Abstract
A type-based dynamic taint analysis (DTA) was developed to equip binary-level analyses with semantic information for detecting software vulnerabilities. The system marks input variables as tainted and attaches types and symbolic values to the taints as attributes. Type information from functions and instructions is used to track the propagation of tainted variables. Type-aware taint propagation and type-oriented forward symbolic execution produce the propagation maps of the tainted variables and the path conditions, from which the desired constraints on the inputs are calculated. The system thus knows how the input variables propagate in the data flow as well as how they affect the control flow, which leads to a better understanding of the vulnerability semantics. The technique is applied here to analyze a browser-based vulnerability: dynamic binary instrumentation injects the analysis code into the target process so that tainting can be analyzed at run time. The detection checks whether the process uses the tainted data illegally, and the result is combined with symbolic execution to calculate the input constraints. Both the data-flow and the control-flow dependency information embedded in the vulnerability signatures can then be identified. Tests on seven known vulnerabilities show that the typed DTA significantly improves the semantics available for analyzing vulnerability mechanisms and produces more comprehensible and usable vulnerability signatures.
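The following is an added illustration, not code from the paper, of the mechanism the abstract describes: a toy taint tracker over a three-address instruction trace in which every taint carries a type attribute and a symbolic expression, tainted operands propagate through arithmetic with a constructed type-widening rule, tainted comparisons record path constraints, and a tainted value used as a jump target or store address is reported. The instruction set (`mov`, `add`, `mul`, `cast`, `jb`, `jmp`, `store`), the register names, the type ranks and the sample trace are all assumptions made for the example.

```python
"""Toy type-aware dynamic taint analysis with forward symbolic execution.

Added example, not the paper's implementation. Each tainted register carries
a type attribute and a symbolic expression over input symbols; the checker
reports tainted data reaching a control-transfer target or a store address
and collects path constraints from tainted comparisons.
"""
from dataclasses import dataclass, field
import operator


@dataclass
class Taint:
    type_: str   # type attribute attached to the taint, e.g. "u8", "u32", "ptr"
    sym: str     # symbolic expression over the input symbols


@dataclass
class State:
    regs: dict = field(default_factory=dict)     # register -> concrete value
    taints: dict = field(default_factory=dict)   # register -> Taint or None
    path_conds: list = field(default_factory=list)
    alerts: list = field(default_factory=list)


ARITH = {"add": (operator.add, "+"), "mul": (operator.mul, "*")}
# Constructed widening ranks: the result of an arithmetic op takes the widest operand type.
TYPE_RANK = {"u8": 1, "u16": 2, "u32": 4, "ptr": 4}


def _val(st, x):
    return st.regs[x] if isinstance(x, str) else x


def _taint(st, x):
    return st.taints.get(x) if isinstance(x, str) else None


def _sym(st, x):
    t = _taint(st, x)
    return t.sym if t else str(_val(st, x))


def _type(st, x):
    t = _taint(st, x)
    return t.type_ if t else "u32"   # untainted operands default to register width (assumption)


def run(trace, inputs):
    """Execute a trace; inputs maps register -> (value, type, symbol) for tainted inputs."""
    st = State()
    for reg, (val, ty, sym) in inputs.items():
        st.regs[reg] = val
        st.taints[reg] = Taint(ty, sym)
    for ins in trace:
        op = ins[0]
        if op == "mov":                      # mov dst, src: copy value and taint
            _, dst, src = ins
            st.regs[dst] = _val(st, src)
            st.taints[dst] = _taint(st, src)
        elif op in ARITH:                    # add/mul dst, a, b
            _, dst, a, b = ins
            fn, glyph = ARITH[op]
            tainted = bool(_taint(st, a) or _taint(st, b))
            sym = f"({_sym(st, a)} {glyph} {_sym(st, b)})"   # build symbol before dst is overwritten
            ty = max((_type(st, a), _type(st, b)), key=TYPE_RANK.__getitem__)
            st.regs[dst] = fn(_val(st, a), _val(st, b)) & 0xFFFFFFFF
            st.taints[dst] = Taint(ty, sym) if tainted else None
        elif op == "cast":                   # cast dst, src, type: retype, keep the symbol
            _, dst, src, ty = ins
            t = _taint(st, src)
            st.regs[dst] = _val(st, src)
            st.taints[dst] = Taint(ty, t.sym) if t else None
        elif op == "jb":                     # jb a, b: branch if a < b; tainted compare -> constraint
            _, a, b = ins
            if _taint(st, a) or _taint(st, b):
                cond = f"{_sym(st, a)} < {_sym(st, b)}"
                taken = _val(st, a) < _val(st, b)
                st.path_conds.append(cond if taken else f"not({cond})")
        elif op == "jmp":                    # jmp reg: indirect control transfer
            _, target = ins
            t = _taint(st, target)
            if t:
                st.alerts.append(f"jump target {target} is tainted ({t.type_}): {t.sym}")
        elif op == "store":                  # store [addr], src: tainted address is illegal use
            _, addr, _src = ins
            t = _taint(st, addr)
            if t:
                st.alerts.append(f"store address {addr} is tainted ({t.type_}): {t.sym}")
        else:
            raise ValueError(f"unknown op {op}")
    return st


# Constructed sample: an untrusted byte in ecx is scaled and added to a table base,
# then used as an indirect jump target after a bounds check that a u8 always passes.
SAMPLE_TRACE = [
    ("jb", "ecx", 256),
    ("mul", "eax", "ecx", 4),
    ("add", "eax", "eax", 0x401000),
    ("cast", "eax", "eax", "ptr"),
    ("jmp", "eax"),
]
SAMPLE_INPUTS = {"ecx": (40, "u8", "in0")}

# Constructed benign trace: the jump target never depends on input.
SAFE_TRACE = [("mov", "eax", 0x401000), ("jmp", "eax")]

if __name__ == "__main__":
    st = run(SAMPLE_TRACE, SAMPLE_INPUTS)
    print("path conditions:", st.path_conds)
    print("eax taint:", st.taints["eax"])
    print("alerts:", st.alerts)
```

The symbolic expression attached to `eax` together with the recorded path condition is the kind of data/control-flow dependency pair that the abstract calls a vulnerability signature: it states which input symbol reaches the control transfer, through which arithmetic, and under which branch condition.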
| Original language | English (US) |
|---|---|
| Pages (from-to) | 1320-1328+1334 |
| Journal | Qinghua Daxue Xuebao/Journal of Tsinghua University |
| Volume | 52 |
| Issue number | 10 |
| State | Published - Oct 2012 |
| Externally published | Yes |
Keywords
- Dynamic taint analysis (DTA)
- Software vulnerabilities
- Symbolic execution
- Taint propagation
- Type information
- Vulnerability signatures
ASJC Scopus subject areas
- Engineering(all)
- Computer Science Applications
- Applied Mathematics