SlideShare a Scribd company logo

Taint-based Dynamic Analysis (CoC Research Day 2009)

James Clause, profile picture
James Clause

This document discusses taint-based dynamic analysis and leak detection. It provides an overview of how taint analysis works by assigning taint marks to tracked values, propagating those marks as values are operated on, and checking the taint marks to detect issues. It then discusses applications of taint analysis like attack prevention, information flow monitoring, testing, and detecting memory errors and leaks. Finally, it dives deeper into how leak detection specifically tracks pointers to allocated memory and reports errors if a pointer's taint mark reaches zero but the memory has not been freed.

Technology
1 of 40
Downloaded 20 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Taint-based Dynamic Analysis CoC Research Day - 9/25/2009 Designed at Apple in California; assembled at GeorgiaTech
Dynamic Tainting Overview C A B Z
Dynamic Tainting Overview 1 Assign taint marks C A B Z
Dynamic Tainting Overview 1 Assign taint marks C A B 312 Z
Dynamic Tainting Overview 1 Assign taint marks 2 Propagate taint marks C A B 312 Z
Dynamic Tainting Overview 1 Assign taint marks 2 Propagate taint marks C A B 312 Z
Dynamic Tainting Overview 1 Assign taint marks 3 Check taint marks 2 Propagate taint marks C A B 312 Z
Dynamic Tainting Overview 1 Assign taint marks 3 Check taint marks 2 Propagate taint marks C A B 312 Z C A B 312 Z 3
Dynamic Tainting Applications Attack detection / prevention Information policy enforcement Testing Memory errors Data lifetime
Dynamic Tainting Applications Attack detection / prevention Prevent stack smashing, SQL injection, buffer overruns, etc. Attack detection / prevention Information policy enforcement Testing Memory errors Data lifetime
Dynamic Tainting Applications Information policy enforcement ensure classified information does not leave the system Attack detection / prevention Information policy enforcement Testing Memory errors Data lifetime
Dynamic Tainting Applications Testing Coverage metrics, test data generation heuristic, etc. ✔/✘ Attack detection / prevention Information policy enforcement Testing Memory errors Data lifetime
Dynamic Tainting Applications Attack detection / prevention Information policy enforcement Testing Data lifetime track how long sensitive data remains in an application Memory errors Data lifetime
Dynamic Tainting Applications Attack detection / prevention Information policy enforcement Testing Memory errors Detect illegal memory access, leak detection, etc. Memory errors Data lifetime
Dynamic Tainting Applications Attack detection / prevention Information policy enforcement Testing Memory errors Detect illegal memory access, leak detection, etc.leak detection Memory errors Data lifetime
addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy
addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy
addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy; fixing them is not
Discover where the last pointer to un-freed memory is lost Leak Detection Overview
Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 1 1 1 Discover where the last pointer to un-freed memory is lost Leak Detection Overview
Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 1 1 1 Discover where the last pointer to un-freed memory is lost Leak Detection Overview # of pointers tainted with this color
Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 1 1 1 Discover where the last pointer to un-freed memory is lost Leak Detection Overview
Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 2 1 1 1 1 2 2 2 1 1 2 2 Discover where the last pointer to un-freed memory is lost Leak Detection Overview
Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 2 1 1 1 1 2 2 2 1 1 2 2 In general propagation follows standard pointer arithmetic rules Discover where the last pointer to un-freed memory is lost Leak Detection Overview
Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 2 3 1 1 1 1 2 2 2 1 1 2 2 In general propagation follows standard pointer arithmetic rules Discover where the last pointer to un-freed memory is lost Leak Detection Overview
addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy
46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); delHtab() { 15. int i; 16. HASHPTR hptr , zapptr; 17. for(i = 0; i < 3001; i++) { 18. hptr = hashtab[i]; 19. if(hptr != (HASHPTR) NULL) { 20. zapptr = hptr ; 21. while(hptr->hnext != (HASHPTR) NULL) { 22.! ! hptr = hptr->hnext; 23.! ! free(zapptr); 24.! ! zapptr = hptr ; 25.! ! } 26.! ! free(hptr); 27.! } 28. }! 29. free(hashtab); 30. return; } Detecting leaks is easy
46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); Detecting leaks is easy; fixing them is, too delHtab() { 15. int i; 16. HASHPTR hptr , zapptr; 17. for(i = 0; i < 3001; i++) { 18. hptr = hashtab[i]; 19. if(hptr != (HASHPTR) NULL) { 20. zapptr = hptr ; 21. while(hptr->hnext != (HASHPTR) NULL) { 22.! ! hptr = hptr->hnext; 23.! ! free(zapptr); 24.! ! zapptr = hptr ; 25.! ! } 26.! ! free(hptr); 27.! } 28. }! 29. free(hashtab); 30. return; }
46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); Detecting leaks is easy; fixing them is, too delHtab() { 15. int i; 16. HASHPTR hptr , zapptr; 17. for(i = 0; i < 3001; i++) { 18. hptr = hashtab[i]; 19. if(hptr != (HASHPTR) NULL) { 20. zapptr = hptr ; 21. while(hptr->hnext != (HASHPTR) NULL) { 22.! ! hptr = hptr->hnext; 23.! ! free(zapptr); 24.! ! zapptr = hptr ; 25.! ! } 26.! ! free(hptr); 27.! } 28. }! 29. free(hashtab); 30. return; } free(hptr->hname)
Leakpoint implementation
Leakpoint implementation Pointer to memory area 0x1C93AC0 (16 bytes) allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227)
Leakpoint implementation Pointer to memory area 0x1C93AC0 (16 bytes) allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227)
Leakpoint implementation Pointer to memory area 0x1C93AC0 (16 bytes) allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227)
Evaluation
Evaluation Transmission
Evaluation Transmission Locations identified by Leakpoint correspond to where the leaks were fixed by developers.
Evaluation Transmission Also found thousands of leaks in the SPEC INT benchmarks Locations identified by Leakpoint correspond to where the leaks were fixed by developers.
static void processCompletedTasks(tr_web *web) { ... task->done_func(web->session, ..., task->done_func_user_data); ... evbuffer_free(task->response); tr_free(task->url); tr_free(task); ... } static void invokeRequest(void * vreq) { ... hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH); memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH); tr_webRun(req->session, req->url, req->done_func, hash); ... } static void onStoppedResponse(tr_session *session, ..., void *torrent_hash) { dbgmsg(NULL, "got a response ... message"); // tr_free(torrent_hash); onReqDone(session); }
Overhead Powerful but expensive 50 - 100x overheads are common • Execution time is completely automated • Developers have to think less
Questions?

More Related Content

PDF
Leakpoint: Pinpointing the Causes of Memory Leaks (ICSE 2010)
James Clause
 
PPT
03
moodle_annotation
 
PPTX
Самые вкусные баги из игрового кода: как ошибаются наши коллеги-программисты ...
DevGAMM Conference
 
DOC
Knight's Tour
Veysi Ertekin
 
PPTX
Как работает LLVM бэкенд в C#. Егор Богатов ➠ CoreHard Autumn 2019
corehard_by
 
PPTX
Basic C++ 11/14 for Python Programmers
Appier
 
PDF
Program Language - Fall 2013
Yun-Yan Chi
 
PPSX
Ch11.2&3(1)
emilyharu
 
Leakpoint: Pinpointing the Causes of Memory Leaks (ICSE 2010)
James Clause
 
03
moodle_annotation
 
Самые вкусные баги из игрового кода: как ошибаются наши коллеги-программисты ...
DevGAMM Conference
 
Knight's Tour
Veysi Ertekin
 
Как работает LLVM бэкенд в C#. Егор Богатов ➠ CoreHard Autumn 2019
corehard_by
 
Basic C++ 11/14 for Python Programmers
Appier
 
Program Language - Fall 2013
Yun-Yan Chi
 
Ch11.2&3(1)
emilyharu
 

What's hot (9)

PDF
MongoDB Analytics
datablend
 
PDF
The Ring programming language version 1.8 book - Part 66 of 202
Mahmoud Samir Fayed
 
PDF
The Art Of Parsing @ Devoxx France 2014
Dinesh Bolkensteyn
 
PDF
Gabriele Lana - The Magic of Elixir
Codemotion
 
PDF
Improved Security Proof for the Camenisch- Lysyanskaya Signature-Based Synchr...
MASAYUKITEZUKA1
 
PDF
A Taste of Python - Devdays Toronto 2009
Jordan Baker
 
PDF
Php radomize
do_aki
 
PPTX
How to add an optimization for C# to RyuJIT
Egor Bogatov
 
PDF
Programming with GUTs
Kevlin Henney
 
MongoDB Analytics
datablend
 
The Ring programming language version 1.8 book - Part 66 of 202
Mahmoud Samir Fayed
 
The Art Of Parsing @ Devoxx France 2014
Dinesh Bolkensteyn
 
Gabriele Lana - The Magic of Elixir
Codemotion
 
Improved Security Proof for the Camenisch- Lysyanskaya Signature-Based Synchr...
MASAYUKITEZUKA1
 
A Taste of Python - Devdays Toronto 2009
Jordan Baker
 
Php radomize
do_aki
 
How to add an optimization for C# to RyuJIT
Egor Bogatov
 
Programming with GUTs
Kevlin Henney
 
Ad

Similar to Taint-based Dynamic Analysis (CoC Research Day 2009) (20)

PPTX
Memory protection using dynamic tainting
USERAAPKA
 
PDF
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)
James Clause
 
PDF
Effective Memory Protection Using Dynamic Tainting (ASE 2007)
James Clause
 
PPTX
C++ memory leak detection
Võ Hòa
 
PDF
Better Embedded 2013 - Detecting Memory Leaks with Valgrind
Rigels Gordani
 
PDF
Debugging tools
Matteo Virgilio
 
PDF
Memory Management and Leaks in Postgres from pgext.day 2025
Phil Eaton
 
PDF
Safe Clearing of Private Data
PVS-Studio
 
PDF
Software Design: Impact of Memory Usage (Copying, Cloning and Aliases)
Adair Dingle
 
PDF
20140531 serebryany lecture02_find_scary_cpp_bugs
Computer Science Club
 
DOCX
Valgrind debugger Tutorial
Anurag Tomar
 
PPT
Automatically Tolerating And Correcting Memory Errors
Emery Berger
 
PPT
Security related security analyst ppt.ppt
MubeenaBegum11
 
PDF
How to Perform Memory Leak Test Using Valgrind
RapidValue
 
PDF
Valgrind tutorial
Satabdi Das
 
PDF
Yandex may 2013 a san-tsan_msan
Yandex
 
PDF
Yandex may 2013 a san-tsan_msan
Yandex
 
PDF
Yandex may 2013 a san-tsan_msan
Yandex
 
PDF
Efficient and linear static approach for finding the memory leak in C
IJECEIAES
 
PDF
Memory Leak Debuging in the Semi conductor Hardwares
Karthick Rajagopal
 
Memory protection using dynamic tainting
USERAAPKA
 
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)
James Clause
 
Effective Memory Protection Using Dynamic Tainting (ASE 2007)
James Clause
 
C++ memory leak detection
Võ Hòa
 
Better Embedded 2013 - Detecting Memory Leaks with Valgrind
Rigels Gordani
 
Debugging tools
Matteo Virgilio
 
Memory Management and Leaks in Postgres from pgext.day 2025
Phil Eaton
 
Safe Clearing of Private Data
PVS-Studio
 
Software Design: Impact of Memory Usage (Copying, Cloning and Aliases)
Adair Dingle
 
20140531 serebryany lecture02_find_scary_cpp_bugs
Computer Science Club
 
Valgrind debugger Tutorial
Anurag Tomar
 
Automatically Tolerating And Correcting Memory Errors
Emery Berger
 
Security related security analyst ppt.ppt
MubeenaBegum11
 
How to Perform Memory Leak Test Using Valgrind
RapidValue
 
Valgrind tutorial
Satabdi Das
 
Yandex may 2013 a san-tsan_msan
Yandex
 
Yandex may 2013 a san-tsan_msan
Yandex
 
Yandex may 2013 a san-tsan_msan
Yandex
 
Efficient and linear static approach for finding the memory leak in C
IJECEIAES
 
Memory Leak Debuging in the Semi conductor Hardwares
Karthick Rajagopal
 
Ad

More from James Clause (11)

PDF
Investigating the Impacts of Web Servers on Web Application Energy Usage (GRE...
James Clause
 
PDF
Energy-directed Test Suite Optimization (GREENS 2013)
James Clause
 
PDF
Enabling and Supporting the Debugging of Field Failures (Job Talk)
James Clause
 
PDF
Debugging Field Failures by Minimizing Captured Executions (ICSE 2009: NIER e...
James Clause
 
PDF
A Technique for Enabling and Supporting Debugging of Field Failures (ICSE 2007)
James Clause
 
PDF
Demand-Driven Structural Testing with Dynamic Instrumentation (ICSE 2005)
James Clause
 
PDF
Initial Explorations on Design Pattern Energy Usage (GREENS 12)
James Clause
 
PDF
Enabling and Supporting the Debugging of Software Failures (PhD Defense)
James Clause
 
PDF
Penumbra: Automatically Identifying Failure-Relevant Inputs (ISSTA 2009)
James Clause
 
PDF
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
James Clause
 
PDF
Camouflage: Automated Anonymization of Field Data (ICSE 2011)
James Clause
 
Investigating the Impacts of Web Servers on Web Application Energy Usage (GRE...
James Clause
 
Energy-directed Test Suite Optimization (GREENS 2013)
James Clause
 
Enabling and Supporting the Debugging of Field Failures (Job Talk)
James Clause
 
Debugging Field Failures by Minimizing Captured Executions (ICSE 2009: NIER e...
James Clause
 
A Technique for Enabling and Supporting Debugging of Field Failures (ICSE 2007)
James Clause
 
Demand-Driven Structural Testing with Dynamic Instrumentation (ICSE 2005)
James Clause
 
Initial Explorations on Design Pattern Energy Usage (GREENS 12)
James Clause
 
Enabling and Supporting the Debugging of Software Failures (PhD Defense)
James Clause
 
Penumbra: Automatically Identifying Failure-Relevant Inputs (ISSTA 2009)
James Clause
 
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
James Clause
 
Camouflage: Automated Anonymization of Field Data (ICSE 2011)
James Clause
 

Recently uploaded (20)

PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
A Presentation on Touch Screen Technology
memembruh336
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
August Patch Tuesday
Ivanti
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
Approach and Philosophy of On baking technology
30anthuong17
 
A Presentation on Touch Screen Technology
memembruh336
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
A Presentation on Artificial Intelligence
memembruh336
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
August Patch Tuesday
Ivanti
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 

Taint-based Dynamic Analysis (CoC Research Day 2009)

  • 1. Taint-based Dynamic Analysis CoC Research Day - 9/25/2009 Designed at Apple in California; assembled at GeorgiaTech
  • 3. Dynamic Tainting Overview 1 Assign taint marks C A B Z
  • 4. Dynamic Tainting Overview 1 Assign taint marks C A B 312 Z
  • 5. Dynamic Tainting Overview 1 Assign taint marks 2 Propagate taint marks C A B 312 Z
  • 6. Dynamic Tainting Overview 1 Assign taint marks 2 Propagate taint marks C A B 312 Z
  • 7. Dynamic Tainting Overview 1 Assign taint marks 3 Check taint marks 2 Propagate taint marks C A B 312 Z
  • 8. Dynamic Tainting Overview 1 Assign taint marks 3 Check taint marks 2 Propagate taint marks C A B 312 Z C A B 312 Z 3
  • 9. Dynamic Tainting Applications Attack detection / prevention Information policy enforcement Testing Memory errors Data lifetime
  • 10. Dynamic Tainting Applications Attack detection / prevention Prevent stack smashing, SQL injection, buffer overruns, etc. Attack detection / prevention Information policy enforcement Testing Memory errors Data lifetime
  • 11. Dynamic Tainting Applications Information policy enforcement ensure classified information does not leave the system Attack detection / prevention Information policy enforcement Testing Memory errors Data lifetime
  • 12. Dynamic Tainting Applications Testing Coverage metrics, test data generation heuristic, etc. ✔/✘ Attack detection / prevention Information policy enforcement Testing Memory errors Data lifetime
  • 13. Dynamic Tainting Applications Attack detection / prevention Information policy enforcement Testing Data lifetime track how long sensitive data remains in an application Memory errors Data lifetime
  • 14. Dynamic Tainting Applications Attack detection / prevention Information policy enforcement Testing Memory errors Detect illegal memory access, leak detection, etc. Memory errors Data lifetime
  • 15. Dynamic Tainting Applications Attack detection / prevention Information policy enforcement Testing Memory errors Detect illegal memory access, leak detection, etc.leak detection Memory errors Data lifetime
  • 16. addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy
  • 17. addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy
  • 18. addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy; fixing them is not
  • 19. Discover where the last pointer to un-freed memory is lost Leak Detection Overview
  • 20. Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 1 1 1 Discover where the last pointer to un-freed memory is lost Leak Detection Overview
  • 21. Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 1 1 1 Discover where the last pointer to un-freed memory is lost Leak Detection Overview # of pointers tainted with this color
  • 22. Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 1 1 1 Discover where the last pointer to un-freed memory is lost Leak Detection Overview
  • 23. Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 2 1 1 1 1 2 2 2 1 1 2 2 Discover where the last pointer to un-freed memory is lost Leak Detection Overview
  • 24. Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 2 1 1 1 1 2 2 2 1 1 2 2 In general propagation follows standard pointer arithmetic rules Discover where the last pointer to un-freed memory is lost Leak Detection Overview
  • 25. Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 2 3 1 1 1 1 2 2 2 1 1 2 2 In general propagation follows standard pointer arithmetic rules Discover where the last pointer to un-freed memory is lost Leak Detection Overview
  • 26. addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy
  • 27. 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); delHtab() { 15. int i; 16. HASHPTR hptr , zapptr; 17. for(i = 0; i < 3001; i++) { 18. hptr = hashtab[i]; 19. if(hptr != (HASHPTR) NULL) { 20. zapptr = hptr ; 21. while(hptr->hnext != (HASHPTR) NULL) { 22.! ! hptr = hptr->hnext; 23.! ! free(zapptr); 24.! ! zapptr = hptr ; 25.! ! } 26.! ! free(hptr); 27.! } 28. }! 29. free(hashtab); 30. return; } Detecting leaks is easy
  • 28. 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); Detecting leaks is easy; fixing them is, too delHtab() { 15. int i; 16. HASHPTR hptr , zapptr; 17. for(i = 0; i < 3001; i++) { 18. hptr = hashtab[i]; 19. if(hptr != (HASHPTR) NULL) { 20. zapptr = hptr ; 21. while(hptr->hnext != (HASHPTR) NULL) { 22.! ! hptr = hptr->hnext; 23.! ! free(zapptr); 24.! ! zapptr = hptr ; 25.! ! } 26.! ! free(hptr); 27.! } 28. }! 29. free(hashtab); 30. return; }
  • 29. 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); Detecting leaks is easy; fixing them is, too delHtab() { 15. int i; 16. HASHPTR hptr , zapptr; 17. for(i = 0; i < 3001; i++) { 18. hptr = hashtab[i]; 19. if(hptr != (HASHPTR) NULL) { 20. zapptr = hptr ; 21. while(hptr->hnext != (HASHPTR) NULL) { 22.! ! hptr = hptr->hnext; 23.! ! free(zapptr); 24.! ! zapptr = hptr ; 25.! ! } 26.! ! free(hptr); 27.! } 28. }! 29. free(hashtab); 30. return; } free(hptr->hname)
  • 31. Leakpoint implementation Pointer to memory area 0x1C93AC0 (16 bytes) allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227)
  • 32. Leakpoint implementation Pointer to memory area 0x1C93AC0 (16 bytes) allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227)
  • 33. Leakpoint implementation Pointer to memory area 0x1C93AC0 (16 bytes) allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227)
  • 36. Evaluation Transmission Locations identified by Leakpoint correspond to where the leaks were fixed by developers.
  • 37. Evaluation Transmission Also found thousands of leaks in the SPEC INT benchmarks Locations identified by Leakpoint correspond to where the leaks were fixed by developers.
  • 38. static void processCompletedTasks(tr_web *web) { ... task->done_func(web->session, ..., task->done_func_user_data); ... evbuffer_free(task->response); tr_free(task->url); tr_free(task); ... } static void invokeRequest(void * vreq) { ... hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH); memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH); tr_webRun(req->session, req->url, req->done_func, hash); ... } static void onStoppedResponse(tr_session *session, ..., void *torrent_hash) { dbgmsg(NULL, "got a response ... message"); // tr_free(torrent_hash); onReqDone(session); }
  • 39. Overhead Powerful but expensive 50 - 100x overheads are common • Execution time is completely automated • Developers have to think less