Nanjing University: Software Security course teaching resources (PPT lecture slides): Taint Analysis

Resource category: library; document format: PPTX; 54 pages; file size: 1.84 MB

Taint Analysis

Contents
• Pin Tool
  ➢ Introduction
  ➢ Instrumentation granularity
  ➢ Trace instrumentation
  ➢ Example
  ➢ Other important features
• Dynamic Taint Analysis
  ➢ Introduction
  ➢ Classification of taint analysis
  ➢ Taint procedure
  ➢ Taint analysis for security

Pin tools

Instrumentation
• A technique that inserts code into a program to collect run-time information
  ➢ Program analysis: performance profiling, error detection, capture & replay
  ➢ Architectural study: processor and cache simulation, trace collection
• Source-Code Instrumentation
• Static Binary Instrumentation
• Dynamic Binary Instrumentation
  ➢ Instrument code just before it runs (Just In Time - JIT)
    ✓ No need to recompile or re-link
    ✓ Discover code at runtime
    ✓ Handle dynamically-generated code
    ✓ Attach to running processes

Pin Instrumentation Capability
Use Pin APIs to write PinTools that:
• Replace application functions with your own
  ➢ Call the original application function from within your replacement function
• Fully examine any application instruction, and insert a call to your instrumenting function to be executed whenever that instruction executes
  ➢ Pass parameters to your instrumenting function from a large set of supported parameters
    ✓ Register values (including IP), register values by reference (for modification)
    ✓ Memory addresses read/written by the instruction
    ✓ Full register context
    ✓ …
• Track function calls including syscalls and examine/change arguments
• Track application threads
• Intercept signals
• Instrument a process tree
• Many other capabilities...

Modifying Program Behavior
Pin allows you not only to observe but also to change program behavior.
• Ways to change program behavior:
  ➢ Add/delete instructions
  ➢ Change register values
  ➢ Change control flow
  ➢ Change memory values

Pin Invocation
(Slide 7 is a diagram of the launcher and application processes; its text boxes are reproduced here in reading order.)

Command line: pin.exe -t inscount.dll -- gzip.exe input.txt
inscount.dll is a PinTool that counts application instructions executed and prints Count at the end. Output shown: Count 258743109

Launcher process (PIN.EXE: Launcher, Boot Routine + Data: firstAppIp, "inscount.dll"):
• CreateProcess(gzip.exe, input.txt, suspended)
• GetContext(&firstAppIp)
• Inject Pin BootRoutine and Data into application: WriteProcessMemory(BootRoutine, BootData)
• SetContext(BootRoutineIp)
• Resume at BootRoutine

Application process (Application Code and Data, NTDLL.DLL, PINVM.DLL with Decoder, Encoder, Code Cache, System Call Dispatcher, Event Dispatcher and Thread Dispatcher, PIN.LIB, inscount.dll; all running above the Windows kernel). Boot Routine:
• Load PINVM.DLL
• Load inscount.dll and run its main()
• Start PINVM.DLL running (firstAppIp, "inscount.dll")

PINVM.DLL JIT loop, starting at the first application IP:
• Read a Trace from Application Code
• Jit it, adding instrumentation code from inscount.dll
• Encode the jitted trace into the Code Cache
• Execute Jitted code
• Execution of Trace ends: call into PINVM.DLL to Jit the next trace, passing in the app IP of the Trace's target
• Source Trace exit branch is modified to directly branch to Destination Trace

Instrumentation Granularity
• Instruction instrumentation
• Basic block
  ➢ A sequence of instructions terminated at a control-flow changing instruction
  ➢ Single entry, single exit
• Trace instrumentation
  ➢ A sequence of basic blocks terminated at an unconditional control-flow changing instruction
  ➢ Single entry, multiple exits
• Routine instrumentation
• Image instrumentation

Trace
(Slide 9; the jle and jmp targets are drawn as arrows on the slide, so they appear here as placeholders.)

    sub  $0xff,%edx
    cmp  %esi,%edx
    jle  <target>
    mov  $0x1,%edi
    add  $0x10,%eax
    jmp  <target>

1 Trace, 2 BBs, 6 insts
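To make the basic-block and trace definitions concrete, the following is an added C++ example (not from the lecture slides and not Pin's own code) that splits a constructed instruction list into basic blocks and traces under exactly those two rules. The list mirrors the slide's six instructions, so it should yield 1 trace, 2 basic blocks, 6 instructions. The mnemonic classification (isControlFlow, isUnconditional) is a toy assumption standing in for Pin's x86 decoder; a second constructed sequence, fallThroughExample, shows the edge case of code that ends without an unconditional branch, where the open trace is closed at the end of the sequence.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

struct Instruction {
    std::string mnemonic;   // e.g. "sub", "jle", "jmp"
    std::string operands;   // free text, not interpreted here
};

struct BasicBlock {
    std::size_t first;      // index of the first instruction (inclusive)
    std::size_t last;       // index of the terminating instruction (inclusive)
};

struct Trace {
    std::vector<BasicBlock> blocks;
};

struct Summary {
    std::size_t traces;
    std::size_t blocks;
    std::size_t insts;
};

// Toy classifier (assumption, not Pin's decoder): any "j*" mnemonic, call and
// ret change control flow; jmp, call and ret do so unconditionally.
static bool isControlFlow(const std::string& m) {
    return m == "call" || m == "ret" || (!m.empty() && m[0] == 'j');
}
static bool isUnconditional(const std::string& m) {
    return m == "jmp" || m == "call" || m == "ret";
}

// Basic block: single entry, single exit. Each block ends at a control-flow
// changing instruction; a trailing run without one becomes a fall-through block.
std::vector<BasicBlock> splitBasicBlocks(const std::vector<Instruction>& insts) {
    std::vector<BasicBlock> bbs;
    std::size_t start = 0;
    for (std::size_t i = 0; i < insts.size(); ++i) {
        bool lastInst = (i + 1 == insts.size());
        if (isControlFlow(insts[i].mnemonic) || lastInst) {
            bbs.push_back({start, i});
            start = i + 1;
        }
    }
    return bbs;
}

// Trace: single entry, multiple exits. Consecutive basic blocks are grouped until
// one ends in an unconditional control-flow instruction; conditional branches
// such as jle stay inside the trace as side exits.
std::vector<Trace> splitTraces(const std::vector<Instruction>& insts) {
    std::vector<Trace> traces;
    Trace current;
    for (const BasicBlock& bb : splitBasicBlocks(insts)) {
        current.blocks.push_back(bb);
        if (isUnconditional(insts[bb.last].mnemonic)) {
            traces.push_back(current);
            current = Trace{};
        }
    }
    if (!current.blocks.empty()) traces.push_back(current);  // code ended mid-trace
    return traces;
}

Summary summarize(const std::vector<Instruction>& insts) {
    std::vector<Trace> traces = splitTraces(insts);
    std::size_t blocks = 0;
    for (const Trace& t : traces) blocks += t.blocks.size();
    return Summary{traces.size(), blocks, insts.size()};
}

// Constructed input mirroring the slide's trace (branch targets are omitted;
// the split does not need them).
std::vector<Instruction> slideTrace() {
    return {
        {"sub", "$0xff,%edx"}, {"cmp", "%esi,%edx"}, {"jle", ""},
        {"mov", "$0x1,%edi"},  {"add", "$0x10,%eax"}, {"jmp", ""},
    };
}

// Constructed edge case: a conditional branch followed by code that ends
// without any unconditional branch (two blocks, one trace).
std::vector<Instruction> fallThroughExample() {
    return {
        {"mov", "$0x1,%eax"}, {"cmp", "%eax,%ebx"}, {"jne", ""}, {"add", "$0x1,%eax"},
    };
}

int main() {
    Summary s = summarize(slideTrace());
    std::printf("%zu trace(s), %zu BB(s), %zu inst(s)\n", s.traces, s.blocks, s.insts);
    return 0;
}
```

The two splitters are deliberately separate so the side-exit rule is visible: splitBasicBlocks closes a block on every control-flow instruction, while splitTraces only closes a trace on an unconditional one, which is why jle in the slide's sequence ends a basic block but not the trace.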

Example: Instruction Counting Tool

    #include <iostream>
    #include "pin.H"

    UINT64 icount = 0;

    // Execution-time routine: runs every time an instrumented instruction executes
    void docount() { icount++; }

    // Jitting-time routine (Pin callback): called once per instruction as Pin JITs it;
    // inserts a call to docount before the instruction
    void Instruction(INS ins, void *v)
    {
        INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)docount, IARG_END);
    }

    // Called when the application exits
    void Fini(INT32 code, void *v)
    {
        std::cerr << "Count " << icount << std::endl;
    }

    int main(int argc, char *argv[])
    {
        PIN_Init(argc, argv);
        INS_AddInstrumentFunction(Instruction, 0);
        PIN_AddFiniFunction(Fini, 0);
        PIN_StartProgram();   // Never returns
        return 0;
    }


Copyright © 2008-present cucdc.com 高等教育资讯网. All rights reserved.