3. Dytan:
A Generic Dynamic Taint
Analysis Framework
James Clause,Wanchun (Paul) Li,
and Alessandro Orso
College of Computing
Georgia Institute of Technology
Partially supported by:
NSF awards CCF-0541080 and CCR-0205422 to Georgia Tech,
DHS and US Air Force Contract No. FA8750-05-2-0214
4. Dytan:
A Generic Dynamic Taint
Analysis Framework
James Clause,Wanchun (Paul) Li,
and Alessandro Orso
College of Computing
Georgia Institute of Technology
Partially supported by:
NSF awards CCF-0541080 and CCR-0205422 to Georgia Tech,
DHS and US Air Force Contract No. FA8750-05-2-0214
Muteki Kōjin Daitān 3
(Invincible Steel Man Daitarn 3)
120 meters
800 tons
Megaborg
Fighting
Anime
Robot
10. Dynamic tainting applications
Information policy enforcement
Attack detection / prevention
Testing
Data lifetime / scope
Attack detection / prevention
Detect / prevent attacks such as SQL injection, buffer overruns,
stack smashing, cross site scripting
e.g., Suh et al. 04, Newsome and Song 05,
Halfond et al. 06, Kong et al. 06, Qin et al. 06
11. Dynamic tainting applications
Information policy enforcement
Attack detection / prevention
Testing
Data lifetime / scope
Information policy enforcement
ensure classified information does not leak outside the system
e.g.,Vachharajani et al. 04, McCamant and Ernst 06
12. Dynamic tainting applications
Information policy enforcement
Attack detection / prevention
Testing
Data lifetime / scope
Testing
Coverage metrics, test data generation heuristic, ...
e.g., Masri et al 05, Leek et al. 07
13. Dynamic tainting applications
Information policy enforcement
Attack detection / prevention
Testing
Data lifetime / scopeData lifetime / scope
track how long sensitive data, such as passwords or account
numbers, remain in the application
e.g., Chow et al. 04
30. if(X) {
C = A + B;
}
Propagation policy
Affecting data:
control dependence
Mapping function:
data dependence
union
max
...
31. 3
if(X) {
C = A + B;
}
1 2
Propagation policy
Affecting data:
control dependence
Mapping function:
data dependence
union
max
...
32. 3
if(X) {
C = A + B;
}
1 2
Propagation policy
Affecting data:
control dependence
Mapping function:
data dependence✔
union
max
...
33. 3
if(X) {
C = A + B;
}
1 2
Propagation policy
Affecting data:
control dependence
Mapping function:
data dependence✔
union
max
...
34. 3
if(X) {
C = A + B;
}
1 2
Propagation policy
Affecting data:
control dependence
Mapping function:
data dependence✔
union
max
✔
...
35. 3
if(X) {
C = A + B;
}
1 2
Propagation policy
Affecting data:
control dependence
Mapping function:
data dependence✔
union
max
✔
1 2
...
36. 3
if(X) {
C = A + B;
}
1 2
Propagation policy
Affecting data:
control dependence
Mapping function:
data dependence
union
max
...
37. 3
if(X) {
C = A + B;
}
1 2
Propagation policy
Affecting data:
control dependence
Mapping function:
data dependence
union
max
✔
✔
...
38. 3
if(X) {
C = A + B;
}
1 2
Propagation policy
Affecting data:
control dependence
Mapping function:
data dependence
union
max
✔
✔
...
39. 3
if(X) {
C = A + B;
}
1 2
Propagation policy
Affecting data:
control dependence
Mapping function:
data dependence
union
max
✔
✔
✔
...
40. 3
if(X) {
C = A + B;
}
1 2
Propagation policy
Affecting data:
control dependence
Mapping function:
data dependence
union
max
✔
✔
✔
3
...
41. Taint Sinks
Where / what to check:
How to check:
Result:
cmd = read(file);
args = read(socket);
cmd = trim(cmd + args);
...
tok[] = parse(cmd);
exec(tok[0], tok[1]);
42. Taint Sinks
Where / what to check:
How to check:
Result:
cmd = read(file);
args = read(socket);
cmd = trim(cmd + args);
...
tok[] = parse(cmd);
exec(tok[0], tok[1]);
2
43. Taint Sinks
Where / what to check:
How to check:
Result:
cmd = read(file);
args = read(socket);
cmd = trim(cmd + args);
...
tok[] = parse(cmd);
exec(tok[0], tok[1]);
2
3
44. Taint Sinks
function: exec, param: 0
Where / what to check:
How to check:
Result:
cmd = read(file);
args = read(socket);
cmd = trim(cmd + args);
...
tok[] = parse(cmd);
exec(tok[0], tok[1]);
2
3
45. validate presence of:
validate absence of:
Taint Sinks
function: exec, param: 0
Where / what to check:
How to check:
Result:
cmd = read(file);
args = read(socket);
cmd = trim(cmd + args);
...
tok[] = parse(cmd);
exec(tok[0], tok[1]);
2
3
2
3
46. validate presence of:
validate absence of:
Taint Sinks
function: exec, param: 0
Where / what to check:
How to check:
Result:
cmd = read(file);
args = read(socket);
cmd = trim(cmd + args);
...
tok[] = parse(cmd);
exec(tok[0], tok[1]);
2
3
2
3
2 3
47. validate presence of:
validate absence of:
Taint Sinks
function: exec, param: 0
Where / what to check:
How to check:
Result:
cmd = read(file);
args = read(socket);
cmd = trim(cmd + args);
...
tok[] = parse(cmd);
exec(tok[0], tok[1]);
✘
2
3
2
3
2 3
48. • Used Dytan to re-implement existing dynamic
tainting techniques
• Overwrite attack detection [Qin et al. 04]
• SQL injection detection [Halfond et al. 06]
• Measure implementation time
• Validate against original implementation
INITIAL EVALUATION
49. • Used Dytan to re-implement existing dynamic
tainting techniques
• Overwrite attack detection [Qin et al. 04]
• SQL injection detection [Halfond et al. 06]
• Measure implementation time
• Validate against original implementation
INITIAL EVALUATION
Flexible
Easy to use
Accurate
Expensive
50. CONTRIBUTIONS
• The definition of a generic framework for
dynamic taint analysis
• A tool, DYTAN, that implements our framework
for x86 Linux executables
• A set of studies that provide initial evidence of
the framework's generality, applicability, and
potential usefulness of prototyping different
dynamic taint analyses
56. INTERNAL
IMPROVING ORACLE QUALITY BY
DETECTING BRITTLE ASSERTIONS
AND UNUSED INPUTS IN TESTS
Chen Huo and James Clause
University of Delaware
57. INTERNAL
IMPROVING ORACLE QUALITY BY
DETECTING BRITTLE ASSERTIONS
AND UNUSED INPUTS IN TESTS
Chen Huo and James Clause
University of Delaware
58. REVIEWERS
“Overall, I like this paper. It is clear, well-written,
and it has clear contributions. I can see it inspiring
research on dynamic information flow.”
“Overall, this is an OK paper, but
it could be a much better one.”
“The strongest piece of the paper for me is the
comparison between different taint flow policies.”
“One nice aspect of the work is that it addresses
control-flow based implicit information flow.”
(Some excerpts)
60. AUDIENCE
What is the performance compared to ad-hoc tools?
—Elaine Weyuker
Can you implement chopping?
—Mark Harman
Are there opportunities for optimization?
What is the relation between tainting and dynamic slicing?
—Atanas (Nasko) Rountev
(Questions, paraphrased)
Is is possible to implement information flow from input to output,
checking to see what input reaches an output?
—Andy Podgurski
73. VENUE FREQUENCY
(In Proceedings and Articles)
0 100 200
# Citations
Venue
Type
Security
Software Engineering
General CS
Networking
Systems
Programming Languages
Architecture
Artificial Intelligence
Databases
75. CITED, SURE, BUT HOW?
• Generic dynamic tainting reference
(in different areas)
76. CITED, SURE, BUT HOW?
• Generic dynamic tainting reference
(in different areas)
• Point of comparison
(often in terms of performance)
77. CITED, SURE, BUT HOW?
• Generic dynamic tainting reference
(in different areas)
• Point of comparison
(often in terms of performance)
• Technique to extend, improve, or port
• Adding support for multi-threading
• Increasing efficiency (static analysis, offline analysis,
parallelization on multicores, better handling of implicit
control flow, …)
• Porting to Windows,Android, and other platforms
85. FINAL REMARKS
• Why was Dytan a successful effort?
• Name :-)
• Combination and adaptation of latest and greatest techniques
(standing on the shoulders of giants)
• Timely
• Available (albeit not widely)
86. FINAL REMARKS
• Why was Dytan a successful effort?
• Name :-)
• Combination and adaptation of latest and greatest techniques
(standing on the shoulders of giants)
• Timely
• Available (albeit not widely)
• Takeaway message
87. FINAL REMARKS
• Why was Dytan a successful effort?
• Name :-)
• Combination and adaptation of latest and greatest techniques
(standing on the shoulders of giants)
• Timely
• Available (albeit not widely)
• Takeaway message
• Build tools that implement your techniques
• Make them available
• Maintain and improve them (within reason)
• The community must support and reward that!