TaintPipe: Pipelined symbolic taint analysis
Venue: In Proceedings of the 24th USENIX Security Symposium (2015), USENIX Association
Citations: 1 - 1 self
Citations
991 | Pin: building customized program analysis tools with dynamic instrumentation
- Luk
- 2005
Citation Context ... TaintPipe, a pipelined taint analysis tool that decouples program execution and taint logic, and parallelizes taint analysis on straight-line code segments. Our implementation is built on top of Pin [23], for the pipelining framework, and BAP [5], for symbolic taint analysis. We have evaluated TaintPipe with a variety of applications such as the SPEC CINT2006 benchmarks, a set of common utilities, a ...
647 | Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software
- Newsome, Song
- 2005
Citation Context ... and then checks the taint status at certain critical location (taint sinks). It has been shown to be effective in dealing with a wide range of security problems, including software attack prevention [25, 40], information flow control [45, 34], data leak detection [49], and malware analysis [43], to name a few. Static taint analysis [1, 36, 28] (STA) is performed prior to execution and therefore it has no...
527 | TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones
- Enck, Gilbert, et al.
- 2010
Citation Context ... has been widely used in various security applications, including data flow policy enforcement [25, 40, 27], reversing protocol data structures [33, 38, 6], malware analysis [39] and Android security [14]. However, an intrinsic limitation of DTA is its significant performance slowdown. Schwartz et al. [32] formally defined the operational semantics for DTA and forward symbolic execution (FSE). Our app...
217 | Obfuscation of executable code to improve resistance to static disassembly
- Linn, Debray
- 2003
Citation Context ...int logic code. In principle, it is possible to remove redundant taint logic by means of static offline optimizations. Unfortunately, even static disassembly of stripped binaries is still a challenge [22, 35]. Therefore, the assumption by ShadowReplica that an accurate control flow graph can be constructed may not be feasible in certain scenarios, such as analyzing control flow obfuscated software. We tak...
201 | Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks
- Xu, Bhatkar, et al.
- 2006
Citation Context ... and then checks the taint status at certain critical location (taint sinks). It has been shown to be effective in dealing with a wide range of security problems, including software attack prevention [25, 40], information flow control [45, 34], data leak detection [49], and malware analysis [43], to name a few. Static taint analysis [1, 36, 28] (STA) is performed prior to execution and therefore it has no...
195 | Panorama: capturing system-wide information flow for malware detection and analysis
- Yin, Song, et al.
- 2007
Citation Context ...own to be effective in dealing with a wide range of security problems, including software attack prevention [25, 40], information flow control [45, 34], data leak detection [49], and malware analysis [43], to name a few. Static taint analysis [1, 36, 28] (STA) is performed prior to execution and therefore it has no impact on runtime performance. STA has the advantage of considering multiple execution ...
189 | An infrastructure for adaptive dynamic optimization
- Bruening, Garnett, et al.
- 2003
Citation Context ...ber of x86 instructions related to string operations (e.g., MOVS, LODS) with REP-prefix are executed repeatedly until the counter register (ecx) counts down to 0. Dynamic binary instrumentation tools [23, 4] normally treat a REP-prefixed instruction as an implicit loop and generate a single instruction basic block in each iteration. In our evaluation, there are several cases that unrolling such REP-prefi...
167 | LIFT: A low-overhead practical information flow tracking system for detecting security attacks
- Qin, Wang, et al.
- 2006
Citation Context ...t at the cost of potential imprecision. For example, STA may result in either under-tainting or over-tainting [32] when merging results at control flow confluence points. Dynamic taint analysis (DTA) [25, 13, 27], in contrast, propagates taint as a program executes, which is more accurate than static taint analysis since it only considers the actual path taken at run time. However, the high runtime overhead i...
137 | Dytan: A generic dynamic taint analysis framework
- Clause, Li, et al.
- 2007
Citation Context ...t at the cost of potential imprecision. For example, STA may result in either under-tainting or over-tainting [32] when merging results at control flow confluence points. Dynamic taint analysis (DTA) [25, 13, 27], in contrast, propagates taint as a program executes, which is more accurate than static taint analysis since it only considers the actual path taken at run time. However, the high runtime overhead i...
106 | All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask)
- Schwartz, Avgerinos, et al.
- 2010
96 | Mining specifications of malicious behavior
- Christodorescu, Jha, et al.
- 2007
Citation Context ...dge indicates an explicit data flow dependency between two nodes. Taint graph faithfully describes intrinsic malicious intents, which can be used as malware specification to detect suspicious samples [12]. The statistics of our testing results are presented in Table 3. It is worth noting that 6 out of 8 malware samples are applied with various control flow obfuscation methods (the fifth column), such ...
74 | Parallelizing security checks on commodity hardware
- Nightingale, Peek, et al.
- 2008
Citation Context ...n, which add further pressure to runtime performance. The proliferation of multicore systems has inspired researchers to decouple taint tracking logic onto spare cores in order to improve performance [24, 31, 26, 15, 17, 9]. Previous work can be classified into two categories. The first category is hardware-assisted approaches. For example, Speck [26] needs OS level support for speculative execution and rollback. Ruwase...
74 | RIFLE: An architectural framework for user-centric information-flow security
- Vachharajani, Bridges, et al.
Citation Context ...t certain critical location (taint sinks). It has been shown to be effective in dealing with a wide range of security problems, including software attack prevention [25, 40], information flow control [45, 34], data leak detection [49], and malware analysis [43], to name a few. Static taint analysis [1, 36, 28] (STA) is performed prior to execution and therefore it has no impact on runtime performance. STA...
71 | Improving application security with data flow assertions
- Yip, Wang, et al.
- 2009
Citation Context ...t certain critical location (taint sinks). It has been shown to be effective in dealing with a wide range of security problems, including software attack prevention [25, 40], information flow control [45, 34], data leak detection [49], and malware analysis [43], to name a few. Static taint analysis [1, 36, 28] (STA) is performed prior to execution and therefore it has no impact on runtime performance. STA...
67 | Automatic Network Protocol Analysis
- Wondracek, Comparetti, et al.
- 2008
Citation Context ...tes taint following the real path taken at run time. DTA has been widely used in various security applications, including data flow policy enforcement [25, 40, 27], reversing protocol data structures [33, 38, 6], malware analysis [39] and Android security [14]. However, an intrinsic limitation of DTA is its significant performance slowdown. Schwartz et al. [32] formally defined the operational semantics for ...
65 | FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps
- Arzt, Rasthofer, et al.
- 2014
Citation Context ...range of security problems, including software attack prevention [25, 40], information flow control [45, 34], data leak detection [49], and malware analysis [43], to name a few. Static taint analysis [1, 36, 28] (STA) is performed prior to execution and therefore it has no impact on runtime performance. STA has the advantage of considering multiple execution paths, but at the cost of potential imprecision. F...
65 | Dispatcher: Enabling Active Botnet Infiltration using Automatic Protocol Reverse-Engineering
- Caballero, Poosankam, et al.
- 2009
Citation Context ...tes taint following the real path taken at run time. DTA has been widely used in various security applications, including data flow policy enforcement [25, 40, 27], reversing protocol data structures [33, 38, 6], malware analysis [39] and Android security [14]. However, an intrinsic limitation of DTA is its significant performance slowdown. Schwartz et al. [32] formally defined the operational semantics for ...
65 | ReTrace: Collecting execution trace with virtual machine deterministic replay. In MoBS
- Xu, Malyugin, et al.
- 2007
Citation Context ...ath taken at run time. DTA has been widely used in various security applications, including data flow policy enforcement [25, 40, 27], reversing protocol data structures [33, 38, 6], malware analysis [39] and Android security [14]. However, an intrinsic limitation of DTA is its significant performance slowdown. Schwartz et al. [32] formally defined the operational semantics for DTA and forward symboli...
61 | TaintTrace: Efficient flow tracing with dynamic binary rewriting. Singapore-MIT Alliance
- Cheng, Zhao, et al.
- 2012
Citation Context ...tion and data flow tracking logic. The original program instructions mingle with the taint tracking instructions, and usually it takes 6–8 extra instructions to propagate a taint tag in shadow memory [11]. In addition, the frequent “context switches” between the original program execution and its corresponding taint propagation lead to register spilling and data cache pollution, which add further pres...
38 | libdft: Practical dynamic data flow tracking for commodity systems
- Kemerlis, Portokalidis, et al.
- 2012
Citation Context ...ted its adoption in production systems. The slowdown incurred by conventional dynamic taint analysis tools [25, 13] can easily go beyond 30X times. Even with the state-of-the-art DTA tool based on Pin [20], typically it still introduces more than 6X slowdown. The crux of the performance penalty comes from the strict coupling of program execution and data flow tracking logic. The original program instru...
34 | BAP: a binary analysis platform
- Brumley, Jager, et al.
- 2011
Citation Context ...that decouples program execution and taint logic, and parallelizes taint analysis on straight-line code segments. Our implementation is built on top of Pin [23], for the pipelining framework, and BAP [5], for symbolic taint analysis. We have evaluated TaintPipe with a variety of applications such as the SPEC CINT2006 benchmarks, a set of common utilities, a list of recent real-life software vulnerabi...
32 | TaintEraser: Protecting Sensitive Data Leaks Using Application-Level Taint Tracking
- Zhu, Jung, et al.
- 2011
Citation Context ...aint sinks). It has been shown to be effective in dealing with a wide range of security problems, including software attack prevention [25, 40], information flow control [45, 34], data leak detection [49], and malware analysis [43], to name a few. Static taint analysis [1, 36, 28] (STA) is performed prior to execution and therefore it has no impact on runtime performance. STA has the advantage of cons...
30 | Minemu: The world’s fastest taint tracker
- Bosman, Slowinska, et al.
- 2011
Citation Context ...ation. Taint logic code, deciding whether and how to propagate taint, require additional instructions and “context switches”. Frequently executing taint logic code incurs substantial overhead. Minemu [3] achieved a decent runtime performance at the cost of sacrificing memory space to speed up shadow memory access. Moreover, Minemu utilized spare SSE registers to alleviate the pressure of general regi...
28 | Unleashing Mayhem on binary code
- Cha, Avgerinos, et al.
- 2012
Citation Context ...bolic taint input may be used as a memory lookup index. Without any constraint, a symbolic memory index could point to any memory cell. Inspired by the index-based memory model proposed by Cha et al. [8], we attempt to narrow down the symbolic memory accesses to a small range with symbolic taint states and path predicates. We first leverage value set analysis [2] to limit the range of a symbolic memo...
26 | Howard: a dynamic excavator for reverse engineering data structures
- Slowinska, Stancescu, et al.
- 2011
Citation Context ...tes taint following the real path taken at run time. DTA has been widely used in various security applications, including data flow policy enforcement [25, 40, 27], reversing protocol data structures [33, 38, 6], malware analysis [39] and Android security [14]. However, an intrinsic limitation of DTA is its significant performance slowdown. Schwartz et al. [32] formally defined the operational semantics for ...
20 | Input generation via decomposition and re-stitching: Finding bugs in malware
- Caballero, Poosankam, et al.
- 2010
Citation Context ...ssible cryptography functions by observing the input-output dependency with multi-tag taint analysis. That is, each byte in the encrypted message is dependent on almost all bytes of input data or key [7, 21, 48]. However, multi-tag dynamic taint analysis normally has to sacrifice more shadow memory and imposes much higher runtime overhead than single-tag dynamic taint analysis. Recall that multi-tag propagat...
17 | STILL: Exploit code detection via static taint and initialization analyses
- Wang, Jhi, et al.
- 2008
Citation Context ...range of security problems, including software attack prevention [25, 40], information flow control [45, 34], data leak detection [49], and malware analysis [43], to name a few. Static taint analysis [1, 36, 28] (STA) is performed prior to execution and therefore it has no impact on runtime performance. STA has the advantage of considering multiple execution paths, but at the cost of potential imprecision. F...
16 | Binary code analysis via whole-system layered annotative execution
- Yin, Song
- 2010
Citation Context ... To this end, we counted the total number of tainted bytes in the taint state when taint analysis hit the taint sinks. Column 4 ∼ 6 of Table 2 show the number of taint bytes when running libdft, TEMU [44] and TaintPipe, respectively. Compared with the inlined dynamic taint analysis tools (libdft and TEMU), TaintPipe’s symbolic taint analysis achieves almost the same results in 8 cases and introduces o...
15 | Towards practical taint tracking
- Ermolinskiy, Katti, et al.
- 2010
Citation Context ...n, which add further pressure to runtime performance. The proliferation of multicore systems has inspired researchers to decouple taint tracking logic onto spare cores in order to improve performance [24, 31, 26, 15, 17, 9]. Previous work can be classified into two categories. The first category is hardware-assisted approaches. For example, Speck [26] needs OS level support for speculative execution and rollback. Ruwase...
15 | Decoupled lifeguards: Enabling path optimizations for dynamic correctness checking tools
- Ruwase, Chen, et al.
- 2010
Citation Context ...7X slowdown (“TaintPipe - overall” / “nullpin”) and libdft introduces 6.4X slowdown— this number is coincident to the observation that propagating a taint tag normally requires extra 6–8 instructions [30, 11]. In summary, TaintPipe outperforms inlined dynamic taint analysis drastically: 2.38X faster than the inlined dynamic taint analysis, and 3.79X faster in terms of application execution. In the best ca...
13 | DEP: detailed execution profile
- Zhao, Sim, et al.
- 2006
Citation Context ...f conditional jump [29], which leads to a much more compact profile. However, reconstructing straight-line code from a 1-bit profile is more complicated to make it fit for offline analysis. Zhao et al. [47] proposed Detailed Execution Profile (DEP), a 2-byte profile structure to represent 4-byte basic block address on x86-32 machine. In DEP, a 4-byte address is divided into two parts: H-tag for the 2 hig...
12 | PiPA: Pipelined profiling and analysis on multicore systems
- Zhao, Cutcutache, et al.
Citation Context ... thread’s execution speed is typically faster than the processing speed of worker threads. To mitigate this bottleneck, we employed “one producer, multiple consumers” model and N-way buffering scheme [46]. At the center of our design is a thread pool, which is subdivided into n linked buffers, and the producer thread and multiple worker threads work on different buffers simultaneously. More specifical...
10 | A general approach for efficiently accelerating software-based dynamic data flow tracking on commodity hardware
- Jee
- 2012
Citation Context ...rect jumps (e.g., jmp eax). Typically it is hard to precisely infer the destination of an indirect jump statically. Thus, the taint logic optimization methods that rely on accurate control flow graph [17, 18] will fail. In contrast, our approach does not rely on control flow graph and therefore we analyzed these obfuscated malware samples smoothly. Cryptography Function Detection. Malware authors often us...
10 | Dynamic information flow tracking on multicores
- Nagarajan, Kim, et al.
- 2008
Citation Context ...n, which add further pressure to runtime performance. The proliferation of multicore systems has inspired researchers to decouple taint tracking logic onto spare cores in order to improve performance [24, 31, 26, 15, 17, 9]. Previous work can be classified into two categories. The first category is hardware-assisted approaches. For example, Speck [26] needs OS level support for speculative execution and rollback. Ruwase...
4 | Micro execution
- Godefroid
- 2014
4 | Architecture-Independent Dynamic Information Flow Tracking
- Whelan, Leek, et al.
- 2013
Citation Context ...only introduces marginal side effects. 4.2.3 Taint Operation Generation Based on BIL statements, we construct taint operations. Taint operations inside a basic block are formed as “taint basic block” [37], which are cached for efficiency. To make the best of cache effect, we merge the basic blocks with only one predecessor and one successor. Since BIL explicitly reveals the side effect of intricate x8...
4 | A generic approach to automatic deobfuscation of executable code
- Yadegari, Johannesmeyer, et al.
Citation Context ...evel taint for EFLAGS register, representing whether a bit of the EFLAGS is tainted or not due to side effects. Recent work has demonstrated the value of bit-level taint in binary code de-obfuscation [42]. int a, b, c, d; 1: a = read (); 2: c = read (); 3: c = c xor c; 4: b = ~ a; 5: d = a & b; (a) a basic block (b) a taint basic block 1: Taint (a) = tag1; 2: Taint (c) = tag2; 3: Taint (c) = 0; 4: Tai...
3 | ShadowReplica: efficient parallelization of dynamic data flow tracking
- Jee, Kemerlis, et al.
- 2013
Citation Context ...n, which add further pressure to runtime performance. The proliferation of multicore systems has inspired researchers to decouple taint tracking logic onto spare cores in order to improve performance [24, 31, 26, 15, 17, 9]. Previous work can be classified into two categories. The first category is hardware-assisted approaches. For example, Speck [26] needs OS level support for speculative execution and rollback. Ruwase...
2 | Arithmetic program paths
- Renieris, Ramaprasad, et al.
- 2005
Citation Context ...introduced, TaintPipe collects control flow information, which is represented as a sequence of basic blocks executed. Conceptually, we can use a single bit to record the direction of conditional jump [29], which leads to a much more compact profile. However, reconstructing straight-line code from a 1-bit profile is more complicated to make it fit for offline analysis. Zhao et al. [47] proposed Detailed ...
2 | Parallelizing dynamic information flow tracking lifeguards
- Ruwase, Gibbons, et al.
- 2008
Citation Context ...n, which add further pressure to runtime performance. The proliferation of multicore systems has inspired researchers to decouple taint tracking logic onto spare cores in order to improve performance [24, 31, 26, 15, 17, 9]. Previous work can be classified into two categories. The first category is hardware-assisted approaches. For example, Speck [26] needs OS level support for speculative execution and rollback. Ruwase...
2 | Reassembleable disassembling
- Wang, Wang, et al.
- 2015
Citation Context ...int logic code. In principle, it is possible to remove redundant taint logic by means of static offline optimizations. Unfortunately, even static disassembly of stripped binaries is still a challenge [22, 35]. Therefore, the assumption by ShadowReplica that an accurate control flow graph can be constructed may not be feasible in certain scenarios, such as analyzing control flow obfuscated software. We tak...
2 | Bit-level taint analysis
- Yadegari, Debray
- 2014
Citation Context ...will lead to precision loss. Check the code at Line 4 and 5 in Figure 7, value d will always be zero since b is the negation of a. Unfortunately, some previous work may label d as tainted incorrectly [41]. Third, different from related work [20, 17], TaintPipe supports bit-level taint for EFLAGS register, representing whether a bit of the EFLAGS is tainted or not due to side effects. Recent work has d...
1 | WYSINWYX: What You See Is Not What You eXecute. ACM Transactions on Programming Languages and Systems
- Balakrishnan, Reps
- 2010
Citation Context ...d memory model proposed by Cha et al. [8], we attempt to narrow down the symbolic memory accesses to a small range with symbolic taint states and path predicates. We first leverage value set analysis [2] to limit the range of a symbolic memory access and then refine the range by querying a constraint solver. The path predicate along the straight-line code usually limits the scope of symbolic memory a...
1 | Efficient dynamic taint analysis using multicore machines
- Chabbi, Periyanayagam, et al.
- 2007
Citation Context ...n, which add further pressure to runtime performance. The proliferation of multicore systems has inspired researchers to decouple taint tracking logic onto spare cores in order to improve performance [24, 31, 26, 15, 17, 9]. Previous work can be classified into two categories. The first category is hardware-assisted approaches. For example, Speck [26] needs OS level support for speculative execution and rollback. Ruwase...
1 | Log-based architectures: Using multicore to help software behave correctly
- Chen, Gibbons, et al.
Citation Context ...osed symbolic inheritance tracking to parallelize dynamic taint analysis. TaintPipe differs from Ruwase et al.’s approach in three ways: 1) Their approach was built on top of a log-based architecture [10] for efficient communication with idle cores, while TaintPipe works on commodity multi-core hardware directly. 2) To achieve better parallelization, they adopted a relaxed taint propagation policy to ...
1 | CipherXRay: Exposing cryptographic operations and transient secrets from monitored binary execution
- Li, Wang, et al.
- 2014
Citation Context ...ssible cryptography functions by observing the input-output dependency with multi-tag taint analysis. That is, each byte in the encrypted message is dependent on almost all bytes of input data or key [7, 21, 48]. However, multi-tag dynamic taint analysis normally has to sacrifice more shadow memory and imposes much higher runtime overhead than single-tag dynamic taint analysis. Recall that multi-tag propagat...
1 | Static taint analysis on binary executables. http://stator.imag.fr
- Rawat, Mounier, et al.
- 2011
Citation Context ...range of security problems, including software attack prevention [25, 40], information flow control [45, 34], data leak detection [49], and malware analysis [43], to name a few. Static taint analysis [1, 36, 28] (STA) is performed prior to execution and therefore it has no impact on runtime performance. STA has the advantage of considering multiple execution paths, but at the cost of potential imprecision. F...
1 | Automatic detection and analysis of encrypted messages in malware
- Zhao, Gu, et al.
- 2013
Citation Context ...ssible cryptography functions by observing the input-output dependency with multi-tag taint analysis. That is, each byte in the encrypted message is dependent on almost all bytes of input data or key [7, 21, 48]. However, multi-tag dynamic taint analysis normally has to sacrifice more shadow memory and imposes much higher runtime overhead than single-tag dynamic taint analysis. Recall that multi-tag propagat...