongoing maintenance as platforms evolve, or they require nontrivial program transformations. We present an approach that relies on instrumentation to encode taint propagation as instructions for an abstract machine. Our approach has two key advantages: it is platform-independent and can be used with any existing JavaScript engine, and it can track taint on primitive values without requiring the introduction of wrapper objects. Furthermore, our technique enables multiple deployment scenarios by varying when and where the generated instructions are executed and it supports indirect taint sources, i.e., situations where taint enters an application via arguments passed to dynamically registered event-listener functions. We implemented the technique for the ECMAScript 5 language in a tool called Ichnaea, and evaluated it on 22 NPM modules containing several types of injection vulnerabilities, including 4 modules containing vulnerabilities that were not previously discovered and reported. On these modules, run-time overheads range from 3.17x to 38.42x, which is significantly better than a previous transformation-based technique. We also report on a case study that shows how Ichnaea can be used to detect privacy leaks in a Tizen web application for the Samsung Gear S2 smart watch.

Tell You a Definite Answer: Whether Your Data is Tainted During Thread Scheduling

With the advent of multicore processors, there is a great need to write parallel programs to take advantage of parallel computing resources. However, due to the nondeterminism of parallel execution, the malware behaviors sensitive to thread scheduling are extremely difficult to detect. Dynamic taint analysis is widely used in security problems. By serializing a multithreaded execution and then propagating taint tags along the serialized schedule, existing dynamic taint analysis techniques lead to under-tainting with respect to other possible interleavings under the same input. In this paper, we propose an approach called DSTAM that integrates symbolic analysis and guided execution to systematically detect tainted instances on all possible executions under a given input. Symbolic analysis infers alternative interleavings of an executed trace that cover new tainted instances, and computes thread schedules that guide future executions. Guided execution explores new execution traces that drive future symbolic analysis. We have implemented a prototype as part of an educational tool that teaches secure C programming, where accuracy is more critical than efficiency. To the best of our knowledge, DSTAM is the first algorithm that addresses the challenge of taint analysis for multithreaded program under fixed inputs.

The Propagation Strategy Model of Taint Analysis

The taint propagation strategy is the core of the taint analysis technology. When the taint analysis toolsanalyses the target program, it needs to mark the target data according to the formulatedtaint propagation strategy. Formulating a reasonable strategy for taint propagation can effectively improve the accuracy of taint analysis. There are two difficulties in developing the taint propagation strategy, namely, alias analysis in static taint analysis and indirect jump in dynamic taint analysis. In our paper, we propose a taint propagation strategy at the intermediate representation language level, which can effectively improve the accuracy of taint propagation.

TaintMan: An ART-Compatible Dynamic Taint Analysis Framework on Unmodified and Non-Rooted Android Devices

Dynamic taint analysis (DTA), as a mainstream information flow tracking technique, has been widely used in mobile security. On the Android platform, the existing DTA approaches are typically implemented by instrumenting the Dalvik virtual machine (DVM) interpreter or the Android emulator with taint enforcement code. The most prominent problem of the interpreter-based approaches is that they cannot work in the new Android RunTime (ART) environment introduced since the 5.0 release. For the emulator-based approaches, the most prominent problem is that they cannot be deployed on real devices. In addition, almost all the existing Android DTA approaches only concern the explicit information flow caused by data dependence, while completely ignore the impact of implicit information flow caused by control dependence. These problems limit their adoption in the latest Android system and make them ineffective in detecting the state-of-the-art malware whose privacy-breaching behaviors are inactivated in the analyzed environment (e.g., the emulator) or conducted via implicit information flow. In this paper, we present TaintMan, an ART-compatible DTA framework that can be deployed on unmodified and non-rooted Android devices. In TaintMan, the taint enforcement code is statically instrumented into both the target application and the system class libraries to track data flow and common control flow. A specially designed execution environment reconstruction technique, named reference hijacking, is proposed to force the target application to reference the instrumented system class libraries. By enforcing on-demand instrumentation and on-demand tracking, the performance overhead is significantly reduced. We have developed TaintMan and deployed it on two popular stock smartphones (HTC One S equipped with Android-4.0 and Motorola MOTO G equipped with Android-5.0). The evaluation with malware samples and real-world applications shows that TaintMan can effectively detect privacy leakage behaviors with an acceptable performance overhead.

Lightweight and Efficient Hypervisor-Based Dynamic Binary Instrumentation and Analysis Method

At present, various vulnerabilities and malicious programs are still constantly threatening the system security, and in-depth analysis of legitimate applications and malicious code is an important link of security defense under the current security situation. Dynamic binary analysis is the important method in the field of binary analysis, and after years of research and development, many valuable results have been achieved, and some mature tools generated have been widely used in practice. But it still faces multiple challenges in terms of analysis efficiency, deployment, and the impact on the target program. Based on the existing research, this article proposes a new lightweight hypervisor-based dynamic binary instrumentation method, which uses the virtualization features of new processors to perform transparent and efficient execution interception of the target program, so that it can instrument the target program and redirect the original execution. To take full advantage of the interception solution, we further present a compact inline dynamic taint analysis method that enables fine-grained data flow analysis of the target program with multiple processes and kernel modules. Experiments in the real environment show that the proposed method is effective and efficient in the binary instrumentation and analysis, it can achieve a good balance in analysis performance, availability and stealthiness, and can be applied to the practical analysis scenarios.

Polar

Industrial Control System (ICS) protocols are widely used to build communications among system components. Compared with common internet protocols, ICS protocols have more control over remote devices by carrying a specific field called “function code”, which assigns what the receive end should do. Therefore, it is of vital importance to ensure their correctness. However, traditional vulnerability detection techniques such as fuzz testing are challenged by the increasing complexity of these diverse ICS protocols. In this paper, we present a function code aware fuzzing framework — Polar, which automatically extracts semantic information from the ICS protocol and utilizes this information to accelerate security vulnerability detection. Based on static analysis and dynamic taint analysis, Polar initiates the values of the function code field and identifies some vulnerable operations. Then, novel semantic aware mutation and selection strategies are designed to optimize the fuzzing procedure. For evaluation, we implement Polar on top of two popular fuzzers — AFL and AFLFast, and conduct experiments on several widely used ICS protocols such as Modbus, IEC104, and IEC 61850. Results show that, compared with AFL and AFLFast, Polar achieves the same code coverage and bug detection numbers at the speed of 1.5X-12X. It also gains increase with 0%--91% more paths within 24 hours. Furthermore, Polar has exposed 10 previously unknown vulnerabilities in those protocols, 6 of which have been assigned unique CVE identifiers in the US National Vulnerability Database.

A Multigranularity Forensics and Analysis Method on Privacy Leakage in Cloud Environment

The problem of cloud forensics aims at processing multidimensional, massive, and heterogeneous data to collect and recover evidence in cloud environment. Existing approaches focus on excavating all suspicious behaviors from data and ignore privacy leakage details and behavioral characteristics. In order to conduct privacy leakage analysis in cloud specifically, we propose a multigranularity privacy leakage forensics method to analyze privacy violations caused by malware in cloud environment. By simulating the target virtual machine environment, our method can detect privacy leakage behaviors of malware without touching user’s privacy data. We combine continuous RAM mirroring technology and dynamic taint analysis to assist the forensics investigation. To demonstrate the efficacy and utility of our method, we evaluate its performance with some real-world malware samples by comparing with some state-of-the-art malware analysis systems. Experimental results indicate that our method can identify more privacy leakage paths and behaviors.

NDroid: Toward Tracking Information Flows Across Multiple Android Contexts

For performance and compatibility reasons, developers tend to use native code in their applications (or simply apps). This makes a bidirectional data flow through multiple contexts, i.e., the Java context and the native context, in Android apps. Unfortunately, this interaction brings serious challenges to existing dynamic analysis systems, which fail to capture the data flow across different contexts. In this paper, we first performed a large-scale study on apps using native code and reported some observations. Then, we identified several scenarios where data flow cannot be tracked by existing systems, leading to uncaught information leakage. Based on these insights, we designed and implemented NDroid , an efficient dynamic taint analysis system that could track the data flow between both Java context and native context. The evaluation of real apps demonstrated the effectiveness of NDroid in identifying information leakage with reasonable performance overhead.

NeuralTaint: A Key Segment Marking Tool Based on Neural Network

Dynamic taint analysis techniques are a popular dynamic software analysis method. Marking a key segment of program function by dynamic taint analysis is an important part of software vulnerability research. Key segment marking usually related to the control flow taint analysis, however, several specific program structure may cause failure in key segment marking due to the control flow dependence, and overtainting and undertainting problem. In this paper, we proposed a novel method to mark a key segment accurately and efficiently with deep learning technology. Firstly, we fit the program function execution into a continuous function by the convoluntional network, and then mark the key segment roughly through derivative information of fitted nerual network. Finally, we mark the key segment of specific program function completely and accurately by filtering and diffusion algorithm. We developed the key segment marking tool NeuralTaint on this principle. We design an experiment to select the specific neural network structure of NeuralTaint. Our extensive evaluations demonstrate that NeuralTaint significantly outperforms the two state-of-the-art traditional dynamic taint analysis tool on seven popular real-world programs.

A Dynamic Taint Analysis Framework Based on Entity Equipment

With the development of the Internet of Things, the security of embedded device has received extensive attention. Taint analysis technology can improve the understanding of the firmware program operating mechanism and improve the effectiveness of security analysis. It is an important method in security analysis. Traditional taint analysis of embedded device firmware requires complex pre-preparation work, setting up a virtual operating environment. Those security analysts have to invest a lot of time and effort in this work, and the results are usually unsatisfactory. In this paper, we propose a dynamic taint analysis method based on entity equipment. The core idea of our approach is to divide the taint analysis into two parts: the simulation analysis on the host and the real execution on the entity equipment. Since one of the features of our method is based on entity equipment, there is no need to build a dedicated virtual environment. Another feature is that the tested firmware program runs on entity equipment and can ensure the accuracy of the analysis by comparing the results of the taint analysis with the device firmware run-time information. We implement a prototype system and verified the effectiveness of the method, which can perform taint analysis on multiple architecture embedded firmware programs and detect vulnerabilities such as stack overflow, heap overflow and so on. Finally, we verify our prototype with a test case to effectively detect vulnerabilities in the firmware program. And we evaluate the performance of the prototype, compared with PANDA, the time overhead of our prototype is reduced by 5.9%.

OFFDTAN: A New Approach of Offline Dynamic Taint Analysis for Binaries

Dynamic taint analysis is a powerful technique for tracking the flow of sensitive information. Different approaches have been proposed to accelerate this process in an online or offline manner. Unfortunately, most of these approaches still have performance bottlenecks and thus reduce analytical efficiency. To address this limitation, we present OFFDTAN, a new approach of offline dynamic taint analysis for binaries. OFFDTAN can be described in terms of four stages: dynamic information acquisition, vulnerability modeling, offline analysis, and backtrace analysis. It first records program runtime information and models the stack buffer overflow vulnerabilities and controlled jump vulnerabilities. Then it performs offline analysis and backtrace analysis to locate vulnerabilities. We implement OFFDTAN on the basis of QEMU virtual machine and apply it to off-the-shelf applications. In order to illustrate how our approach works, we first employ a case study. Furthermore, six applications have been verified so as to evaluate our approach. Experimental results demonstrate that our approach is correct and effective. Compared with other offline analysis tools, OFFDTAN has much lower application runtime overhead.

Unix Domain Sockets Applied in Android Malware Should Not Be Ignored

Increasingly, malicious Android apps use various methods to steal private user data without their knowledge. Detecting the leakage of private data is the focus of mobile information security. An initial investigation found that none of the existing security analysis systems can track the flow of information through Unix domain sockets to detect the leakage of private data through such sockets, which can result in zero-day exploits in the information security field. In this paper, we conduct the first systematic study on Unix domain sockets as applied in Android apps. Then, we identify scenarios in which such apps can leak private data through Unix domain sockets, which the existing dynamic taint analysis systems do not catch. Based on these insights, we propose and implement JDroid, a taint analysis system that can track information flows through Unix domain sockets effectively to detect such privacy leaks.

Semantic-integrated software watermarking with tamper-proofing

The existing works of software watermarking have the intrinsic defects: watermarking is independent of program semantics and have weak strength and resilience to state-of-the-art reverse engineering such as symbolic execution, dynamic taint analysis and theorem proving. In this paper, we propose a semantic-integrated watermarking with tamper-proofing to mitigate such problems. This work chooses neural network as the “integrator” and skillfully integrates the watermarking and tamper-proofing module into program semantics. The difficult of reverse engineering or tampering with watermarked program is equal to extracting the rules from neural networks, which had be proven as a NP-hard problem. We have deployed our work in SPECint-2006 benchmarks to evaluate the overhead, strength and resilience. Experiment results show that our watermarking could effectively resist the state-of-the-art reverse engineering, and the introduced overhead is acceptable.

A malware detection method based on family behavior graph

Graph-based malware detection methods must build a behavior graph for each known malware, and they are difficult to apply in practice. To solve this issue, we study how to build a common behavior graph for each malware family. We represent malware behaviors as dependency graphs. To find the dependency relations between system calls, we use a dynamic taint analysis technique to mark the system call parameters with taint tags, and we then build the system call dependency graph by tracing the propagation of the taint data. Based on the dependency graphs of malware samples, we propose an algorithm to extract the common behavior graph, which is used to represent the behavioral features of a malware family. Finally, a graph matching algorithm that is based on the maximum weight subgraph is used to detect malicious code. The experimental results show that the proposed method has a high detection rate and a low false positive rate and can detect malware variants.