James Clause, profile picture
Uploaded byJames Clause
966 views

Taint-based Dynamic Analysis (CoC Research Day 2009)

This document discusses taint-based dynamic analysis and leak detection. It provides an overview of how taint analysis works by assigning taint marks to tracked values, propagating those marks as values are operated on, and checking the taint marks to detect issues. It then discusses applications of taint analysis like attack prevention, information flow monitoring, testing, and detecting memory errors and leaks. Finally, it dives deeper into how leak detection specifically tracks pointers to allocated memory and reports errors if a pointer's taint mark reaches zero but the memory has not been freed.

Embed presentation

Downloaded 20 times
Taint-based Dynamic Analysis CoC Research Day - 9/25/2009 Designed at Apple in California; assembled at GeorgiaTech
Dynamic Tainting Overview C A B Z
Dynamic Tainting Overview 1 Assign taint marks C A B Z
Dynamic Tainting Overview 1 Assign taint marks C A B 312 Z
Dynamic Tainting Overview 1 Assign taint marks 2 Propagate taint marks C A B 312 Z
Dynamic Tainting Overview 1 Assign taint marks 2 Propagate taint marks C A B 312 Z
Dynamic Tainting Overview 1 Assign taint marks 3 Check taint marks 2 Propagate taint marks C A B 312 Z
Dynamic Tainting Overview 1 Assign taint marks 3 Check taint marks 2 Propagate taint marks C A B 312 Z C A B 312 Z 3
Dynamic Tainting Applications Attack detection / prevention Information policy enforcement Testing Memory errors Data lifetime
Dynamic Tainting Applications Attack detection / prevention Prevent stack smashing, SQL injection, buffer overruns, etc. Attack detection / prevention Information policy enforcement Testing Memory errors Data lifetime
Dynamic Tainting Applications Information policy enforcement ensure classified information does not leave the system Attack detection / prevention Information policy enforcement Testing Memory errors Data lifetime
Dynamic Tainting Applications Testing Coverage metrics, test data generation heuristic, etc. ✔/✘ Attack detection / prevention Information policy enforcement Testing Memory errors Data lifetime
Dynamic Tainting Applications Attack detection / prevention Information policy enforcement Testing Data lifetime track how long sensitive data remains in an application Memory errors Data lifetime
Dynamic Tainting Applications Attack detection / prevention Information policy enforcement Testing Memory errors Detect illegal memory access, leak detection, etc. Memory errors Data lifetime
Dynamic Tainting Applications Attack detection / prevention Information policy enforcement Testing Memory errors Detect illegal memory access, leak detection, etc.leak detection Memory errors Data lifetime
addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy
addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy
addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy; fixing them is not
Discover where the last pointer to un-freed memory is lost Leak Detection Overview
Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 1 1 1 Discover where the last pointer to un-freed memory is lost Leak Detection Overview
Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 1 1 1 Discover where the last pointer to un-freed memory is lost Leak Detection Overview # of pointers tainted with this color
Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 1 1 1 Discover where the last pointer to un-freed memory is lost Leak Detection Overview
Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 2 1 1 1 1 2 2 2 1 1 2 2 Discover where the last pointer to un-freed memory is lost Leak Detection Overview
Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 2 1 1 1 1 2 2 2 1 1 2 2 In general propagation follows standard pointer arithmetic rules Discover where the last pointer to un-freed memory is lost Leak Detection Overview
Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 2 3 1 1 1 1 2 2 2 1 1 2 2 In general propagation follows standard pointer arithmetic rules Discover where the last pointer to un-freed memory is lost Leak Detection Overview
addhash(char hname[]) { 35. int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy
46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); delHtab() { 15. int i; 16. HASHPTR hptr , zapptr; 17. for(i = 0; i < 3001; i++) { 18. hptr = hashtab[i]; 19. if(hptr != (HASHPTR) NULL) { 20. zapptr = hptr ; 21. while(hptr->hnext != (HASHPTR) NULL) { 22.! ! hptr = hptr->hnext; 23.! ! free(zapptr); 24.! ! zapptr = hptr ; 25.! ! } 26.! ! free(hptr); 27.! } 28. }! 29. free(hashtab); 30. return; } Detecting leaks is easy
46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); Detecting leaks is easy; fixing them is, too delHtab() { 15. int i; 16. HASHPTR hptr , zapptr; 17. for(i = 0; i < 3001; i++) { 18. hptr = hashtab[i]; 19. if(hptr != (HASHPTR) NULL) { 20. zapptr = hptr ; 21. while(hptr->hnext != (HASHPTR) NULL) { 22.! ! hptr = hptr->hnext; 23.! ! free(zapptr); 24.! ! zapptr = hptr ; 25.! ! } 26.! ! free(hptr); 27.! } 28. }! 29. free(hashtab); 30. return; }
46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); Detecting leaks is easy; fixing them is, too delHtab() { 15. int i; 16. HASHPTR hptr , zapptr; 17. for(i = 0; i < 3001; i++) { 18. hptr = hashtab[i]; 19. if(hptr != (HASHPTR) NULL) { 20. zapptr = hptr ; 21. while(hptr->hnext != (HASHPTR) NULL) { 22.! ! hptr = hptr->hnext; 23.! ! free(zapptr); 24.! ! zapptr = hptr ; 25.! ! } 26.! ! free(hptr); 27.! } 28. }! 29. free(hashtab); 30. return; } free(hptr->hname)
Leakpoint implementation
Leakpoint implementation Pointer to memory area 0x1C93AC0 (16 bytes) allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227)
Leakpoint implementation Pointer to memory area 0x1C93AC0 (16 bytes) allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227)
Leakpoint implementation Pointer to memory area 0x1C93AC0 (16 bytes) allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227)
Evaluation
Evaluation Transmission
Evaluation Transmission Locations identified by Leakpoint correspond to where the leaks were fixed by developers.
Evaluation Transmission Also found thousands of leaks in the SPEC INT benchmarks Locations identified by Leakpoint correspond to where the leaks were fixed by developers.
static void processCompletedTasks(tr_web *web) { ... task->done_func(web->session, ..., task->done_func_user_data); ... evbuffer_free(task->response); tr_free(task->url); tr_free(task); ... } static void invokeRequest(void * vreq) { ... hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH); memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH); tr_webRun(req->session, req->url, req->done_func, hash); ... } static void onStoppedResponse(tr_session *session, ..., void *torrent_hash) { dbgmsg(NULL, "got a response ... message"); // tr_free(torrent_hash); onReqDone(session); }
Overhead Powerful but expensive 50 - 100x overheads are common • Execution time is completely automated • Developers have to think less
Questions?

More Related Content

PDF
Leakpoint: Pinpointing the Causes of Memory Leaks (ICSE 2010)
byJames Clause
 
PPT
03
bymoodle_annotation
 
PPTX
Самые вкусные баги из игрового кода: как ошибаются наши коллеги-программисты ...
byDevGAMM Conference
 
DOC
Knight's Tour
byVeysi Ertekin
 
PPTX
Как работает LLVM бэкенд в C#. Егор Богатов ➠ CoreHard Autumn 2019
bycorehard_by
 
PPTX
Basic C++ 11/14 for Python Programmers
byAppier
 
PDF
Program Language - Fall 2013
byYun-Yan Chi
 
PPSX
Ch11.2&3(1)
byemilyharu
 
Leakpoint: Pinpointing the Causes of Memory Leaks (ICSE 2010)
byJames Clause
 
03
bymoodle_annotation
 
Самые вкусные баги из игрового кода: как ошибаются наши коллеги-программисты ...
byDevGAMM Conference
 
Knight's Tour
byVeysi Ertekin
 
Как работает LLVM бэкенд в C#. Егор Богатов ➠ CoreHard Autumn 2019
bycorehard_by
 
Basic C++ 11/14 for Python Programmers
byAppier
 
Program Language - Fall 2013
byYun-Yan Chi
 
Ch11.2&3(1)
byemilyharu
 

What's hot

PDF
MongoDB Analytics
bydatablend
 
PDF
The Ring programming language version 1.8 book - Part 66 of 202
byMahmoud Samir Fayed
 
PDF
The Art Of Parsing @ Devoxx France 2014
byDinesh Bolkensteyn
 
PDF
Gabriele Lana - The Magic of Elixir
byCodemotion
 
PDF
Improved Security Proof for the Camenisch- Lysyanskaya Signature-Based Synchr...
byMASAYUKITEZUKA1
 
PDF
A Taste of Python - Devdays Toronto 2009
byJordan Baker
 
PDF
Php radomize
bydo_aki
 
PPTX
How to add an optimization for C# to RyuJIT
byEgor Bogatov
 
PDF
Programming with GUTs
byKevlin Henney
 
MongoDB Analytics
bydatablend
 
The Ring programming language version 1.8 book - Part 66 of 202
byMahmoud Samir Fayed
 
The Art Of Parsing @ Devoxx France 2014
byDinesh Bolkensteyn
 
Gabriele Lana - The Magic of Elixir
byCodemotion
 
Improved Security Proof for the Camenisch- Lysyanskaya Signature-Based Synchr...
byMASAYUKITEZUKA1
 
A Taste of Python - Devdays Toronto 2009
byJordan Baker
 
Php radomize
bydo_aki
 
How to add an optimization for C# to RyuJIT
byEgor Bogatov
 
Programming with GUTs
byKevlin Henney
 

Similar to Taint-based Dynamic Analysis (CoC Research Day 2009)

PPTX
Memory protection using dynamic tainting
byUSERAAPKA
 
PDF
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)
byJames Clause
 
PDF
Effective Memory Protection Using Dynamic Tainting (ASE 2007)
byJames Clause
 
PPTX
C++ memory leak detection
byVõ Hòa
 
PDF
Better Embedded 2013 - Detecting Memory Leaks with Valgrind
byRigels Gordani
 
PDF
Debugging tools
byMatteo Virgilio
 
PDF
Memory Management and Leaks in Postgres from pgext.day 2025
byPhil Eaton
 
PDF
Safe Clearing of Private Data
byPVS-Studio
 
PDF
Software Design: Impact of Memory Usage (Copying, Cloning and Aliases)
byAdair Dingle
 
PDF
20140531 serebryany lecture02_find_scary_cpp_bugs
byComputer Science Club
 
DOCX
Valgrind debugger Tutorial
byAnurag Tomar
 
PPT
Automatically Tolerating And Correcting Memory Errors
byEmery Berger
 
PPT
Security related security analyst ppt.ppt
byMubeenaBegum11
 
PDF
How to Perform Memory Leak Test Using Valgrind
byRapidValue
 
PDF
Valgrind tutorial
bySatabdi Das
 
PDF
Yandex may 2013 a san-tsan_msan
byYandex
 
PDF
Yandex may 2013 a san-tsan_msan
byYandex
 
PDF
Yandex may 2013 a san-tsan_msan
byYandex
 
PDF
Efficient and linear static approach for finding the memory leak in C
byIJECEIAES
 
PDF
Memory Leak Debuging in the Semi conductor Hardwares
byKarthick Rajagopal
 
Memory protection using dynamic tainting
byUSERAAPKA
 
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)
byJames Clause
 
Effective Memory Protection Using Dynamic Tainting (ASE 2007)
byJames Clause
 
C++ memory leak detection
byVõ Hòa
 
Better Embedded 2013 - Detecting Memory Leaks with Valgrind
byRigels Gordani
 
Debugging tools
byMatteo Virgilio
 
Memory Management and Leaks in Postgres from pgext.day 2025
byPhil Eaton
 
Safe Clearing of Private Data
byPVS-Studio
 
Software Design: Impact of Memory Usage (Copying, Cloning and Aliases)
byAdair Dingle
 
20140531 serebryany lecture02_find_scary_cpp_bugs
byComputer Science Club
 
Valgrind debugger Tutorial
byAnurag Tomar
 
Automatically Tolerating And Correcting Memory Errors
byEmery Berger
 
Security related security analyst ppt.ppt
byMubeenaBegum11
 
How to Perform Memory Leak Test Using Valgrind
byRapidValue
 
Valgrind tutorial
bySatabdi Das
 
Yandex may 2013 a san-tsan_msan
byYandex
 
Yandex may 2013 a san-tsan_msan
byYandex
 
Yandex may 2013 a san-tsan_msan
byYandex
 
Efficient and linear static approach for finding the memory leak in C
byIJECEIAES
 
Memory Leak Debuging in the Semi conductor Hardwares
byKarthick Rajagopal
 

More from James Clause

PDF
Investigating the Impacts of Web Servers on Web Application Energy Usage (GRE...
byJames Clause
 
PDF
Energy-directed Test Suite Optimization (GREENS 2013)
byJames Clause
 
PDF
Enabling and Supporting the Debugging of Field Failures (Job Talk)
byJames Clause
 
PDF
Debugging Field Failures by Minimizing Captured Executions (ICSE 2009: NIER e...
byJames Clause
 
PDF
A Technique for Enabling and Supporting Debugging of Field Failures (ICSE 2007)
byJames Clause
 
PDF
Demand-Driven Structural Testing with Dynamic Instrumentation (ICSE 2005)
byJames Clause
 
PDF
Initial Explorations on Design Pattern Energy Usage (GREENS 12)
byJames Clause
 
PDF
Enabling and Supporting the Debugging of Software Failures (PhD Defense)
byJames Clause
 
PDF
Penumbra: Automatically Identifying Failure-Relevant Inputs (ISSTA 2009)
byJames Clause
 
PDF
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
byJames Clause
 
PDF
Camouflage: Automated Anonymization of Field Data (ICSE 2011)
byJames Clause
 
Investigating the Impacts of Web Servers on Web Application Energy Usage (GRE...
byJames Clause
 
Energy-directed Test Suite Optimization (GREENS 2013)
byJames Clause
 
Enabling and Supporting the Debugging of Field Failures (Job Talk)
byJames Clause
 
Debugging Field Failures by Minimizing Captured Executions (ICSE 2009: NIER e...
byJames Clause
 
A Technique for Enabling and Supporting Debugging of Field Failures (ICSE 2007)
byJames Clause
 
Demand-Driven Structural Testing with Dynamic Instrumentation (ICSE 2005)
byJames Clause
 
Initial Explorations on Design Pattern Energy Usage (GREENS 12)
byJames Clause
 
Enabling and Supporting the Debugging of Software Failures (PhD Defense)
byJames Clause
 
Penumbra: Automatically Identifying Failure-Relevant Inputs (ISSTA 2009)
byJames Clause
 
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
byJames Clause
 
Camouflage: Automated Anonymization of Field Data (ICSE 2011)
byJames Clause
 

Recently uploaded

PPTX
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
PDF
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
PPTX
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
PDF
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
PDF
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
PDF
[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...
bywintari3
 
PPTX
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
PDF
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
PDF
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
PDF
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
PDF
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PDF
ODSC AI West: Agent Optimization: Beyond Context engineering
byShashikant Jagtap
 
PDF
[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...
byWintari Yasmin
 
PPTX
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
PDF
[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...
bywintari3
 
PDF
Cheryl Hung, Vibe Coding Auth Without Melting Down! isaqb Software Architectu...
byCheryl Hung
 
PDF
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
PDF
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
PDF
The Necessity of Digital Forensics, the Digital Forensics Process & Laborator...
bychrstnpetwinchester
 
PDF
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...
bywintari3
 
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
ODSC AI West: Agent Optimization: Beyond Context engineering
byShashikant Jagtap
 
[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...
byWintari Yasmin
 
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...
bywintari3
 
Cheryl Hung, Vibe Coding Auth Without Melting Down! isaqb Software Architectu...
byCheryl Hung
 
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
The Necessity of Digital Forensics, the Digital Forensics Process & Laborator...
bychrstnpetwinchester
 
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 

Taint-based Dynamic Analysis (CoC Research Day 2009)

  • 1.
    Taint-based Dynamic Analysis CoCResearch Day - 9/25/2009 Designed at Apple in California; assembled at GeorgiaTech
  • 2.
  • 3.
    Dynamic Tainting Overview 1Assign taint marks C A B Z
  • 4.
    Dynamic Tainting Overview 1Assign taint marks C A B 312 Z
  • 5.
    Dynamic Tainting Overview 1Assign taint marks 2 Propagate taint marks C A B 312 Z
  • 6.
    Dynamic Tainting Overview 1Assign taint marks 2 Propagate taint marks C A B 312 Z
  • 7.
    Dynamic Tainting Overview 1Assign taint marks 3 Check taint marks 2 Propagate taint marks C A B 312 Z
  • 8.
    Dynamic Tainting Overview 1Assign taint marks 3 Check taint marks 2 Propagate taint marks C A B 312 Z C A B 312 Z 3
  • 9.
    Dynamic Tainting Applications Attackdetection / prevention Information policy enforcement Testing Memory errors Data lifetime
  • 10.
    Dynamic Tainting Applications Attackdetection / prevention Prevent stack smashing, SQL injection, buffer overruns, etc. Attack detection / prevention Information policy enforcement Testing Memory errors Data lifetime
  • 11.
    Dynamic Tainting Applications Informationpolicy enforcement ensure classified information does not leave the system Attack detection / prevention Information policy enforcement Testing Memory errors Data lifetime
  • 12.
    Dynamic Tainting Applications Testing Coveragemetrics, test data generation heuristic, etc. ✔/✘ Attack detection / prevention Information policy enforcement Testing Memory errors Data lifetime
  • 13.
    Dynamic Tainting Applications Attackdetection / prevention Information policy enforcement Testing Data lifetime track how long sensitive data remains in an application Memory errors Data lifetime
  • 14.
    Dynamic Tainting Applications Attackdetection / prevention Information policy enforcement Testing Memory errors Detect illegal memory access, leak detection, etc. Memory errors Data lifetime
  • 15.
    Dynamic Tainting Applications Attackdetection / prevention Information policy enforcement Testing Memory errors Detect illegal memory access, leak detection, etc.leak detection Memory errors Data lifetime
  • 16.
    addhash(char hname[]) { 35.int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy
  • 17.
    addhash(char hname[]) { 35.int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy
  • 18.
    addhash(char hname[]) { 35.int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy; fixing them is not
  • 19.
    Discover where thelast pointer to un-freed memory is lost Leak Detection Overview
  • 20.
    Assign taint marks Propagate taint marks Check taintmarks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 1 1 1 Discover where the last pointer to un-freed memory is lost Leak Detection Overview
  • 21.
    Assign taint marks Propagate taint marks Check taintmarks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 1 1 1 Discover where the last pointer to un-freed memory is lost Leak Detection Overview # of pointers tainted with this color
  • 22.
    Assign taint marks Propagate taint marks Check taintmarks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 1 1 1 Discover where the last pointer to un-freed memory is lost Leak Detection Overview
  • 23.
    Assign taint marks Propagate taint marks Check taintmarks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 2 1 1 1 1 2 2 2 1 1 2 2 Discover where the last pointer to un-freed memory is lost Leak Detection Overview
  • 24.
    Assign taint marks Propagate taint marks Check taintmarks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 2 1 1 1 1 2 2 2 1 1 2 2 In general propagation follows standard pointer arithmetic rules Discover where the last pointer to un-freed memory is lost Leak Detection Overview
  • 25.
    Assign taint marks Propagate taint marks Check taintmarks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 2 3 1 1 1 1 2 2 2 1 1 2 2 In general propagation follows standard pointer arithmetic rules Discover where the last pointer to un-freed memory is lost Leak Detection Overview
  • 26.
    addhash(char hname[]) { 35.int i; 36. HASHPTR hptr; 37. unsigned int hsum = 0; 38. for(i = 0 ; i < strlen(hname) ; i++) { 39. sum += (unsigned int) hname[i]; 40. } 41. hsum %= 3001; 42. if((hptr = hashtab[hsum]) == (HASHPTR) NULL) { 43. hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX)); 44. hptr->hnext = (HASHPTR) NULL; 45. hptr->hnum = ++netctr; 46. hptr->hname = (char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); 47. sprintf(hptr->hname , "%s" , hname); 48. return(1); 49. } else { ! ... 67. } } Detecting leaks is easy
  • 27.
    46. hptr->hname =(char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); delHtab() { 15. int i; 16. HASHPTR hptr , zapptr; 17. for(i = 0; i < 3001; i++) { 18. hptr = hashtab[i]; 19. if(hptr != (HASHPTR) NULL) { 20. zapptr = hptr ; 21. while(hptr->hnext != (HASHPTR) NULL) { 22.! ! hptr = hptr->hnext; 23.! ! free(zapptr); 24.! ! zapptr = hptr ; 25.! ! } 26.! ! free(hptr); 27.! } 28. }! 29. free(hashtab); 30. return; } Detecting leaks is easy
  • 28.
    46. hptr->hname =(char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); Detecting leaks is easy; fixing them is, too delHtab() { 15. int i; 16. HASHPTR hptr , zapptr; 17. for(i = 0; i < 3001; i++) { 18. hptr = hashtab[i]; 19. if(hptr != (HASHPTR) NULL) { 20. zapptr = hptr ; 21. while(hptr->hnext != (HASHPTR) NULL) { 22.! ! hptr = hptr->hnext; 23.! ! free(zapptr); 24.! ! zapptr = hptr ; 25.! ! } 26.! ! free(hptr); 27.! } 28. }! 29. free(hashtab); 30. return; }
  • 29.
    46. hptr->hname =(char *) malloc((strlen(hname) + 1) * ! ! ! ! ! ! ! ! ! ! sizeof(char)); Detecting leaks is easy; fixing them is, too delHtab() { 15. int i; 16. HASHPTR hptr , zapptr; 17. for(i = 0; i < 3001; i++) { 18. hptr = hashtab[i]; 19. if(hptr != (HASHPTR) NULL) { 20. zapptr = hptr ; 21. while(hptr->hnext != (HASHPTR) NULL) { 22.! ! hptr = hptr->hnext; 23.! ! free(zapptr); 24.! ! zapptr = hptr ; 25.! ! } 26.! ! free(hptr); 27.! } 28. }! 29. free(hashtab); 30. return; } free(hptr->hname)
  • 30.
  • 31.
    Leakpoint implementation Pointer tomemory area 0x1C93AC0 (16 bytes) allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227)
  • 32.
    Leakpoint implementation Pointer tomemory area 0x1C93AC0 (16 bytes) allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227)
  • 33.
    Leakpoint implementation Pointer tomemory area 0x1C93AC0 (16 bytes) allocated:   at malloc   by addhash (hash.c:50) by parser (parser.c:210) by readcell (parser.c:34)   by main (main.c:98)   was leaked:    at free    by delHtab (hash.c:28)    by grdcell(grdcell.c:354)    by main (main.c:227)
  • 34.
  • 35.
  • 36.
    Evaluation Transmission Locations identified byLeakpoint correspond to where the leaks were fixed by developers.
  • 37.
    Evaluation Transmission Also found thousandsof leaks in the SPEC INT benchmarks Locations identified by Leakpoint correspond to where the leaks were fixed by developers.
  • 38.
    static void processCompletedTasks(tr_web*web) { ... task->done_func(web->session, ..., task->done_func_user_data); ... evbuffer_free(task->response); tr_free(task->url); tr_free(task); ... } static void invokeRequest(void * vreq) { ... hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH); memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH); tr_webRun(req->session, req->url, req->done_func, hash); ... } static void onStoppedResponse(tr_session *session, ..., void *torrent_hash) { dbgmsg(NULL, "got a response ... message"); // tr_free(torrent_hash); onReqDone(session); }
  • 39.
    Overhead Powerful but expensive 50- 100x overheads are common • Execution time is completely automated • Developers have to think less
  • 40.