is interested, without the need to construct the chain of events mentally. In addition,
TREE can present the chain of events visually within the proper semantic context.
We illustrate the replay process using the same buffer overflow example as in Fig. 2.
When this program runs with a 16-byte input that triggers the StackOverflow function,
the input bytes at offsets 13 to 16 overwrite the EIP bytes. This chain of events can be
tracked by TREE, for which a user-clickable graph is shown in Fig. 6. In this graph, each
node represents a byte, annotated by its transformation instruction and followed by its
edge type. D is the default edge type and stands for data dependency. The first byte of
EIP (id=207) is overwritten by input bytes 13 and 14 (id=13,14) after a few steps.
First, these two bytes are added to form a new byte at memory address 0x14fe1c (id=159).
Then the byte is moved to a local buffer at 0x14fdfc, overflowing the buffer in function
stackOverflow(). When the call to this function returns, the byte at the top of the stack,
at memory address 0x14fdfc (id=196), is popped into the first byte of register EIP (id=207).
For this trivial example, 477 instructions are already logged in the trace, but only 8
unique instructions are involved in the handling of the input bytes. In such cases, the
taint graph allows the user to focus quickly on the most relevant set of instructions.
Fig. 6. Taint Graph and Visualization of Running Example
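The mechanism described above, as an added example that is not code from the TREE/CBASS paper: a byte-level taint graph built over a constructed instruction trace, with one node per byte, each produced byte annotated by the instruction that wrote it and joined to its sources by D (data dependency) edges. A backward slice from the EIP byte then recovers the input bytes and the small set of unique instructions that actually handled them, which is the filtering the paragraph describes. The trace, the addresses, the instruction strings and all node ids other than the input byte numbers are constructed for illustration.

```python
"""Byte-level taint graph and backward slice over a constructed trace (added example)."""
from collections import deque

EDGE_DATA = "D"  # default edge type: data dependency


class TaintGraph:
    """One node per byte; edges point from a byte to the bytes it was computed from."""

    def __init__(self):
        self.nodes = {}   # node id -> (location, producing instruction or None for input)
        self.edges = {}   # node id -> list of (source node id, edge type)
        self._next = 1    # ids start at 1 so input byte k gets id k (constructed convention)

    def new_node(self, location, instruction=None, sources=()):
        nid = self._next
        self._next += 1
        self.nodes[nid] = (location, instruction)
        self.edges[nid] = [(s, EDGE_DATA) for s in sources]
        return nid

    def backward_slice(self, nid):
        """Return (sorted input byte ids, unique instructions in first-seen order) reaching nid."""
        seen, inputs, instrs = set(), set(), []
        queue = deque([nid])
        while queue:
            cur = queue.popleft()
            if cur in seen:
                continue
            seen.add(cur)
            _, instr = self.nodes[cur]
            if instr is None:
                inputs.add(cur)           # an original input byte
            elif instr not in instrs:
                instrs.append(instr)      # count each instruction once
            queue.extend(src for src, _ in self.edges[cur])
        return sorted(inputs), instrs

    def to_dot(self, nid):
        """Render the subgraph reachable from nid as Graphviz DOT text."""
        lines = ["digraph taint {"]
        queue, seen = deque([nid]), set()
        while queue:
            cur = queue.popleft()
            if cur in seen:
                continue
            seen.add(cur)
            loc, instr = self.nodes[cur]
            lines.append(f'  n{cur} [label="{cur}: {loc}\\n{instr or "input"}"];')
            for src, etype in self.edges[cur]:
                lines.append(f'  n{cur} -> n{src} [label="{etype}"];')
                queue.append(src)
        lines.append("}")
        return "\n".join(lines)


def replay(trace, n_input_bytes):
    """Replay a trace of (instruction, destination, sources) and build the taint graph.

    `live` maps a location (register or memory byte) to the node currently held there.
    A destination written only from untainted sources loses its taint.
    """
    graph, live = TaintGraph(), {}
    for k in range(1, n_input_bytes + 1):
        live[f"input[{k}]"] = graph.new_node(f"input[{k}]")
    logged = 0
    for instr, dest, srcs in trace:
        logged += 1
        tainted = [live[s] for s in srcs if s in live]
        if tainted:
            live[dest] = graph.new_node(dest, instr, tainted)
        else:
            live.pop(dest, None)
    return graph, live, logged


# Constructed trace: two input bytes are added, stored, copied into a stack buffer
# past the saved return address, and popped into the first byte of EIP by `ret`.
TRACE = [
    ("mov ecx, [esp+4]", "reg:ecx", ["mem:0x14fe40"]),      # untainted bookkeeping
    ("mov al, [input+12]", "reg:al", ["input[13]"]),
    ("add al, [input+13]", "reg:al", ["reg:al", "input[14]"]),
    ("mov [0x14fe1c], al", "mem:0x14fe1c", ["reg:al"]),
    ("mov al, [0x14fe1c]", "reg:al", ["mem:0x14fe1c"]),
    ("mov [0x14fdfc], al", "mem:0x14fdfc", ["reg:al"]),     # past the local buffer's end
    ("mov ecx, 0", "reg:ecx", []),
    ("ret", "reg:eip[0]", ["mem:0x14fdfc"]),                # return address byte popped into EIP
] + [("inc ecx", "reg:ecx", ["reg:ecx"])] * 469              # untainted filler instructions


def slice_eip(trace=TRACE, n_input_bytes=16):
    """Convenience wrapper: input byte ids, unique instructions and total logged count."""
    graph, live, logged = replay(trace, n_input_bytes)
    inputs, instrs = graph.backward_slice(live["reg:eip[0]"])
    return inputs, instrs, logged


if __name__ == "__main__":
    inputs, instrs, logged = slice_eip()
    print(f"{logged} instructions logged, {len(instrs)} unique ones reach EIP[0]")
    print("input bytes involved:", inputs)
    for i in instrs:
        print("  ", i)
```

The point of the filler entries is the ratio the paragraph highlights: the trace logs hundreds of instructions, but the slice from the EIP byte keeps only the handful that move or transform tainted data, and `to_dot` on the EIP node gives the same per-byte, per-edge view a user would click through.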
5 Evaluation
We have implemented the proposed cross-platform interactive analysis system using
the client/server architecture. More specifically, CBASS runs as the back-end server,
responding to requests from the front-end. It shares the REIL IR with TREE. TREE
is responsible for handling OS level differences and mapping the analysis results back