Taint-based Dynamic Analysis
CoC Research Day - 9/25/2009
James Clause
Designed at Apple in California; assembled at GeorgiaTech
Dynamic Tainting Overview
1 Assign taint marks
2 Propagate taint marks
3 Check taint marks
[Diagram: values A, B and C are given taint marks, which propagate through the computation to the result Z, where they are checked]
Dynamic Tainting Applications
Attack detection / prevention: prevent stack smashing, SQL injection, buffer overruns, etc.
Information policy enforcement: ensure classified information does not leave the system
Testing: coverage metrics, test data generation heuristics, etc.
Memory errors: detect illegal memory access, leak detection (the focus of this talk), etc.
Data lifetime: track how long sensitive data remains in an application
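The three steps of the overview and the information-policy application above, as an added C model (not code from the slides): every value carries a shadow bitmask of taint marks, operations propagate the union of their operands' marks, and a sink checks which forbidden marks arrived. The names A, B, C and Z follow the overview diagram; the marks 1, 2, 3 and the rule that C is classified and must not reach the output Z are assumptions for the demo.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int      val;    /* the program's real value */
    uint32_t taint;  /* shadow: bit k set means "carries taint mark k" */
} tval;

#define MARK(k) (1u << (k))

/* 1. assign: a value entering from a source gets its own mark */
static tval tv_source(int val, unsigned mark) {
    tval t = { val, MARK(mark) };
    return t;
}
/* constants and program-internal values start untainted */
static tval tv_const(int val) {
    tval t = { val, 0u };
    return t;
}

/* 2. propagate: the result of an operation carries the union of the marks
 * of its operands (a plain assignment has one operand, so it just copies) */
static tval tv_add(tval a, tval b) {
    tval r = { a.val + b.val, a.taint | b.taint };
    return r;
}
static tval tv_mul(tval a, tval b) {
    tval r = { a.val * b.val, a.taint | b.taint };
    return r;
}
/* explicit declassification: an approved release point strips one mark */
static tval tv_declassify(tval a, unsigned mark) {
    a.taint &= ~MARK(mark);
    return a;
}

/* 3. check: at a sink, return the forbidden marks that reached it
 * (0 means the policy held) */
static uint32_t tv_check(tval sink, uint32_t forbidden) {
    return sink.taint & forbidden;
}

/* Assumed policy: C is classified (mark 3) and must never reach the output
 * Z; A and B (marks 1 and 2) are ordinary inputs. Values are constructed. */
#define CLASSIFIED MARK(3)

static tval A, B, C;
static void read_inputs(void) {
    A = tv_source(3, 1);
    B = tv_source(4, 2);
    C = tv_source(5, 3);
}

/* Z = (A + B) * C: the classified mark flows into Z, the check fires (8) */
static uint32_t z_from_all_inputs(void) {
    read_inputs();
    tval z = tv_mul(tv_add(A, B), C);
    return tv_check(z, CLASSIFIED);
}
/* Z = A * B + 7: only marks 1 and 2 reach Z, the check passes (0) */
static uint32_t z_from_public_inputs(void) {
    read_inputs();
    tval z = tv_add(tv_mul(A, B), tv_const(7));
    return tv_check(z, CLASSIFIED);
}
/* Z = A + declassify(C): the release point clears mark 3 first (0) */
static uint32_t z_after_declassify(void) {
    read_inputs();
    tval z = tv_add(A, tv_declassify(C, 3));
    return tv_check(z, CLASSIFIED);
}
/* every mark that reaches Z = (A + B) * C: bits 1, 2 and 3, i.e. 14 */
static uint32_t z_all_marks(void) {
    read_inputs();
    return tv_mul(tv_add(A, B), C).taint;
}

int main(void) {
    printf("Z=(A+B)*C    forbidden marks at sink: %u\n", z_from_all_inputs());
    printf("Z=A*B+7      forbidden marks at sink: %u\n", z_from_public_inputs());
    printf("Z=A+decl(C)  forbidden marks at sink: %u\n", z_after_declassify());
    return 0;
}
```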
Running example: addhash() from hash.c. The declarations at the top are inferred from how the slide's code uses them and are not on the slide; "..." marks code elided on the slide.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct hashbox {
    struct hashbox *hnext;
    int             hnum;
    char           *hname;
} HASHBOX, *HASHPTR;

extern HASHPTR *hashtab;   /* 3001 buckets */
extern int      netctr;

int addhash(char hname[]) {
    int i;
    HASHPTR hptr;
    unsigned int hsum = 0;
    for(i = 0 ; i < strlen(hname) ; i++) {
        hsum += (unsigned int) hname[i];   /* the slide reads "sum +=", a typo for hsum */
    }
    hsum %= 3001;
    if((hptr = hashtab[hsum]) == (HASHPTR) NULL) {
        hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX));
        hptr->hnext = (HASHPTR) NULL;
        hptr->hnum = ++netctr;
        hptr->hname = (char *) malloc((strlen(hname) + 1) * sizeof(char));   /* this string is never freed */
        sprintf(hptr->hname , "%s" , hname);
        return(1);
    } else {
        ...
    }
}

Detecting leaks is easy; fixing them is not
Leak Detection Overview
Discover where the last pointer to un-freed memory is lost

Assign taint marks: every allocation returns a pointer tainted with a fresh color.
Propagate taint marks: in general propagation follows standard pointer arithmetic rules, so a pointer derived from a tainted pointer carries the same color, and assigning NULL drops it.
Check taint marks: report an error if a taint mark's count (the # of pointers tainted with this color) is zero and the memory has not been freed.

  statement             tainted pointers after it   # of pointers per color
  ptr1 = malloc(...) ➔  ptr1 (color 1)              color 1: 1
  ptr2 = calloc(...) ➔  ptr2 (color 2)              color 1: 1, color 2: 1
  ptr3 = ptr1        ➔  ptr3, ptr1 (color 1)        color 1: 2, color 2: 1
  ptr1 = NULL        ➔  ptr3 (color 1)              color 1: 1, color 2: 1
  ptr4 = ptr2 + 1    ➔  ptr4, ptr2 (color 2)        color 1: 1, color 2: 2
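The scheme on this slide as an added C model (not Leakpoint's own code, which is not on the page): each allocation gets a fresh color, pointer variables carry the color of the block they point into, a per-color counter records how many pointers are tainted with that color, and a count that reaches zero while the block is unfreed is reported at the statement that lost the last pointer. Statement numbers stand in for Leakpoint's stack traces; the statements after the slide's five are added to show one count reaching zero with the block unfreed (reported) and one reaching zero after free() (not reported).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_COLORS 16

typedef struct {
    void *raw;        /* model bookkeeping only, so reset() can return the memory */
    int   count;      /* # of pointers tainted with this color */
    int   freed;      /* has the block been passed to free()? */
    int   leaked_at;  /* statement that lost the last pointer, 0 = none */
} block_t;

typedef struct { void *p; int color; } tptr;   /* a pointer plus its shadow color */

static block_t blocks[MAX_COLORS + 1];   /* index = color; color 0 = untainted */
static int next_color, stmt_no;
static int snap[32][MAX_COLORS + 1];     /* count per color after each statement */

static void snapshot(void) { for (int c = 1; c <= next_color; c++) snap[stmt_no][c] = blocks[c].count; }
static void retain(int c) { if (c) blocks[c].count++; }

/* 3. check: the last pointer to a still-allocated block has just been lost */
static void release(int c) {
    if (c && --blocks[c].count == 0 && !blocks[c].freed && !blocks[c].leaked_at)
        blocks[c].leaked_at = stmt_no;
}

/* 1. assign: dst = malloc(n) or calloc(1, n) gets a brand-new color */
static void t_alloc(tptr *dst, size_t n, int zeroed) {
    stmt_no++;
    release(dst->color);                 /* dst's old target may lose its last pointer */
    dst->p = zeroed ? calloc(1, n) : malloc(n);
    dst->color = ++next_color;
    blocks[dst->color].raw = dst->p;
    retain(dst->color);
    snapshot();
}
/* 2. propagate: dst = src + k; pointer arithmetic keeps the color of src */
static void t_assign(tptr *dst, tptr src, long k) {
    stmt_no++;
    retain(src.color);                   /* retain before release: dst may alias src */
    release(dst->color);
    dst->p = (char *)src.p + k;
    dst->color = src.color;
    snapshot();
}
/* dst = NULL: a constant carries no color, so dst drops its taint */
static void t_null(tptr *dst) {
    stmt_no++;
    release(dst->color);
    dst->p = NULL;
    dst->color = 0;
    snapshot();
}
/* free(p): the block is gone, so pointers lost later are not leaks
 * (the real memory is returned in reset() via blocks[].raw) */
static void t_free(tptr p) {
    stmt_no++;
    blocks[p.color].freed = 1;
    snapshot();
}

static int count_after(int stmt, int color) { return snap[stmt][color]; }
static int leaked_at(int color) { return blocks[color].leaked_at; }

static void reset(void) {
    for (int c = 1; c <= next_color; c++) free(blocks[c].raw);
    memset(blocks, 0, sizeof blocks);
    memset(snap, 0, sizeof snap);
    next_color = stmt_no = 0;
}

/* Replays the slide's five statements, then loses the last pointer to ptr1's
 * block (a leak) and frees ptr2's block before dropping its pointers (not a
 * leak). Returns the number of statements executed. */
static int run_slide_scenario(void) {
    reset();
    tptr ptr1 = { NULL, 0 }, ptr2 = { NULL, 0 }, ptr3 = { NULL, 0 }, ptr4 = { NULL, 0 };
    t_alloc(&ptr1, 16, 0);      /* 1: ptr1 = malloc(...)   color 1: 1 pointer */
    t_alloc(&ptr2, 16, 1);      /* 2: ptr2 = calloc(...)   color 2: 1 */
    t_assign(&ptr3, ptr1, 0);   /* 3: ptr3 = ptr1          color 1: 2 */
    t_null(&ptr1);              /* 4: ptr1 = NULL          color 1: 1 */
    t_assign(&ptr4, ptr2, 1);   /* 5: ptr4 = ptr2 + 1      color 2: 2 */
    t_null(&ptr3);              /* 6: color 1 drops to 0, block never freed: reported here */
    t_free(ptr2);               /* 7: free(ptr2) */
    t_null(&ptr2);              /* 8: color 2: 1 */
    t_null(&ptr4);              /* 9: color 2 drops to 0, but the block was freed: no report */
    return stmt_no;
}

int main(void) {
    run_slide_scenario();
    for (int c = 1; c <= next_color; c++)
        if (leaked_at(c)) printf("block with color %d leaked: last pointer lost at statement %d\n", c, leaked_at(c));
    reset();
    return 0;
}
```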
Detecting leaks is easy; fixing them is, too

The leaked block is the name string allocated in addhash():

    hptr->hname = (char *) malloc((strlen(hname) + 1) * sizeof(char));

delHtab() frees every HASHBOX but never the hname string the box owns, so the last pointer to each string is lost at the moment its box is freed:

void delHtab() {
    int i;
    HASHPTR hptr , zapptr;
    for(i = 0; i < 3001; i++) {
        hptr = hashtab[i];
        if(hptr != (HASHPTR) NULL) {
            zapptr = hptr ;
            while(hptr->hnext != (HASHPTR) NULL) {
                hptr = hptr->hnext;
                free(zapptr);          /* box freed; zapptr->hname is now unreachable */
                zapptr = hptr ;
            }
            free(hptr);                /* box freed; hptr->hname is now unreachable */
        }
    }
    free(hashtab);
    return;
}

The fix is to release the string before its box, i.e. free(hptr->hname) right before free(hptr), and likewise free(zapptr->hname) before free(zapptr) inside the loop:

            while(hptr->hnext != (HASHPTR) NULL) {
                hptr = hptr->hnext;
                free(zapptr->hname);
                free(zapptr);
                zapptr = hptr ;
            }
            free(hptr->hname);
            free(hptr);
Leakpoint implementation

For each leaked block Leakpoint reports where it was allocated and where the last pointer to it was lost:

Pointer to memory area 0x1C93AC0 (16 bytes)
allocated:
  at malloc
  by addhash (hash.c:50)
  by parser (parser.c:210)
  by readcell (parser.c:34)
  by main (main.c:98)
was leaked:
  at free
  by delHtab (hash.c:28)
  by grdcell(grdcell.c:354)
  by main (main.c:227)
Evaluation

Transmission: the locations identified by Leakpoint correspond to where the leaks were fixed by developers.
Also found thousands of leaks in the SPEC INT benchmarks.
One of the Transmission leaks, as quoted on the slide ("..." marks code elided there). The hash buffer allocated in invokeRequest() is handed to tr_webRun() as the callback's user data, but nothing frees it: the callback's own tr_free() is commented out, and processCompletedTasks() frees the task, which holds the last pointer to the buffer, without freeing the buffer itself.

static void processCompletedTasks(tr_web *web) {
    ...
    task->done_func(web->session, ..., task->done_func_user_data);
    ...
    evbuffer_free(task->response);
    tr_free(task->url);
    tr_free(task);   /* task held the last pointer to done_func_user_data: the hash is leaked here */
    ...
}
static void invokeRequest(void * vreq) {
    ...
    hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH);                 /* allocation of the leaked block */
    memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH);
    tr_webRun(req->session, req->url, req->done_func, hash);   /* hash becomes done_func_user_data */
    ...
}
static void onStoppedResponse(tr_session *session, ..., void *torrent_hash) {
    dbgmsg(NULL, "got a response ... message");
    // tr_free(torrent_hash);   /* the free of the hash in the callback is commented out */
    onReqDone(session);
}
Overhead
Powerful but expensive: execution-time overheads of 50 - 100x are common.
In return the analysis is completely automated, so developers have to think less.
Questions?

DevOps and Testing slides at DASA Connect
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 

Taint-based Dynamic Analysis (CoC Research Day 2009)

  • 1. Taint-based Dynamic Analysis. CoC Research Day - 9/25/2009. Designed at Apple in California; assembled at GeorgiaTech
  • 3-8. Dynamic Tainting Overview (build-up slides; the diagram shows values A, B, C carrying taint marks and a checked result Z)
    1 Assign taint marks
    2 Propagate taint marks
    3 Check taint marks
  • 9-15. Dynamic Tainting Applications
    Attack detection / prevention: prevent stack smashing, SQL injection, buffer overruns, etc.
    Information policy enforcement: ensure classified information does not leave the system
    Testing: coverage metrics, test data generation heuristic, etc.
    Data lifetime: track how long sensitive data remains in an application
    Memory errors: detect illegal memory access, leak detection, etc. (leak detection is the focus of the rest of the talk)
  • 16-18. Detecting leaks is easy; fixing them is not. The addhash() routine from hash.c (file line numbers kept because the Leakpoint report below refers to them; lines 50-66 are elided on the slide):

        addhash(char hname[]) {
    35.     int i;
    36.     HASHPTR hptr;
    37.     unsigned int hsum = 0;
    38.     for(i = 0 ; i < strlen(hname) ; i++) {
    39.         hsum += (unsigned int) hname[i];
    40.     }
    41.     hsum %= 3001;
    42.     if((hptr = hashtab[hsum]) == (HASHPTR) NULL) {
    43.         hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX));
    44.         hptr->hnext = (HASHPTR) NULL;
    45.         hptr->hnum = ++netctr;
    46.         hptr->hname = (char *) malloc((strlen(hname) + 1) * sizeof(char));
    47.         sprintf(hptr->hname , "%s" , hname);
    48.         return(1);
    49.     } else {
                ...
    67.     }
        }
  • 19-25. Leak Detection Overview: discover where the last pointer to un-freed memory is lost.
    Assign taint marks: every allocation returns a pointer carrying a fresh taint mark (color).
    Propagate taint marks: in general propagation follows standard pointer arithmetic rules. Each color keeps a count of the pointers tainted with it:
        ptr1 = malloc(...)   ➔ ptr1          (color 1: count 1)
        ptr2 = calloc(...)   ➔ ptr2          (color 2: count 1)
        ptr3 = ptr1          ➔ ptr3, ptr1    (color 1: count 2)
        ptr1 = NULL          ➔ ptr3          (color 1: count 1; ptr1 no longer carries the mark)
        ptr4 = ptr2 + 1      ➔ ptr4, ptr2    (color 2: count 2)
    Check taint marks: report an error if a taint mark's count is zero and the memory has not been freed.
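The three steps above, as an added shadow-memory model that replays the slide's statement sequence and then continues it until a leak is reported. This is illustration code written for this page, not the talk's Leakpoint implementation; the `example.c:NN` statement sites are constructed placeholders.

```python
class TaintTracker:
    """Shadow state for the assign / propagate / check steps of leak detection."""

    def __init__(self):
        self.alloc_site = {}  # color -> statement that allocated the block
        self.freed = set()    # colors whose block has been free()d
        self.ptr_color = {}   # pointer variable -> color (None = untainted)
        self.count = {}       # color -> number of pointers carrying it
        self.leaks = []       # (color, allocation site, site that lost the last pointer)

    def alloc(self, ptr, site):
        """Step 1: malloc/calloc gives the returned pointer a fresh color."""
        color = len(self.alloc_site) + 1
        self.alloc_site[color] = site
        self.count[color] = 0
        self._set(ptr, color, site)

    def assign(self, dst, src, site):
        """Step 2: dst = src, dst = src + n (arithmetic keeps the color), or dst = NULL (src None)."""
        self._set(dst, self.ptr_color.get(src), site)

    def free(self, ptr):
        """free(ptr): losing the block's last pointer afterwards is not a leak."""
        color = self.ptr_color.get(ptr)
        if color is not None:
            self.freed.add(color)

    def _set(self, ptr, color, site):
        """Step 3: adjust counts; a color that drops to zero while unfreed is a leak."""
        old = self.ptr_color.get(ptr)
        if old == color:  # e.g. p = p + 1: nothing changes
            return
        if color is not None:
            self.count[color] += 1
        if old is not None:
            self.count[old] -= 1
            if self.count[old] == 0 and old not in self.freed:
                self.leaks.append((old, self.alloc_site[old], site))
        self.ptr_color[ptr] = color


def run_slide_example():
    t = TaintTracker()  # statement sites below are constructed placeholders
    t.alloc("ptr1", "example.c:10")           # ptr1 = malloc(...)  -> color 1
    t.alloc("ptr2", "example.c:11")           # ptr2 = calloc(...)  -> color 2
    t.assign("ptr3", "ptr1", "example.c:12")  # ptr3 = ptr1         -> color 1 on ptr3, ptr1
    t.assign("ptr1", None, "example.c:13")    # ptr1 = NULL         -> color 1 only on ptr3
    t.assign("ptr4", "ptr2", "example.c:14")  # ptr4 = ptr2 + 1     -> color 2 on ptr4, ptr2
    counts = dict(t.count)                    # {1: 1, 2: 2}, as on the slide
    t.assign("ptr3", None, "example.c:15")    # last pointer to block 1 lost: leak reported here
    t.free("ptr2")                            # block 2 released normally ...
    t.assign("ptr2", None, "example.c:17")
    t.assign("ptr4", None, "example.c:18")    # ... so dropping its pointers is not a leak
    return counts, t.leaks
```

The reported tuple names the allocation site and the statement that overwrote the last pointer, which is the pair of locations the Leakpoint report on the later slides prints as "allocated" and "was leaked".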
  • 26-29. Detecting leaks is easy; fixing them is, too. Line 46 of addhash() allocates hptr->hname, but delHtab() frees only the HASHBOX nodes:

        delHtab() {
    15.     int i;
    16.     HASHPTR hptr , zapptr;
    17.     for(i = 0; i < 3001; i++) {
    18.         hptr = hashtab[i];
    19.         if(hptr != (HASHPTR) NULL) {
    20.             zapptr = hptr ;
    21.             while(hptr->hnext != (HASHPTR) NULL) {
    22.                 hptr = hptr->hnext;
    23.                 free(zapptr);
    24.                 zapptr = hptr ;
    25.             }
    26.             free(hptr);
    27.         }
    28.     }
    29.     free(hashtab);
    30.     return;
        }

    Fix: add free(hptr->hname), releasing each node's name string before the node itself is freed.
  • 31-33. Leakpoint implementation. Example report:

        Pointer to memory area 0x1C93AC0 (16 bytes) allocated:
          at malloc
          by addhash (hash.c:50)
          by parser (parser.c:210)
          by readcell (parser.c:34)
          by main (main.c:98)
        was leaked:
          at free
          by delHtab (hash.c:28)
          by grdcell (grdcell.c:354)
          by main (main.c:227)
  • 36-37. Evaluation: Transmission. Locations identified by Leakpoint correspond to where the leaks were fixed by developers. Also found thousands of leaks in the SPEC INT benchmarks.
  • 38. Transmission code around one reported leak: the hash buffer allocated in invokeRequest() is handed to the web callback as user data, and the tr_free(torrent_hash) in the onStoppedResponse() callback is commented out:

        static void processCompletedTasks(tr_web *web) {
            ...
            task->done_func(web->session, ..., task->done_func_user_data);
            ...
            evbuffer_free(task->response);
            tr_free(task->url);
            tr_free(task);
            ...
        }

        static void invokeRequest(void * vreq) {
            ...
            hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH);
            memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH);
            tr_webRun(req->session, req->url, req->done_func, hash);
            ...
        }

        static void onStoppedResponse(tr_session *session, ..., void *torrent_hash) {
            dbgmsg(NULL, "got a response ... message");
            // tr_free(torrent_hash);
            onReqDone(session);
        }
  • 39. Overhead: powerful but expensive; 50 - 100x overheads are common.
    • Execution time is completely automated
    • Developers have to think less