Platform-Independent Dynamic Taint Analysis for JavaScript

Karim, Rezwana; Tip, Frank; Sochurkova, Alena; Sen, Koushik

doi:10.1109/tse.2018.2878020

Cited by 39 publications

(27 citation statements)

References 30 publications

(47 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Code-based taint analysis tools [19], [22]- [24] often fail to analyze source code for commercial reasons, and only binary code analysis is possible. The main practice is to insert taint tracking codes in the binary code to get taint propagation information when the program is running.…”

Section: Related Workmentioning

confidence: 99%

A Dynamic Taint Analysis Framework Based on Entity Equipment

Ren¹,

Dong²,

Lin³

et al. 2019

IEEE Access

View full text Add to dashboard Cite

With the development of the Internet of Things, the security of embedded device has received extensive attention. Taint analysis technology can improve the understanding of the firmware program operating mechanism and improve the effectiveness of security analysis. It is an important method in security analysis. Traditional taint analysis of embedded device firmware requires complex pre-preparation work, setting up a virtual operating environment. Those security analysts have to invest a lot of time and effort in this work, and the results are usually unsatisfactory. In this paper, we propose a dynamic taint analysis method based on entity equipment. The core idea of our approach is to divide the taint analysis into two parts: the simulation analysis on the host and the real execution on the entity equipment. Since one of the features of our method is based on entity equipment, there is no need to build a dedicated virtual environment. Another feature is that the tested firmware program runs on entity equipment and can ensure the accuracy of the analysis by comparing the results of the taint analysis with the device firmware run-time information. We implement a prototype system and verified the effectiveness of the method, which can perform taint analysis on multiple architecture embedded firmware programs and detect vulnerabilities such as stack overflow, heap overflow and so on. Finally, we verify our prototype with a test case to effectively detect vulnerabilities in the firmware program. And we evaluate the performance of the prototype, compared with PANDA, the time overhead of our prototype is reduced by 5.9%.INDEX TERMS Embedded firmware, dynamic taint analysis, cross-debugging. I. INTRODUCE

show abstract

Section: Related Workmentioning

confidence: 99%

A Dynamic Taint Analysis Framework Based on Entity Equipment

Ren¹,

Dong²,

Lin³

et al. 2019

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Language-specific dynamic taint analysis systems typically treat data flow outside of the targeted programming language as a black box. For example, for language-embeddings such as node.js, the instrumentation typically only supports the dynamic language code [35,58]. Some of these systems, e.g.…”

Section: Related Workmentioning

confidence: 99%

“…While this approach can be applied to languages like C that are compiled anyway, it is unpractical for interpreted high-level languages as it prevents more high-level language-specific instrumentation. Taint analysis applications for higher-level languages may instead determine the data flow effects behind a language boundary from an externally supplied specification [33,35]. However, especially for larger libraries such specifications are tedious to maintain and are not guaranteed to reflect the actually executed code.…”

Section: Introductionmentioning

confidence: 99%

Multi-language dynamic taint analysis in a polyglot virtual machine

Kreindl¹,

Bonetta

Leopoldseder³

et al. 2020

Proceedings of the 17th International Conference on Managed Programming Languages and Runtimes

View full text Add to dashboard Cite

Dynamic taint analysis is a popular program analysis technique in which sensitive data is marked as tainted and the propagation of tainted data is tracked in order to determine whether that data reaches critical program locations. This analysis technique has been successfully applied to software vulnerability detection, malware analysis, testing and debugging, and many other fields. However, existing approaches of dynamic taint analysis are either languagespecific or they target native code. Neither is suitable for analyzing applications in which high-level dynamic languages such as JavaScript and low-level languages such as C interact. In these approaches, the language boundary forms an opaque barrier that prevents a sound analysis of data flow in the other language and can thus lead to the analysis being evaded.In this paper we introduce TruffleTaint, a platform for multilanguage dynamic taint analysis that uses language-independent techniques for propagating taint labels to overcome the language boundary but still allows for language-specific taint propagation rules. Based on the Truffle framework for implementing runtimes for programming languages, TruffleTaint supports propagating taint in and between a selection of dynamic and low-level programming languages and can be easily extended to support additional languages. We demonstrate TruffleTaint's propagation capabilities and evaluate its performance using several benchmarks from the Computer Language Benchmarks Game, which we implemented as combinations of C, JavaScript and Python code and which we adapted to propagate taint in various scenarios of language interaction. Our evaluation shows that TruffleTaint causes low to zero slowdown when no taint is introduced, rivaling state-of-the-art dynamic taint analysis platforms, and only up to ∼40x slowdown when taint is introduced.

show abstract

“…Understanding dependencies between program elements is a fundamental task in software engineering [1], [2]. It provides a basis for many software engineering tasks including program comprehension [3], software testing [4], maintenance [5], [6], refactoring [7], security [8], and debugging [9]. The traditional static approach based on dependence graphs [10] has been widely adopted but suffers from issues such as its inability to handle multi-lingual systems (combining analyses for multiple languages is too complicated) and limited scalability (partial analysis of a large system is not viable using static approaches that require whole-program analyses).…”

Section: Introductionmentioning

confidence: 99%

MOAD: Modeling Observation-Based Approximate Dependency

Lee

Binkley

Feldt

et al. 2019

2019 19th International Working Conference on Source Code Analysis and Manipulation (SCAM)

View full text Add to dashboard Cite

While dependency analysis is foundational to many applications of program analysis, the static nature of many existing techniques presents challenges such as limited scalability and inability to cope with multilingual systems. We present a novel dependency analysis technique that aims to approximate program dependency from a relatively small number of perturbed executions. Our technique, called MOAD (Modeling Observation-based Approximate Dependency), reformulates program dependency as the likelihood that one program element is dependent on another, instead of a more classical Boolean relationship. MOAD generates a set of program variants by deleting parts of the source code, and executes them while observing the impacts of the deletions on various program points. From these observations, MOAD infers a model of program dependency that captures the dependency relationship between the modification and observation points. While MOAD is a purely dynamic dependency analysis technique similar to Observation Based Slicing (ORBS), it does not require iterative deletions. Rather, MOAD makes a much smaller number of multiple, independent observations in parallel and infers dependency relationships for multiple program elements simultaneously, significantly reducing the cost of dynamic dependency analysis. We evaluate MOAD by instantiating program slices from the obtained probabilistic dependency model. Compared to ORBS, MOAD's model construction requires only 18.7% of the observations used by ORBS, while its slices are only 16% larger than the corresponding ORBS slice, on average.

show abstract

Platform-Independent Dynamic Taint Analysis for JavaScript

Cited by 39 publications

References 30 publications

A Dynamic Taint Analysis Framework Based on Entity Equipment

A Dynamic Taint Analysis Framework Based on Entity Equipment

Multi-language dynamic taint analysis in a polyglot virtual machine

MOAD: Modeling Observation-Based Approximate Dependency

Contact Info

Product

Resources

About