Dynamic taint analysis (DTA) has been widely used in security-relevant scenarios that need to track the runtime information flow of programs. Dynamic binary instrumentation (DBI) is a prevalent technique for achieving effective dynamic taint tracking on commodity hardware and systems. However, the significant performance overhead incurred by dynamic taint analysis restricts its usage in production systems. Previous efforts to mitigate the performance penalty fall into two categories: running taint tracking in parallel with program execution, and abstracting the tainting logic to a higher granularity. Both approaches have met with only limited success. In this work, we propose Sdft, an efficient approach that combines the precision of DBI-based instruction-level taint tracking with the efficiency of function-level abstract taint propagation. First, we build library function summaries automatically with reachability analysis on the program dependency graph (PDG) to specify the control and data dependencies between the input parameters, output parameters, and global variables of the target library. Then we derive the taint rules for the target library functions and develop library-function-level taint tracking that is tightly integrated into the state-of-the-art DTA framework Libdft. By applying our approach to the core C library functions of glibc, we report an average 1.58x speedup in tracking performance compared with Libdft64. We also validate the effectiveness of the hybrid taint tracking and its ability to detect real-world vulnerabilities.
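To make the function-level summary idea concrete, the following Python model (an added illustration, not code from the Sdft paper or from Libdft) keeps a byte-granular shadow memory, as an instruction-level tracker would, but applies one taint rule per library call instead of one per instruction. The rules encode the dependencies the abstract describes: memcpy and strcpy carry a pure data dependency from source bytes to destination bytes, strlen's return value has a control dependency on every byte scanned (including the terminator), and memset clears taint because its output depends on no input data. The memory layout, the "net" label, and the request bytes are constructed for the example; the sink check stands in for whatever sensitive argument a tracker would inspect.

```python
"""
Function-level taint summaries on top of byte-level shadow memory.
Added illustration, not code from the Sdft paper or from Libdft. The memory
layout, labels and rule set below are constructed for this example.
"""
from typing import Dict, Set, Tuple

Taint = Set[str]  # labels naming the source(s) a byte depends on


class ShadowMemory:
    """Byte-granular shadow memory: address -> set of taint labels."""

    def __init__(self) -> None:
        self._shadow: Dict[int, Taint] = {}

    def get(self, addr: int) -> Taint:
        return set(self._shadow.get(addr, set()))

    def set(self, addr: int, labels: Taint) -> None:
        if labels:
            self._shadow[addr] = set(labels)
        else:
            self._shadow.pop(addr, None)

    def union(self, addr: int, n: int) -> Taint:
        """Labels reaching any byte in [addr, addr + n)."""
        out: Taint = set()
        for i in range(n):
            out |= self.get(addr + i)
        return out


class Machine:
    """Flat memory plus shadow memory; each library call applies one summary rule."""

    def __init__(self, size: int = 64) -> None:
        self.mem = bytearray(size)
        self.shadow = ShadowMemory()

    # --- taint source: models recv()/read() of untrusted bytes ---------------
    def read_input(self, addr: int, data: bytes, label: str) -> None:
        for i, b in enumerate(data):
            self.mem[addr + i] = b
            self.shadow.set(addr + i, {label})

    # --- function-level summaries (hypothetical rules, one per call) ---------
    def memcpy(self, dst: int, src: int, n: int) -> None:
        """Data dependency: dst[i] depends exactly on src[i]."""
        src_labels = [self.shadow.get(src + i) for i in range(n)]  # snapshot, safe for overlap
        self.mem[dst:dst + n] = self.mem[src:src + n]
        for i, labels in enumerate(src_labels):
            self.shadow.set(dst + i, labels)

    def strlen(self, s: int) -> Tuple[int, Taint]:
        """Control dependency: the count depends on every byte scanned,
        including the terminator that stopped the scan."""
        n = self.mem.index(0, s) - s
        return n, self.shadow.union(s, n + 1)

    def strcpy(self, dst: int, src: int) -> None:
        n, _ = self.strlen(src)
        self.memcpy(dst, src, n + 1)  # terminator is copied with its taint

    def memset(self, dst: int, value: int, n: int) -> None:
        """Constant fill: output bytes depend on no input data, so taint is cleared."""
        for i in range(n):
            self.mem[dst + i] = value
            self.shadow.set(dst + i, set())

    # --- taint sink: what a sensitive argument would observe -----------------
    def sink_labels(self, addr: int, n: int) -> Taint:
        return self.shadow.union(addr, n)


def run_scenario() -> Dict[str, object]:
    """Untrusted request -> strcpy -> strlen -> memset, observed at each step."""
    m = Machine()
    request = b"GET /index.html\x00"      # constructed network input, 16 bytes
    m.read_input(0, request, "net")      # source: bytes 0..15 labelled "net"
    m.strcpy(32, 0)                      # summary propagates taint byte by byte
    length, length_taint = m.strlen(32)  # length is control-dependent on input
    copied_taint = m.sink_labels(32, length)
    m.memset(32, 0, 16)                  # constant overwrite drops the taint
    cleared_taint = m.sink_labels(32, 16)
    return {
        "length": length,
        "length_taint": length_taint,
        "copied_taint": copied_taint,
        "cleared_taint": cleared_taint,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The scenario shows the two properties a hybrid tracker has to preserve when it replaces instrumented instructions with a summary: the per-byte result for the copied buffer must match what byte-level propagation would produce, and derived values such as a string length must inherit the taint of the bytes that determined them, so that a tainted length reaching an allocation or loop bound is still reported.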