Constructing a Hybrid Taint Analysis Framework for Diagnosing Attacks on Binary Programs

Many dynamic and static taint analysis techniques have been proposed for discovering security flaws in software. By analyzing information flow at runtime, dynamic taint analysis can locate security flaws precisely; however, it incurs substantial runtime overhead and cannot discover potential threats beyond the executed path. Static taint analysis, by contrast, analyzes program code without executing it, so it incurs no runtime overhead and can cover all of the code, but it is often not accurate enough. In addition, since the source code of most software is hard to acquire, and in practice intruders do not supply the target program's source code, tracking software flaws becomes considerably more complicated. To cope with these issues, this paper proposes HYBit, a novel hybrid framework that integrates dynamic and static taint analysis to diagnose flaws and vulnerabilities in binary programs. In the framework, the source binary is first analyzed by the dynamic taint analyzer. Then, using the runtime information provided by its dynamic counterpart, the static taint analyzer can process the unexecuted part of the target program easily. Furthermore, a taint behavior filtration mechanism is proposed to optimize the performance of the framework. We evaluate the framework from three perspectives: efficiency, coverage, and effectiveness. The results are encouraging.
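The two-stage workflow the abstract describes, as an added illustration that is not HYBit's code: a dynamic taint pass executes a small constructed register-machine program on one concrete input and records the taint state at the entry of every block it reaches; a static pass then propagates those recorded states through the blocks the run never reached and reports sinks the dynamic run could not see. The IR, the sample program, the register names and the per-register boolean taint abstraction are all constructed for this example; the filtration mechanism the abstract mentions is not modelled.

```python
# Constructed toy hybrid taint analysis (not HYBit's code). A program is a
# dict of blocks; each block ends in a terminator (jz / jmp / ret):
#   ("imm", dst, value)      dst = constant        (clears taint)
#   ("input", dst)           dst = external input  (taint source)
#   ("add", dst, a, b)       dst = a + b           (taint is OR of operands)
#   ("jz", reg, then, else)  go to `then` if reg == 0, otherwise `else`
#   ("jmp", label) / ("sink", reg) / ("ret",)   sink = sensitive use of reg
from collections import deque


def _successors(term):
    # slices never raise, so ("ret",) simply yields ()
    return {"jz": term[2:4], "jmp": term[1:2]}.get(term[0], ())


def _transfer(instr, taint):
    """One-instruction taint transfer; returns (new map, reg hitting a sink)."""
    t, op = dict(taint), instr[0]
    if op == "imm":
        t[instr[1]] = False
    elif op == "input":
        t[instr[1]] = True
    elif op == "add":
        t[instr[1]] = t.get(instr[2], False) or t.get(instr[3], False)
    elif op == "sink" and t.get(instr[1], False):
        return t, instr[1]
    return t, None


def dynamic_taint(program, entry, input_values):
    """Run concretely from `entry`, tracking taint beside values. Returns
    (sink hits on the executed path, taint state at entry of each executed block)."""
    regs, taint, inputs = {}, {}, deque(input_values)
    alerts, entry_states, label = [], {}, entry
    for _ in range(10_000):  # step guard for non-terminating constructed input
        seen = entry_states.setdefault(label, {})
        for r, v in taint.items():  # union with earlier visits (loops)
            seen[r] = seen.get(r, False) or v
        for instr in program[label]:
            op = instr[0]
            if op == "imm":
                regs[instr[1]] = instr[2]
            elif op == "input":
                regs[instr[1]] = inputs.popleft()
            elif op == "add":
                regs[instr[1]] = regs[instr[2]] + regs[instr[3]]
            elif op == "jz":
                label = instr[2] if regs[instr[1]] == 0 else instr[3]
                break
            elif op == "jmp":
                label = instr[1]
                break
            elif op == "ret":
                return alerts, entry_states
            taint, hit = _transfer(instr, taint)  # same rules as static pass
            if hit:
                alerts.append((label, hit))
    raise RuntimeError("step limit exceeded")


def static_taint(program, entry_states):
    """Worklist propagation of recorded entry states over the CFG (join is
    per-register OR); reports sink hits only in blocks the run never reached."""
    states = {b: dict(s) for b, s in entry_states.items()}
    work, alerts = deque(entry_states), set()
    while work:
        label = work.popleft()
        t = states[label]
        for instr in program[label]:
            t, hit = _transfer(instr, t)
            if hit and label not in entry_states:
                alerts.add((label, hit))
        for succ in _successors(program[label][-1]):
            old = states.get(succ, {})
            new = {**old, **{r: old.get(r, False) or v for r, v in t.items()}}
            if new != old:
                states[succ] = new
                work.append(succ)
    return sorted(alerts), states


def run_hybrid(program, entry, input_values):
    dyn_alerts, entry_states = dynamic_taint(program, entry, input_values)
    stat_alerts, _ = static_taint(program, entry_states)
    return {"dynamic_alerts": dyn_alerts, "static_alerts": stat_alerts,
            "executed": sorted(entry_states),
            "unexecuted": sorted(set(program) - set(entry_states))}


# Constructed sample: r0 is external input; only the `slow` path sinks it (via r2).
SAMPLE = {
    "entry": [("input", "r0"), ("imm", "r1", 0), ("jz", "r0", "fast", "slow")],
    "fast": [("sink", "r1"), ("jmp", "done")],
    "slow": [("add", "r2", "r0", "r1"), ("sink", "r2"), ("jmp", "done")],
    "done": [("sink", "r1"), ("ret",)],
}

if __name__ == "__main__":
    print(run_hybrid(SAMPLE, "entry", [0]))  # dynamic misses `slow`; static finds it
    print(run_hybrid(SAMPLE, "entry", [7]))  # dynamic hits `slow`; `fast` is clean
```

With input 0 the concrete run takes `fast` and the dynamic pass reports nothing, but the recorded state at `entry` (r0 tainted, r1 clean) lets the static pass derive that `slow` sinks tainted data; with input 7 the roles reverse and the static pass correctly reports nothing for the unexecuted `fast` block. The same transfer function serves both passes, which is what keeps the static over-approximation consistent with the dynamic facts it is seeded with.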
