1 / 9

Progress Report on Taint Tracking and Indirect Control Flow Instrumentation Development

This progress report details advancements made in taint tracking, specifically focusing on adding taint sink checks for indirect control flow transfers, including returns and indirect calls. It also includes taint tag initialization for file input sources. The paper related to this research has been drafted, though further refinements are required. Additionally, significant reading has been done to inform the related work section. The journey of integrating compiler optimizations within taint tracking highlights the unique aspects differing from sandboxing techniques.

sulwyn
Télécharger la présentation

Progress Report on Taint Tracking and Indirect Control Flow Instrumentation Development

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Progress Report Bin Zeng Friday 02/07/2014

  2. Finished • Add the taint sink checking for indirect control flow transfers such as ret, indirect call etc. • Add the taint tag initialization for taint sources such as file input • read function • Wrote the paper • Still some more writing to do

  3. Indirect Call Instrumentation callq *-8(%rbp) leaq-8(%rbp), %rax shrq $3, %rax addq $17592186044416, %rax# 0x100000000000 movq (%rax), %al cmpb $0, %al jne 0 callq *-8(%rbp)

  4. Ret Instruction Instrumentation ret movq%rsp, %rcx shrq $3, %rcx addq $17592186044416, %rcx# 0x100000000000 movq (%rcx), %cl cmpb $0, %cl jne 0 ret

  5. File read instrumentation %92 = load i32* %fd, align 4 %93 = ptrtoint i8** %vbuf.addr to i64 %94 = lshr i64 %93, 3 %95 = add i64 %94, 2147450880 %96 = inttoptr i64 %95 to i8* %97 = load i8* %96 %98 = load i8** %vbuf.addr, align 8 %99 = ptrtoint i64* %count.addr to i64 %100 = lshr i64 %99, 3 %101 = add i64 %100, 2147450880 %102 = inttoptr i64 %101 to i8* %103 = load i8* %102 %104 = load i64* %count.addr, align 8 %ss_sptr_int28 = load i64* @__dtt_stack_pointer %ss_sptr29 = inttoptr i64 %ss_sptr_int28 to i8* %105 = ptrtoint i8* %ss_sptr29 to i64 %106 = sub i64 %105, 4 store i64 %106, i64* @__dtt_stack_pointer %107 = inttoptr i64 %106 to i8* %108 = getelementptr i8* %107, i32 0 store i8 0, i8* %108 %109 = getelementptr i8* %107, i32 1 store i8 %91, i8* %109 %110 = getelementptr i8* %107, i32 2 store i8 %97, i8* %110 %111 = getelementptr i8* %107, i32 3 store i8 %103, i8* %111 %call = call i64 @read(i32 %92, i8* %98, i64 %104) call void @__dtt_taint_read(i8* %98, i64 %call, i32 1)

  6. Compiler optimization on taint tracking

  7. Compiler optimization on taint tracking

  8. Paper Writing • Read lots of papers while I was writing the related work section. • Taint tracking is a different field from sandboxing, CFI etc. • The paper is in good shape

  9. Next Step • Write the paper • Number collection

More Related