6 Related Work

Independently, Heelan and Gianni [19] have explored the idea of supporting manual vulnerability detection in their work called Pinnacle. However, Pinnacle is limited to taint tracking on the x86 instruction set only. In contrast, our system can handle binary code from multiple platforms. Furthermore, our interactive analysis is significantly broader than the scope of Pinnacle, including not only vulnerability analysis but also exploitation analysis and malware analysis. Our system also supports symbolic execution and replay, which Pinnacle does not. Among the offline binary analysis tools, SAGE [1] is the closest to ours. However, SAGE is designed primarily for white-box fuzzing and works only for the x86 instruction set. It does not focus on interactive analysis and does not support multiple platforms.
Since dynamic taint analysis is independent of vulnerability-specific details, it can analyze a broad class of attacks controllable via input. Therefore, it has become a popular technique for detecting attacks such as buffer overflow and control-flow hijacking. However, online taint analysis often has high runtime overhead and requires intrusive code instrumentation. To make taint analysis more efficient for online intrusion detection, Sekar proposed taint inference [20] for web applications by using approximate string matching. Li and Sekar [21] later demonstrated that taint inference could be used to detect buffer-overflow attacks in low-level binary code.
Dytan [2] extended the data-flow based taint tracking to also include control dependency, and developed a framework to support the x86 instruction set. Ganai et al. [22] extended this framework to support multithreaded applications. Predictive dynamic analysis provides a new way of conducting trace-based analysis for multithreaded applications [23]. It can detect not only security vulnerabilities in the observed execution traces, but also security vulnerabilities that may appear in some alternative thread interleavings. Wang and Ganai [24] developed a tool for predicting concurrency failures in the generalized execution traces of x86 executables.
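To make the distinction between data-flow taint tracking and control-dependency taint tracking concrete, here is an added example (not code from Dytan, CBASS or TREE): a tiny interpreter for a three-statement mini-language that carries a taint bit on every value. With `track_control=False` taint only propagates through explicit data flow, so a value copied through a branch condition is lost; with `track_control=True` assignments executed under a tainted condition are tainted too. The mini-language, the program and the input value are constructed for this example, and the interpreter taints only assignments on the branch actually executed, a known imprecision of dynamic control-dependency tracking.

```python
"""Explicit (data-flow) versus control-dependency taint propagation (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Val:
    value: int
    tainted: bool


def evaluate(expr, env):
    """Evaluate an expression tuple; taint propagates through explicit data flow only."""
    kind = expr[0]
    if kind == "const":
        return Val(expr[1], False)
    if kind == "var":
        return env[expr[1]]
    if kind in ("add", "eq"):
        a, b = evaluate(expr[1], env), evaluate(expr[2], env)
        result = a.value + b.value if kind == "add" else int(a.value == b.value)
        return Val(result, a.tainted or b.tainted)
    raise ValueError(f"unknown expression kind {kind!r}")


def _exec(stmts, env, pc_tainted, track_control):
    for stmt in stmts:
        if stmt[0] == "assign":
            _, dst, expr = stmt
            v = evaluate(expr, env)
            # Control dependency: an assignment executed because a tainted condition
            # selected this branch is itself tainted (only when track_control is on).
            env[dst] = Val(v.value, v.tainted or (track_control and pc_tainted))
        elif stmt[0] == "if":
            _, cond, then_body, else_body = stmt
            c = evaluate(cond, env)
            body = then_body if c.value else else_body
            # The "pc taint" is pushed for the duration of the branch; assignments on
            # the branch that was not taken are not tainted by this simplified scheme.
            _exec(body, env, pc_tainted or c.tainted, track_control)
        else:
            raise ValueError(f"unknown statement kind {stmt[0]!r}")


def run(program, env, track_control=False):
    """Execute a program and return the final environment (name -> Val)."""
    env = dict(env)
    _exec(program, env, pc_tainted=False, track_control=track_control)
    return env


# Constructed program: y depends on the input t explicitly; x copies t's value
# through a branch condition only (an implicit flow).
PROGRAM = [
    ("assign", "y", ("add", ("var", "t"), ("const", 2))),
    ("assign", "x", ("const", 0)),
    ("if", ("eq", ("var", "t"), ("const", 1)),
        [("assign", "x", ("const", 1))],
        [("assign", "x", ("const", 0))]),
]
INPUT = {"t": Val(1, True)}   # constructed: t comes from untrusted input


def compare_modes(program=PROGRAM, inputs=INPUT):
    """Return {name: (tainted under data-flow only, tainted with control dependency)}."""
    dataflow = run(program, inputs, track_control=False)
    control = run(program, inputs, track_control=True)
    return {name: (dataflow[name].tainted, control[name].tainted) for name in ("x", "y")}


if __name__ == "__main__":
    for name, (df, cd) in compare_modes().items():
        print(f"{name}: data-flow tainted={df}, with control dependency tainted={cd}")
```

The price of the second mode is over-tainting: any assignment under a tainted condition becomes tainted, including bookkeeping such as counters, which is why control-dependency tracking is usually offered as an option rather than the default.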
Newsome and Song proposed TaintCheck [4], which used dynamic taint analysis for detecting vulnerabilities and for generating vulnerability signatures. TaintCheck was implemented using Valgrind [9]. Portokalidis et al. developed Argos [5] based on QEMU to generate fingerprints for zero-day attacks. However, none of these existing tools supports cross-platform interactive security analysis.
7 Conclusions

We have presented a cross-platform interactive analysis framework, which integrates state-of-the-art dynamic analysis techniques with a mainstream reverse engineering tool to meet the demands of security practice. Our framework, comprising CBASS and TREE, supports interactive analysis through on-demand symbolic execution and taint tracking. It also supports cross-platform analysis, by separating online trace generation from offline trace analysis and by using a reverse engineering intermediate representation. We have implemented the proposed framework and conducted a preliminary experimental evaluation. Our results have demonstrated its effectiveness in identifying root causes of security vulnerabilities in real applications.