All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask)

Schwartz, Edward J.; Avgerinos, Thanassis; Brumley, David

doi:10.1109/sp.2010.26

Cited by 547 publications

(298 citation statements)

References 48 publications

Supporting

Mentioning

275

Contrasting

Unclassified

Order By: Relevance

“…In particular, we explore innovative techniques to improve automated test input generation approaches [29], [121] to strengthen structural coverage testing, which has long been advocated by the software industry to assess test adequacy [20], [56], [117], [132] but is still limited, even with the recent development of advanced techniques [105], [128], [138], [142]. We then enhance security vulnerability detection techniques [64], [93] by integrating static and dynamic program analysis techniques to actively search for security vulnerability defects.…”

Section: Motivationmentioning

confidence: 99%

Goal-oriented dynamic test generation

Khoo

Fong

et al. 2015

Information and Software Technology

View full text Add to dashboard Cite

Section: Motivationmentioning

confidence: 99%

Goal-oriented dynamic test generation

Khoo

Fong

et al. 2015

Information and Software Technology

View full text Add to dashboard Cite

“…To trace the information flow between buffers, our system primarily uses a specialized form of dynamic taint analysis [23,24]. We introduce a fresh taint mark for each buffer as a possible source for information flow.…”

Section: Information Flowmentioning

confidence: 99%

HI-CFG: Construction by Binary Analysis and Application to Attack Polymorphism

Caselden

Bazhanyuk²,

Payer

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Security analysis often requires understanding both the control and data-flow structure of a binary. We introduce a new program representation, a hybrid information-and control-flow graph (HI-CFG), and give algorithms to infer it from an instruction-level trace. As an application, we consider the task of generalizing an attack against a program whose inputs undergo complex transformations before reaching a vulnerability. We apply the HI-CFG to find the parts of the program that implement each transformation, and then generate new attack inputs under a user-specified combination of transformations. Structural knowledge allows our approach to scale to applications that are infeasible with monolithic symbolic execution. Such attack polymorphism shows the insufficiency of any filter that does not support all the same transformations as the vulnerable application. In case studies, we show this attack capability against a PDF viewer and a word processor.

show abstract

“…Thus, to automatically capture the semantic meanings of functions without the source code is an even harder problem. One way of learning the semantic relations between arguments is to use taint analysis [22]. Since the semantics of different set of function calls vary a lot, the detailed method of carrying out taint analysis needs to be customized accordingly.…”

Section: Model Refinementmentioning

confidence: 99%

On Detection of Erratic Arguments

Han

Yan

Deng

et al. 2012

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Abstract. Due to the erratic nature, the value of a function argument in one normal program execution could become illegal in another normal execution context. Attacks utilizing such erratic arguments are able to evade detections as fine-grained context information is unavailable in many existing detection schemes. In order to obtain such fine-grained context information, a precise model on the internal program states has to be built, which is impractical especially monitoring a closed source program alone. In this paper, we propose an intrusion detection scheme which builds on two diverse programs providing semantically-close functionality. Our model learns underlying semantic correlation of the argument values in these programs, and consequently gains more accurate context information compared to existing schemes. Through experiments, we show that such context information is effective in detecting attacks which manipulate erratic arguments with comparable false positive rates.

show abstract

All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask)

Cited by 547 publications

References 48 publications

Goal-oriented dynamic test generation

Goal-oriented dynamic test generation

HI-CFG: Construction by Binary Analysis and Application to Attack Polymorphism

On Detection of Erratic Arguments

Contact Info

Product

Resources

About