
Research On Taint-Analysis-Oriented Binary Program Analysis And Vulnerability Mining

Posted on: 2016-05-25
Degree: Master
Type: Thesis
Country: China
Candidate: F W Wang
Full Text: PDF
GTID: 2298330467991822
Subject: Information security
Abstract/Summary:
In the field of system and software security, attack and defense methodologies converge in the form of in-depth analysis theories. This thesis takes a data-flow oriented technique, dynamic taint analysis, as the foundation and main line of its research on binary program analysis and vulnerability mining.

As the first step, a multi-taint-tag, assembly-level taint propagation strategy is proposed. Its implementation separates taint-tracking operations from execution through an offline structure, uses memory-mapped files to improve I/O efficiency, processes taint paths during virtual execution playback, and applies parallelization to achieve speedup. On top of that, a methodology is proposed that employs taint analysis to reveal the semantic information of input data and its implicit relation to binary procedures; this is used to measure correlations among data bytes, to segment formats and to infer data types. Furthermore, a novel API in-memory fuzz testing technique is discussed: taint analysis reveals the pragmatic information of the input and locates the routines and instructions that process tainted data, and instrumentation constructs loops around such routines so that the tainted memory values they contain are mutated on each iteration.

According to the experimental results, the taint analysis framework outperforms existing fully-fledged tools by about 60% in speed; for generic file formats, over 85% of fields could be correctly extracted by reverse engineering; and compared with traditional fuzzing, in-memory API fuzzing eliminates the bottleneck of interrupting execution paths and gains a 95% improvement in execution speed.
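As an added illustration of the multi-taint-tag propagation and data-format segmentation the abstract describes (example code written for this page, not the thesis's own framework), the following replays a constructed instruction trace offline, carrying a set of input-byte-offset tags per operand, and groups into fields the bytes that reach a compare instruction together. The trace, addresses and register names are constructed assumptions.

```python
# Added example (not the thesis's framework): offline replay of multi-tag taint
# propagation over a constructed trace, then field segmentation from the tag
# sets that reach compare instructions.
from typing import Dict, FrozenSet, List, Set, Tuple

# Trace entry: (mnemonic, destination, sources); memory operands are listed
# byte-wise ("mem:0x1000"), so a 4-byte load names four input bytes.
Trace = List[Tuple[str, str, List[str]]]
INPUT_BASE, INPUT_LEN = 0x1000, 8   # constructed: 8 input bytes at 0x1000

def constructed_trace() -> Trace:
    m = lambda off: f"mem:{INPUT_BASE + off:#x}"
    return [
        ("mov", "eax", [m(0), m(1), m(2), m(3)]),   # load 4-byte magic
        ("cmp", "", ["eax", "imm"]),                # compare against a constant
        ("movzx", "ecx", [m(4), m(5)]),             # load 2-byte length field
        ("add", "ecx", ["ebx"]),                    # ebx is untainted
        ("cmp", "", ["ecx", "edx"]),                # bounds check on the length
        ("xor", "eax", ["eax"]),                    # idiomatic register zeroing
    ]

def replay_taint(trace: Trace) -> Tuple[Dict[str, Set[int]], List[FrozenSet[int]]]:
    """Each tag is an input byte offset; every operand carries a set of tags."""
    taint: Dict[str, Set[int]] = {f"mem:{INPUT_BASE + i:#x}": {i} for i in range(INPUT_LEN)}
    cmp_hits: List[FrozenSet[int]] = []
    for mnem, dst, srcs in trace:
        src_tags: Set[int] = set().union(*(taint.get(s, set()) for s in srcs))
        if mnem == "cmp":
            if src_tags:                  # a branch depends on these input bytes
                cmp_hits.append(frozenset(src_tags))
        elif mnem == "xor" and srcs == [dst]:
            taint.pop(dst, None)          # xor r,r yields a constant: clear taint
        elif mnem in ("mov", "movzx"):
            taint[dst] = src_tags         # overwrite: dst takes only source tags
        else:                             # add/or/sub/...: merge dst and source tags
            taint[dst] = taint.get(dst, set()) | src_tags
    return taint, cmp_hits

def segment_fields(cmp_hits: List[FrozenSet[int]]) -> List[Tuple[int, ...]]:
    """Bytes that reach one compare together form one field; merge overlaps."""
    groups: List[Set[int]] = []
    for hit in cmp_hits:
        merged, rest = set(hit), []
        for g in groups:
            if g & merged:
                merged |= g
            else:
                rest.append(g)
        groups = rest + [merged]
    return sorted(tuple(sorted(g)) for g in groups)
```

Running `segment_fields(replay_taint(constructed_trace())[1])` yields the two fields `(0, 1, 2, 3)` and `(4, 5)`; bytes 6 and 7 never reach a compare and so remain unclassified.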
Keywords/Search Tags: Binary program analysis, Dynamic taint analysis, Data format reverse engineering, In-memory fuzzing, Data-flow analysis, Control-flow redirection