
Detecting Overflow By Combining Tracking Data Flow And Identifying Library Function

Posted on: 2012-10-17
Degree: Master
Type: Thesis
Country: China
Candidate: K Zhou
Full Text: PDF
GTID: 2178330338484221
Subject: Software engineering
Abstract/Summary:
Nowadays computers are used almost everywhere in our lives, and the number of tools for detecting attacks has grown rapidly in recent years, yet the number of attacks has not decreased. When the program source code is available, several techniques and tools can already detect buffer overflows successfully. Since source code is not available in most cases, however, detection techniques have to work on the binary to find malicious behaviors. Moreover, most existing tools can detect only one kind of attack, which restricts their use and makes them less practical. To address these problems, this work introduces and applies binary-based information flow tracking to analyze a program and detect several kinds of attacks. In general, this technique labels input data from unsafe channels as "tainted", and any data derived from tainted data is labeled tainted as well. In this way the behavior of a program can be analyzed and presented. Binary-based information flow tracking follows the malicious data and monitors its behavior in memory; by adding different detection rules, different kinds of attacks can be detected and different kinds of vulnerabilities discovered.

Regular binary-based information flow tracking systems, however, run into a problem when they are applied to detecting malicious behaviors. When an operation produces a value greater than the maximum representable value, the value wraps around and an overflow occurs. Existing systems only consider whether the control flow has been modified and ignore modifications of the data flow, so a detection gap arises. Clearly, modifications of the data flow must be taken into account as well as those of the control flow. In our work we did the following.

Our work presents an effective and practical method to implement information flow tracking. The system is implemented on the binary translation platform DynamoRIO. Function recognition is introduced into information flow tracking to address the problem described above: when a function is called, the function is identified and its behavior is recognized. Function recognition is implemented on top of the information flow tracking system to improve it; in our work, it is the strategy we apply to close the detection gap. Our work thus presents an effective and practical method to enhance information flow tracking with function recognition, and the experimental results demonstrate the effectiveness and practicability of our tool.
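The following Python sketch is an added illustration of the ideas in the abstract; it is not code from the thesis or from DynamoRIO. It runs a constructed instruction trace through a tiny register machine with shadow taint bits and shows four things side by side: taint propagation from an unsafe input, the conventional control-flow rule (tainted indirect jump), the data-flow rule the thesis adds (a tainted arithmetic result that wraps around the machine width), and function recognition, where a call to a known library function is handled by a per-function summary instead of being traced instruction by instruction. The register machine, the `alloc`/`memcpy`/`strlen` summaries, the 32-bit width and the sample traces are all assumptions made for the example.

```python
"""Toy dynamic information flow tracker with function recognition (constructed example)."""
from dataclasses import dataclass

WIDTH_BITS = 32                      # assumed machine width for the wrap-around rule
MASK = (1 << WIDTH_BITS) - 1


@dataclass
class Value:
    v: int
    tainted: bool = False            # shadow bit: derived from an unsafe channel?


class Tracker:
    """Executes a tiny register-machine trace and records taint-based alerts."""

    def __init__(self):
        self.regs = {}               # register name -> Value
        self.bufs = {}               # buffer name -> (size_in_bytes, tainted)
        self.alerts = []             # (rule name, detail) tuples

    def run(self, trace):
        for op, *args in trace:
            getattr(self, "op_" + op)(*args)
        return self.alerts

    # data sources: input from an unsafe channel is tainted at the source
    def op_input(self, dst, imm):
        self.regs[dst] = Value(imm & MASK, True)

    def op_const(self, dst, imm):
        self.regs[dst] = Value(imm & MASK, False)

    # arithmetic: propagate taint and apply the data-flow overflow rule
    def _arith(self, name, dst, a, b, fn):
        x, y = self.regs[a], self.regs[b]
        raw = fn(x.v, y.v)
        tainted = x.tainted or y.tainted
        if tainted and raw > MASK:   # attacker-influenced value wrapped around
            self.alerts.append(("data-flow overflow", f"{name} {a},{b} wrapped from {raw:#x}"))
        self.regs[dst] = Value(raw & MASK, tainted)

    def op_add(self, dst, a, b):
        self._arith("add", dst, a, b, lambda p, q: p + q)

    def op_mul(self, dst, a, b):
        self._arith("mul", dst, a, b, lambda p, q: p * q)

    # the control-flow rule conventional trackers already apply
    def op_jmp(self, reg):
        if self.regs[reg].tainted:
            self.alerts.append(("control-flow hijack", f"indirect jump through tainted {reg}"))

    # function recognition: a recognized call is handled by its summary
    def op_call(self, name, *args):
        summary = SUMMARIES.get(name)
        if summary is None:
            self.alerts.append(("unrecognized call", name))
            return
        summary(self, *args)


def sum_alloc(t, dst_buf, size_reg):
    size = t.regs[size_reg]
    t.bufs[dst_buf] = (size.v, False)
    if size.tainted and size.v == 0:
        t.alerts.append(("suspicious allocation", f"{dst_buf} sized by tainted zero"))


def sum_memcpy(t, dst_buf, src_buf, n_reg):
    n = t.regs[n_reg]
    dst_size, _ = t.bufs[dst_buf]
    _, src_tainted = t.bufs[src_buf]
    if n.v > dst_size:
        kind = "tainted-length buffer overflow" if n.tainted else "buffer overflow"
        t.alerts.append((kind, f"memcpy {n.v} bytes into {dst_buf}[{dst_size}]"))
    t.bufs[dst_buf] = (dst_size, src_tainted or n.tainted)


def sum_strlen(t, dst_reg, buf):
    size, tainted = t.bufs[buf]
    t.regs[dst_reg] = Value(size, tainted)   # a length derived from tainted bytes is tainted


SUMMARIES = {"alloc": sum_alloc, "memcpy": sum_memcpy, "strlen": sum_strlen}


def analyze_wraparound_trace():
    """Constructed trace: a network-supplied length + 1 wraps to 0 before a copy of the full length."""
    t = Tracker()
    t.bufs["netbuf"] = (64, True)              # buffer already filled from the network
    t.run([
        ("input", "r0", 0xFFFFFFFF),           # length field from the unsafe channel
        ("const", "r1", 1),
        ("add", "r2", "r0", "r1"),             # tainted r2 wraps to 0: data-flow rule fires
        ("call", "alloc", "heapbuf", "r2"),    # summary: zero-sized allocation from tainted size
        ("call", "memcpy", "heapbuf", "netbuf", "r0"),  # summary: tainted length exceeds dst
    ])
    return t


def analyze_control_flow_trace():
    """Constructed trace: an indirect jump through an attacker-controlled register."""
    t = Tracker()
    t.run([("input", "r0", 0x41414141), ("jmp", "r0")])
    return t


def analyze_benign_trace():
    """Constructed trace: the same wrap-around on untainted data raises nothing."""
    t = Tracker()
    t.run([("const", "r0", 0xFFFFFFFF), ("const", "r1", 1), ("add", "r2", "r0", "r1")])
    return t


if __name__ == "__main__":
    for fn in (analyze_wraparound_trace, analyze_control_flow_trace, analyze_benign_trace):
        print(fn.__name__, fn().alerts)
```

The benign trace matters for the design: a wrap-around that does not involve tainted data is ordinary modular arithmetic and must not be reported, which is why the data-flow rule is keyed on the shadow bit rather than on the carry alone. The summaries stand in for what the thesis calls function recognition; once a call is identified, its effect on taint and its sanity checks come from the summary, so the tracker never has to follow the library's own instructions.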
Keywords/Search Tags: Dynamic analysis, information flow tracking, function recognition, attack detection