Group meeting: TaintPipe - Pipelined Symbolic Taint Analysis
1. TaintPipe: Pipelined Symbolic Taint Analysis
Jiang Ming, Dinghao Wu, Gaoyao Xiao, Jun Wang, and Peng Liu
The Pennsylvania State University
USENIX Security '15
4. Taint analysis
• Basic idea: keep track of tags derived from user input
• Taint seeds -> taint propagation -> taint sinks
5. Taint analysis
• Static taint analysis (STA)
  • performed prior to execution
  • no impact on runtime performance
  • under-tainting or over-tainting
• Dynamic taint analysis (DTA)
  • more accurate
  • high runtime overhead (Pin: > 6X slowdown)
6. Problems of DTA
• high runtime overhead (6X~30X)
  • 6~8 extra instructions to propagate a taint tag in shadow memory
• strict coupling of program execution and data flow tracking logic
  • frequent "context switches"
  • register spilling
  • data cache pollution
7. Previous work
• Hardware-assisted approach
  • customized hardware for logging a program trace and delivering it to other idle cores for inspection
  • hardware first-in first-out buffer for speeding up communication between cores
• Software-only methods
  • rely on dynamic binary instrumentation (DBI)
  • decouple dynamic taint analysis from program execution
  • ShadowReplica: "primary & secondary" thread model
8. TaintPipe
• parallel data flow tracking using pipelined symbolic taint analysis
  • segmented symbolic taint analysis
  • symbolic taint state resolution
11. Inlined Analysis vs. TaintPipe
• (a) code segment
• (b) symbolic taint states; the input values size and num are labeled as symbol1 and symbol2
• (c) resolving the symbolic taint states when size is tainted as tag1 and num is a constant value (num = 0xffffffff)
12. TaintPipe
• record compact control flow information to reconstruct straight-line code
  • targets of direct and indirect jumps have been resolved
  • most addresses of memory operations can be inferred from the straight-line code
• pipelining design (asynchronous)
  • may detect an attack some time after the real attack has happened
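The two stages from slides 8, 11 and 12, segmented symbolic propagation followed by symbolic taint state resolution, as an added Python sketch. This is my own illustration, not the paper's implementation (which runs on BAP IL lifted from x86 binaries) and not a transcription of the figure on slide 11. The toy IR, the instruction tuples, the propagation rules (including the `xor reg, reg` and `and reg, 0` taint-kill rules), the segments `SEGMENT_A`/`SEGMENT_B` and the taint seed `tag1` on `[size]` are all my constructions. Memory operands are plain strings, which assumes their addresses have already been recovered from the straight-line code, as slide 12 states. As in slide 11(c), the symbol standing for `num` resolves to the empty set because `num` is a concrete constant, so only `tag1` survives into `eax` and `[buf]`.

```python
"""Pipelined symbolic taint analysis on a toy straight-line IR.

Added illustration, not TaintPipe's code. Instructions are (op, dst, src)
tuples; operands are register/memory names (strings) or int immediates.
A taint value is a frozenset of tag names; the empty set means untainted.
"""
from concurrent.futures import ThreadPoolExecutor

Taint = frozenset


def live_ins(code):
    """Locations a segment reads before writing them: its unknown inputs,
    which the symbolic stage names symbol1, symbol2, ..."""
    written, ins = set(), []
    for op, dst, src in code:
        reads = [] if op == "mov" else [dst]      # mov overwrites dst without reading it
        if not isinstance(src, int):
            reads.append(src)
        for loc in reads:
            if loc not in written and loc not in ins:
                ins.append(loc)
        written.add(dst)
    return ins


def propagate(code, symbols):
    """Stage 1: symbolic taint propagation over one segment.

    `symbols` maps each live-in location to its symbol name. Nothing here
    depends on the real taint of the inputs, so segments run in parallel.
    """
    state = {loc: Taint([sym]) for loc, sym in symbols.items()}

    def taint_of(operand):
        return Taint() if isinstance(operand, int) else state.get(operand, Taint())

    for op, dst, src in code:
        if op == "mov":
            state[dst] = taint_of(src)
        elif op == "and" and isinstance(src, int) and src == 0:
            state[dst] = Taint()                  # constant zero mask: result is untainted
        elif op == "xor" and dst == src:
            state[dst] = Taint()                  # xor reg, reg zeroes the register
        elif op in ("add", "sub", "and", "or", "xor"):
            state[dst] = taint_of(dst) | taint_of(src)
        else:
            raise ValueError(f"unsupported op {op!r}")
    return state


def resolve(sym_state, binding):
    """Stage 2: replace every symbol with the concrete tag set it stands for.
    `binding` maps symbol -> tag set; a concrete, untainted input (like num)
    binds to the empty set."""
    return {loc: Taint().union(*(binding.get(sym, Taint()) for sym in taint))
            for loc, taint in sym_state.items()}


def taintpipe(segments, seeds):
    """Symbolic propagation of all segments in worker threads, then resolution
    in execution order, each segment consuming the concrete state of the last."""
    symbol_maps = [{loc: f"symbol{i + 1}" for i, loc in enumerate(live_ins(code))}
                   for code in segments]
    with ThreadPoolExecutor() as pool:
        sym_states = list(pool.map(propagate, segments, symbol_maps))
    concrete = dict(seeds)                        # taint state when the first segment starts
    for symbols, sym_state in zip(symbol_maps, sym_states):
        binding = {sym: concrete.get(loc, Taint()) for loc, sym in symbols.items()}
        concrete.update(resolve(sym_state, binding))
    return concrete


# Constructed segments (not the slide's figure). [size] is the only taint seed;
# [num] is a concrete, untainted constant.
SEGMENT_A = [
    ("mov", "eax", "[size]"),
    ("mov", "ecx", "[num]"),
    ("and", "eax", "ecx"),      # eax symbolically depends on both inputs
    ("add", "ecx", 4),
    ("mov", "[buf]", "eax"),
]
SEGMENT_B = [
    ("xor", "edx", "edx"),      # taint of edx is killed
    ("add", "edx", "[buf]"),
    ("and", "ecx", 0),          # taint of ecx is killed
]
SEEDS = {"[size]": Taint(["tag1"])}

if __name__ == "__main__":
    for loc, taint in sorted(taintpipe([SEGMENT_A, SEGMENT_B], SEEDS).items()):
        print(f"{loc:7} {set(taint) or '-'}")
```

The symbolic state of `SEGMENT_A` carries `{symbol1, symbol2}` on `eax` and `[buf]`, so the worker has no need to wait for the previous segment; the sequential part is only the cheap substitution in `resolve`. The same asynchrony is why slide 12 notes that an attack may be detected some time after it actually happened.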
14. Architecture
• built on top of a dynamic binary instrumentation tool
• works with unmodified program binaries
15. Implementation
• online logging and pipelining framework
  • dynamic binary instrumentation framework Pin
  • 3,100 lines of C/C++ code
• taint analysis engine
  • binary analysis platform BAP
  • based on BAP's symbolic execution module
  • 4,400 lines of OCaml code
16. Logging
• Logged data
  • control flow profile (in compact format)
  • concrete execution state when taint seeds are first introduced, including registers and memory (e.g., CR0~CR4, EFLAGS and addresses of initial taint seeds)
17. Lightweight Online Logging
• control flow profile: sequence of basic blocks executed
• Detailed Execution Profile (DEP)
  • 2-byte profile structure to represent a 4-byte basic block address on an x86-32 machine
  • H-tag, L-tag, and special tag (0x0000)
  • optimization for REP-prefix instructions
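An added Python example of the 2-byte DEP idea from slide 17. This is my own code, not TaintPipe's, and the slides do not give the unit layout, so the encoding here is an assumption: the profile is a stream of little-endian 2-byte units; while consecutive blocks stay in the same 64 KiB region only the L-tag (low 16 bits of the block address) is written, and a region change is announced by the special tag 0x0000 followed by the H-tag (high 16 bits) and the L-tag. An L-tag that would itself be 0x0000 is always written through that escape, so the decoder can never confuse it with the special tag. The trace `TRACE` is constructed; the REP-prefix optimization is not modelled.

```python
"""Detailed Execution Profile (DEP) style encoding of a basic-block trace.

Added illustration; the unit layout is an assumption, not TaintPipe's real format.
Stream = little-endian 2-byte units. A lone L-tag means "same 64 KiB region as the
previous block"; SPECIAL, H-tag, L-tag announces a new region (or an L-tag of 0x0000).
"""
import struct

SPECIAL = 0x0000   # escape tag: the next two units are an H-tag and an L-tag


def encode_dep(addresses):
    """Compress 32-bit basic-block addresses into 2-byte profile units."""
    units, cur_h = [], None
    for addr in addresses:
        if not 0 <= addr <= 0xFFFFFFFF:
            raise ValueError(f"not a 32-bit address: {addr:#x}")
        h_tag, l_tag = addr >> 16, addr & 0xFFFF
        if h_tag == cur_h and l_tag != SPECIAL:
            units.append(l_tag)                       # common case: one unit per block
        else:
            units.extend((SPECIAL, h_tag, l_tag))     # region change, or an L-tag that
            cur_h = h_tag                             # would collide with the escape value
    return struct.pack(f"<{len(units)}H", *units)


def decode_dep(blob):
    """Reconstruct the basic-block sequence; raises on truncated or malformed input."""
    if len(blob) % 2:
        raise ValueError("odd-length profile")
    units = struct.unpack(f"<{len(blob) // 2}H", blob)
    out, cur_h, i = [], None, 0
    while i < len(units):
        if units[i] == SPECIAL:
            if i + 2 >= len(units):
                raise ValueError("truncated escape sequence")
            cur_h, l_tag = units[i + 1], units[i + 2]
            i += 3
        else:
            if cur_h is None:
                raise ValueError("L-tag before any H-tag")
            l_tag = units[i]
            i += 1
        out.append((cur_h << 16) | l_tag)
    return out


def compression_ratio(addresses):
    """Raw 4-byte-per-block size divided by the DEP size."""
    return (4 * len(addresses)) / len(encode_dep(addresses))


# Constructed trace: a loop in a 32-bit binary's .text, a call into a shared
# library, the return, and a block whose low half is 0x0000 (exercises the escape).
TRACE = ([0x080484A0]
         + [0x080484B3, 0x080484C1] * 20
         + [0xB7E5A1F0, 0xB7E5A21C, 0x080484D9, 0x08050000])

if __name__ == "__main__":
    blob = encode_dep(TRACE)
    assert decode_dep(blob) == TRACE
    print(f"{len(TRACE)} blocks: {4 * len(TRACE)} raw bytes -> {len(blob)} DEP bytes "
          f"({compression_ratio(TRACE):.2f}x)")
```

The win comes from loops: the 40 loop-body blocks cost one unit each, while each of the four region changes costs three. On the constructed trace, 45 blocks shrink from 180 raw bytes to 106, and a longer-running loop pushes the ratio toward 2x, which is the best this scheme can do without the REP optimization or run-length encoding.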
24. Optimal configuration
• Determine the optimal values for two factors
  • control flow profile buffer size
  • number of worker threads
• Experiment setup
  • 2x Intel Xeon E5-2690
  • 128GB RAM
  • 250GB SSD
  • Ubuntu 12.04
25. Performance
• (SPEC CPU2006) On average, the instrumented application thread incurs a 2.60X slowdown relative to native execution, while the overall slowdown of TaintPipe is 4.14X.