
Dynamic Symbolic Taint Analysis Of Binary Programs

Posted on: 2016-11-22
Degree: Master
Type: Thesis
Country: China
Candidate: Z X Zhu
Full Text: PDF
GTID: 2308330470457824
Subject: Computer application technology

Abstract/Summary:
Taint analysis is an effective vulnerability detection technique that works directly on binary code. It first marks data arriving from suspicious channels as "tainted", then analyses each instruction as the target program runs and marks any data influenced by tainted data as "tainted" as well, and finally detects program vulnerabilities by checking whether "tainted" data is used illegally. At present the technique still has several problems: 1) the false negative rate is very high; 2) the efficiency is very low; 3) it cannot use program execution information to generate test cases that trigger the vulnerability. Studying how to solve these problems is of real significance.

The main contributions of this thesis are: 1) It proposes the dynamic symbolic taint analysis technique. Taint sources are marked when the program starts running; taint information is then collected according to instruction-level taint propagation, and symbolic risk rules are formulated so that potential vulnerabilities are found by detecting whether the taint information violates a risk rule. 2) It implements an exploit detection system named pintool-DSTA based on the dynamic symbolic taint analysis technique. The system is built on the binary instrumentation platform PIN and can effectively reduce the false negative rate of traditional taint analysis and improve its efficiency. 3) It verifies the accuracy and validity of the system through experiments. The experimental results show that, on the one hand, pintool-DSTA produces correct taint information, function tracking information and risk reports; on the other hand, pintool-DSTA not only handles risk functions and produces risk reports (which libdft cannot), but also finds some vulnerabilities that are not triggered by the test cases.

Dynamic symbolic taint analysis is a symbolic improvement on the taint analysis technique. To detect unsafe behaviour of the target program, it symbolizes the taint information and the risk rules and checks, while the program is running, whether tainted data violates a risk rule. Experimental results show that this idea is more effective than the plain taint analysis technique.
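As an added illustration of the three steps the abstract describes (mark sources, propagate per instruction, check a symbolic risk rule at the sink), the following Python sketch runs a toy tracker over a constructed instruction trace; it is not code from the thesis or from pintool-DSTA, and the instruction format, the `input_len` source label and the memcpy length-operand rule are all hypothetical.

```python
# Hypothetical risk rule: for each risky function, the argument positions
# that must not carry tainted data (here memcpy's length operand, index 2).
RISK_RULES = {"memcpy": (2,)}

def run_trace(trace):
    """Propagate taint over a toy instruction trace.
    Each register holds (value, symbolic expression, set of taint-source labels);
    returns risk reports as (function, arg index, symbolic expr, sorted labels)."""
    regs = {}
    untainted = frozenset()
    def get(r):                          # unknown operands default to untainted 0
        return regs.get(r, (0, "0", untainted))
    report = []
    for insn in trace:
        op, *rest = insn
        if op == "src":                  # taint source: data from a suspicious channel
            dst, label, value = rest
            regs[dst] = (value, label, frozenset({label}))
        elif op == "imm":                # constant: untainted
            dst, value = rest
            regs[dst] = (value, str(value), untainted)
        elif op == "mov":                # copy: taint flows with the data
            dst, src = rest
            regs[dst] = get(src)
        elif op == "add":                # arithmetic: union of operand taints
            dst, a, b = rest
            va, ea, ta = get(a)
            vb, eb, tb = get(b)
            regs[dst] = (va + vb, f"({ea}+{eb})", ta | tb)
        elif op == "call":               # sink: apply the symbolic risk rule
            fn, *args = rest
            for idx in RISK_RULES.get(fn, ()):
                _value, expr, labels = get(args[idx])
                if labels:
                    report.append((fn, idx, expr, sorted(labels)))
    return report

# Constructed trace: a length read from the input channel flows through an
# add and a mov into memcpy's size operand; the constant in r3 does not.
TRACE = [
    ("src", "r0", "input_len", 40),
    ("imm", "r1", 8),
    ("add", "r2", "r0", "r1"),
    ("imm", "r3", 16),
    ("mov", "r4", "r2"),
    ("call", "memcpy", "buf", "r3", "r4"),   # length operand r4 is tainted
    ("call", "memcpy", "buf", "r4", "r3"),   # length operand r3 is clean
]
```

The symbolic expression kept alongside each taint set (`(input_len+8)` in the report) is what lets a rule violation be turned back into a constraint on the input, which is the step plain set-based taint tracking cannot provide.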
Keywords/Search Tags: vulnerability detection, taint analysis, symbolic execution, taint propagating, instrumentation