Fig. 4. TREE Uses REIL IR for Comprehensive Taint Analysis

Fig. 4 shows a comparison of the native x86 instructions and the corresponding REIL instructions. The REIL instructions capture the side effects of the native instructions on eflags, including SF, OF, CF and ZF.
REIL also supports static analysis that can provide hints for dynamic analysis. Such hints are useful for x86 instructions that have embedded conditions or loop structures. For example, cmpxchg compares the value in the AL, AX or EAX register with the destination operand, and depending on the comparison result, different operands may be loaded into the destination operand. Some x86 instructions with a prefix such as rep behave like a loop. Fig. 4 (2) shows the REIL instructions for the x86 instruction rep movsb. Since dynamic analysis can only follow one path at a time, in general it cannot handle the branch and loop dependency. However, a conservative static analysis on the REIL IR can often reveal the branch and loop structure. This is the case for rep movsb, where such analysis can identify ecx as the loop counter. We have incorporated such analysis into our REIL-based dynamic taint analysis.
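As an added illustration (not code from the paper or from TREE), the following toy interpreter runs a hand-written REIL-style translation of rep movsb with byte-level taint propagation; the opcode names follow the public REIL specification, while the temporary registers t0/t1, the loop layout, the step bound and the sample memory contents are assumptions of this example. It shows the point made above: the copied bytes inherit the taint of their source bytes, whereas the loop counter ecx, which only feeds the loop condition, carries no data taint.

```python
# Added example, not TREE's code: toy REIL interpreter; t0/t1 and loop layout are assumed.
def rep_movsb_reil():
    """Assumed REIL translation of `rep movsb` as (opcode, op1, op2, result) tuples.
    ecx is the loop counter; jcc targets are indices into this list (8 = loop exit)."""
    return [
        ("bisz", "ecx", None, "t0"),  # t0 = 1 if ecx == 0 else 0
        ("jcc", "t0", None, 8),       # leave the loop once ecx reaches 0
        ("ldm", "esi", None, "t1"),   # t1 = mem[esi]
        ("stm", "t1", None, "edi"),   # mem[edi] = t1
        ("add", "esi", 1, "esi"),
        ("add", "edi", 1, "edi"),
        ("sub", "ecx", 1, "ecx"),
        ("jcc", 1, None, 0),          # unconditional jump back to the counter check
    ]

def run(prog, regs, mem, reg_taint, mem_taint, max_steps=10000):
    """Execute prog; taint sets move with data (ldm/stm/add/sub/bisz), never across jcc."""
    def val(x): return x if isinstance(x, int) else regs[x]            # literal or register
    def tnt(x): return set() if isinstance(x, int) else reg_taint.get(x, set())
    pc, steps = 0, 0
    while pc < len(prog):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("loop bound exceeded")  # guard for a runaway counter
        op, a, b, c = prog[pc]
        if op == "ldm":
            regs[c], reg_taint[c] = mem[val(a)], set(mem_taint.get(val(a), set()))
        elif op == "stm":
            mem[val(c)], mem_taint[val(c)] = val(a), set(tnt(a))
        elif op in ("add", "sub"):
            r = val(a) + val(b) if op == "add" else val(a) - val(b)
            regs[c], reg_taint[c] = r & 0xFFFFFFFF, tnt(a) | tnt(b)
        elif op == "bisz":
            regs[c], reg_taint[c] = int(val(a) == 0), set(tnt(a))
        elif op == "jcc":
            if val(a) != 0:
                pc = c
                continue
        else:
            raise ValueError(f"unsupported opcode {op}")
        pc += 1
    return regs, mem, reg_taint, mem_taint

def copy_tainted_buffer():
    """Constructed input: 4 bytes at 0x100 (byte 1 tainted 'input:1') copied to 0x200."""
    mem = {0x100 + i: v for i, v in enumerate(b"ABCD")}
    mem.update({0x200 + i: 0 for i in range(4)})
    regs = {"esi": 0x100, "edi": 0x200, "ecx": 4}
    return run(rep_movsb_reil(), regs, mem, {}, {0x101: {"input:1"}})
```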
We use the same example for CBASS symbolic execution to show the major steps
in dynamic taint analysis. Fig. 5 shows the details of this algorithm. After merging the
temporary register nodes, the final taint graph for native instructions is shown in the last
column of this table.
4.3 Replay with Taint-Enabled Breakpoints
In an interactive analysis session, the user may want to scrutinize a particular program behavior repeatedly. TREE provides a replay mechanism to support such analysis. One application is to reconstruct the execution states. Compared with tools such as gdb and IDA, the replay mechanism in TREE is significantly more powerful. For example, it allows the user to break at any tainted point once the user has marked the initial taint source and specified the type of impact (taint policy). This new feature of break by data relation is key to interactive analysis. It essentially allows the user to break at any point that she