All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask)
Citations
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones
SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis
Symbolic execution for software testing: three decades later
Unleashing Mayhem on Binary Code
References
KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs
The program dependence graph and its use in optimization
DART: directed automated random testing
Language-based information-flow security
Related Papers (5)
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software
Frequently Asked Questions (8)
Q2. Why did binary instrumentation techniques become so popular?
Due to the high overhead of binary instrumentation techniques, more efficient compiler-based [42, 64] and hardware-based [25, 26, 59, 60] approaches were later proposed.
Q3. What are the advantages of a concolic-based approach?
The central advantages of a concolic-based approach are that it is simple, easy to implement, and sidesteps the problem of reasoning about how a program interacts with its environment.
Q4. Why does dynamic analysis not compute control dependencies?
The reason is simple: reasoning about control dependencies requires reasoning about multiple paths, and dynamic analysis executes on a single path at a time.
Q5. What is the context used to store function-local variables?
Note that several new contexts were introduced to support functions, including a stack context (λ) to store return addresses, a scope context (ζ) to store function-local variable contexts, and a map from function names to addresses (φ).
Q6. What are the execution contexts of a language?
The execution context is described by five parameters: the list of program statements (Σ), the current memory state (µ), the current value for variables (∆), the program counter (pc), and the current statement (ι).
Q7. What is the problem of taint spread?
This leads to the problem of taint spread: as the program executes, more and more values become tainted, often with less and less taint precision.
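The taint-spread effect in Q7, as an added illustration that is not the paper's code: a minimal dynamic taint tracker over a SimpIL-style straight-line program using the paper's variable context (∆) and memory context (µ). The taint policy (input is tainted, a binary operation is tainted if either operand is, a tainted address taints a load or store) and the sample program are my own constructed assumptions; the point is that a single tainted input taints three later values whose concrete results never depend on it.

```python
from dataclasses import dataclass, field

@dataclass
class State:
    delta: dict = field(default_factory=dict)  # variable -> (value, taint): the paper's Delta
    mu: dict = field(default_factory=dict)     # address  -> (value, taint): the paper's mu

def eval_expr(e, st):
    kind = e[0]
    if kind == "const":
        return (e[1], False)
    if kind == "var":
        return st.delta[e[1]]
    if kind == "input":                        # policy: anything read from input is tainted
        return (e[1], True)
    if kind == "binop":                        # policy: result tainted if either operand is
        a, ta = eval_expr(e[2], st)
        b, tb = eval_expr(e[3], st)
        ops = {"+": a + b, "*": a * b, "^": a ^ b}
        return (ops[e[1]], ta or tb)
    if kind == "load":                         # policy: a tainted address taints the loaded value
        addr, taddr = eval_expr(e[1], st)
        v, tv = st.mu.get(addr, (0, False))
        return (v, tv or taddr)
    raise ValueError(f"unknown expression kind {kind}")

def run(stmts, st=None):
    """Execute straight-line statements, updating Delta and mu with taint bits."""
    st = st or State()
    for s in stmts:
        if s[0] == "assign":
            st.delta[s[1]] = eval_expr(s[2], st)
        elif s[0] == "store":
            addr, taddr = eval_expr(s[1], st)
            v, tv = eval_expr(s[2], st)
            st.mu[addr] = (v, tv or taddr)
    return st

def tainted_vars(st):
    return sorted(name for name, (_, t) in st.delta.items() if t)

# Constructed sample program: x is the only input; y, z and w are constant in value but get tainted.
PROGRAM = [
    ("assign", "x", ("input", 7)),
    ("assign", "y", ("binop", "^", ("var", "x"), ("var", "x"))),   # always 0, still tainted
    ("store", ("const", 100), ("const", 42)),                       # untainted table entry
    ("assign", "z", ("load", ("binop", "+", ("const", 100),
                              ("binop", "*", ("var", "y"), ("const", 0))))),  # address is always 100
    ("assign", "w", ("binop", "+", ("var", "z"), ("const", 1))),
]
```

Running `tainted_vars(run(PROGRAM))` returns all four variables even though only x carries information from the input; that growing set with shrinking precision is the taint spread the paper describes.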
Q8. What are the three standard ways to handle symbolic jumps?
Three standard ways to handle symbolic jumps are: 1) Use concrete and symbolic (concolic) analysis [57] to run the program and observe an indirect jump target.