We have implemented the debug breakpoint based trace collection framework in
IDA and integrated it seamlessly with the existing features of IDA. Our experience
shows that the debug breakpoint based approach works well in supporting interactive
trace generation, which typically involves short traces. For lengthy traces and large
interactive sessions, we rely on the traces generated from the more traditional DBI tools
such as PIN, and whole-system emulators such as QEMU.
Compared to the existing tools, the dynamic trace generator in TREE has the following features:
- Interactive tracing: The user can select a starting point and an end point at any time
during the analysis and request the tool to conduct a deeper analysis on a relatively
short trace segment. This feature can be used by security analysts to quickly verify
or refute a hypothesis.
- Kernel tracing: The trace generator in TREE can generate traces on any platform
that supports windbg and gdb server, allowing kernel mode traces to be generated
from both Windows and Linux.
- Mobile tracing: The trace generator in TREE can generate traces on Android/ARM
platforms through IDA's debug agent. IDA supports real devices such as Android
phones and tablets. IDA also supports some versions of iPhone, Windows CE, and
Symbian OS, although these platforms have not been integrated with TREE.
4.2 On-Demand Taint Analysis
Broadly speaking, taint dependencies fall into three categories: data dependency, address dependency, and control dependency.
- Data dependency means that the taint source affects the taint sink through data
movement, mathematical operations, or logical operations. The value of the taint
source often directly affects the value of the taint sink.
- Address dependency means that the taint source affects the taint sink through its
address for read or write, but the taint source does not directly affect the value of
the taint sink. One example of address dependency is the use of tainted data as
the index to access a look-up table. Without tracking the address dependency, we
would lose track of the tainted data after such a table lookup.
- Control dependency is a form of implicit information flow. Although it can happen
in benign programs, it is often more deliberately used by malware. It can be of the
form `if x = 0 then y = 0 else y = 1`. If x is tainted, the value of y is dependent
on x, but there is no direct link between the value of x and the value of y.
In security analysis, it is often challenging to keep track of all three types of dependencies. In the remainder of this section, we will show how TREE can make it easier.
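To make the difference between data and address dependency concrete, the following added example (not TREE's own code) propagates taint over a small linear trace written in a REIL-like form; the instruction subset, the operand encoding and the sample look-up table are assumptions chosen for illustration. It shows that the tainted table index is lost after the load unless address dependency is tracked.

```python
from typing import Dict, List, Set, Tuple

# One REIL-style instruction: (mnemonic, op1, op2, op3). Registers are strings,
# immediates are ints, an unused operand is None. Memory taint is keyed "mem:<addr>".
Instr = Tuple[str, object, object, object]

def propagate(trace: List[Instr], regs: Dict[str, int], mem: Dict[int, int],
              tainted: Set[str], track_address: bool) -> Set[str]:
    """Run a linear REIL-like trace, propagating taint forward.

    Covers data dependency (str/add) and, when track_address is set,
    address dependency (a tainted address taints the value loaded or stored).
    Control dependency is not modelled: the trace is already linear.
    """
    tainted = set(tainted)

    def val(op):                      # concrete value of an operand
        return op if isinstance(op, int) else regs[op]

    def tnt(op):                      # is this operand tainted?
        return isinstance(op, str) and op in tainted

    for mnem, a, b, c in trace:
        if mnem == "str":             # str a, , c   : c = a
            regs[c], t, dst = val(a), tnt(a), c
        elif mnem == "add":           # add a, b, c  : c = a + b
            regs[c], t, dst = val(a) + val(b), tnt(a) or tnt(b), c
        elif mnem == "ldm":           # ldm a, , c   : c = mem[a]
            addr = val(a)
            regs[c] = mem.get(addr, 0)
            t, dst = f"mem:{addr}" in tainted or (track_address and tnt(a)), c
        elif mnem == "stm":           # stm a, , c   : mem[c] = a
            addr = val(c)
            mem[addr] = val(a)
            t, dst = tnt(a) or (track_address and tnt(c)), f"mem:{addr}"
        else:
            raise ValueError(f"unsupported REIL mnemonic {mnem}")
        (tainted.add if t else tainted.discard)(dst)
    return tainted

def table_lookup(track_address: bool) -> Set[str]:
    """The look-up table case from the text: a tainted index selects a table entry."""
    table_base = 0x1000                                   # constructed sample table
    mem = {table_base + i: (i * 7) & 0xFF for i in range(16)}
    regs = {"eax": 3}                                     # eax holds the tainted input
    trace = [
        ("add", "eax", table_base, "t0"),                 # t0 = &table[eax]  (data dep.)
        ("ldm", "t0", None, "t1"),                        # t1 = table[eax]   (address dep.)
        ("stm", "t1", None, 0x2000),                      # mem[0x2000] = t1
    ]
    return propagate(trace, regs, mem, {"eax"}, track_address)
```

With address tracking on, the loaded value `t1` and the stored cell stay tainted; with it off, taint stops at the address register `t0`.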
The main difficulty in taint tracking for the x86 instruction set is to handle the large
number of instructions and their variants, since these native instructions often have complex side effects. REIL provides a unified framework for capturing these side effects,
e.g. by breaking down a native x86 instruction into a sequence of simple REIL instructions. Notice that there are only seventeen REIL instructions. Furthermore, each REIL
instruction has only one effect, making taint tracking easy to implement. Fig. 4 (1)