Taint Analysis


Effective Information Control Flow via Function Summarization
Earlence Fernandes, Ajit Aluri, Nirav Mehta

In the next few minutes …
O Introduction
O Motivation
O Goals of the project
O Implementation
O Performance evaluation
O Conclusion

Introduction
O Dynamic Taint Analysis
O What is DTA?
O Tracking flow of sensitive data

    a = system_IMEI_number;         /* sensitive data */
    . . . .
    send(sockfd, a, len, flags);    /* sensitive data leaked over the network */

Taint Policy
O Taint propagation policies
O Taint rules: source, sink, propagation
O OR-ing the taint values of the operands:
  - A = B, C, D, ...
  - Taint_A = Taint_B ∨ Taint_C ∨ Taint_D ∨ ...

Motivation
O Challenges with dynamic taint analysis
  - Analysis increases code size and execution time, making it unaffordable on smartphones (limited resources).
  - Unnecessary/extraneous taint propagation can be avoided.

Goals of the project
O Fine-grained LLVM instrumentation pass
  - element-level granularity for arrays, and instruction-level granularity for function
O Shunting mechanism to improve performance
O Erasing function
O Performance evaluation on real world examples
O Improvement in performance.

Implementation
O Taint instructions storing a 1-bit boolean for every program variable.
O Enforce instruction policies using LLVM's InstVisitor

Processing Arrays
O Create a 1-bit array for storing the taints of the elements of the array

[Figure: element a[i] of array a[ ] mapped to Taint_a[i] in a global Boolean Taint_array]

Processing PHI instructions
O Two-pass processing
  - 1st pass: create dummy taint-PHI instructions
  - 2nd pass: set taint values of variables in taintPhi instructions.

[Figure: basic blocks BB 2 and BB 3, with the PHI instructions %1 = phi %2, .. and %2 = phi %1, ..]

    %taint_i.0 = phi [%taint_2, %entry] [%taint_inc1, %for.end]
    %i.0 = phi [%inc, %entry] [%inc1, %for.end]

Processing Function calls
O Correct taint value of the result is returned in the caller function
O Proper taint propagation for arguments passed by reference.
O Taint variables for the n arguments to the function
  - Global 1-bit array for arguments and result
  - Handling pass-by-reference and arrays
O Taint variable for the return value

Shunting Tables
O Sample shunt table and its use

    String s = "abcd";
    bool i;
    . . . .
    i = islower(s);

| Function name | Taint of return value |
|---------------|-----------------------|
| islower( )    | false                 |
| isupper( )    | false                 |
| isalpha( )    | false                 |
| wc()          | false                 |
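
The shunt-table lookup above, worked through in C as an added example (not code from the slides or from the project's LLVM pass). The function names, the taint_ops counter, the string-level islower and the sample taint bits are assumptions made for illustration: a tracked call ORs the per-element taints of s into the return taint, while a shunted call takes the return taint from the table and executes no shadow instructions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for instrumented code; every name here is an assumption. */
static unsigned long taint_ops;          /* shadow instructions executed */
static const struct { const char *name; bool ret_taint; } shunt_table[] = {
    {"islower", false}, {"isupper", false}, {"isalpha", false}, {"wc", false},
};                                       /* rows from the slide */

/* True, with *out set, when fn has a summary in the shunt table. */
static bool shunt_lookup(const char *fn, bool *out) {
    for (size_t i = 0; i < sizeof shunt_table / sizeof shunt_table[0]; i++)
        if (strcmp(shunt_table[i].name, fn) == 0) {
            *out = shunt_table[i].ret_taint;
            return true;
        }
    return false;
}

/* Callee; when taint_s is non-NULL it also runs the shadow OR per element. */
static bool str_islower(const char *s, size_t n, const bool *taint_s, bool *t) {
    bool r = true;
    for (size_t i = 0; i < n; i++) {
        r = r && s[i] >= 'a' && s[i] <= 'z';
        if (taint_s) {
            *t = *t || taint_s[i];       /* OR of operand taints */
            taint_ops++;
        }
    }
    return r;
}

/* Call site: a shunted call takes its return taint from the table. */
static bool call_islower(const char *s, size_t n, const bool *taint_s,
                         bool use_shunt, bool *taint_ret) {
    *taint_ret = false;
    if (use_shunt && shunt_lookup("islower", taint_ret))
        return str_islower(s, n, NULL, taint_ret);   /* no shadow instructions */
    return str_islower(s, n, taint_s, taint_ret);
}

int main(void) {
    bool t, taint_s[4] = {false, false, true, false};   /* constructed */
    for (int shunt = 0; shunt <= 1; shunt++, taint_ops = 0) {
        call_islower("abcd", 4, taint_s, shunt, &t);
        printf("shunt=%d taint=%d ops=%lu\n", shunt, t, taint_ops);
    }
}
```

With the third character marked tainted, the tracked call reports a tainted result after four shadow operations; the shunted call reports the table's false after none.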

Organization of the Pass
O Initialization
  - Populate data structures like maps for shunting tables, seen instruction list
O Iterate Global Variables
  - Create taint-tracking variables for globals
O ArrayDefVisitor
  - Process array definitions
O FunctionDefVisitor
  - Process function definitions
O TainterVisitor
  - Visit every instruction and generate taint tracking logic
O PhiTaintVisitor
  - Process PHI instructions


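Performance Evaluation

O One Time Pad

| Sample Size (kB) | Tainted_Mean (ms) | Shunted_Mean (ms) | Speedup |
|------------------|-------------------|-------------------|---------|
| 2000             | 30.79             | 12.82             | 2.39    |
| 6000             | 64.38             | 13.06             | 5.34    |
| 10000            | 91.86             | 34.54             | 2.75    |
| 14000            | 132.30            | 34.40             | 3.92    |
| 18000            | 156.14            | 35.83             | 4.43    |
| 22000            | 187.80            | 51.59             | 3.73    |

O Enhanced wc

| Loop Count | Tainted_Mean (ms) | Shunted_Mean (ms) | Speedup |
|------------|-------------------|-------------------|---------|
| 1000       | 2126.52           | 539.91            | 3.94    |
| 5000       | 10619.62          | 2671.84           | 3.97    |
| 10000      | 21394.49          | 5329.44           | 4.01    |
| 20000      | 43718.73          | 10666.90          | 4.10    |
| 50000      | 106648.69         | 26735.95          | 3.98    |
| 100000     | 215899.79         | 53402.94          | 4.04    |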

Conclusions
O Advantages of shunting
O Advantages of fine-grained taint propagation for arrays.
O Reasonable increase in code size and compilation time
O Required to cover a large number of instructions while instrumenting taint instructions

Future Work
O Taint Memoization
  - Caching taint values along with input and return values.
O SIMD-ization of Taints
  - Parallelizing taint propagation instructions with normal instructions in a Basic Block.

DEMO

Comments and Questions

Thank You!
