Taint-based Dynamic Analysis
CoC Research Day - 9/25/2009
Designed at Apple in California;
assembled at GeorgiaTech
Dynamic Tainting Overview
1. Assign taint marks
2. Propagate taint marks
3. Check taint marks
[Diagram: values A, B and C flow into a result Z; taint marks (1, 2, 3) are assigned to the inputs, propagated along the data flow, and checked at Z.]
Dynamic Tainting Applications
• Attack detection / prevention: prevent stack smashing, SQL injection, buffer overruns, etc.
• Information policy enforcement: ensure classified information does not leave the system
• Testing: coverage metrics, test data generation heuristics, etc.
• Data lifetime: track how long sensitive data remains in an application
• Memory errors: detect illegal memory access, leak detection (the focus of the rest of this talk), etc.
addhash(char hname[]) {
35.   int i;
36.   HASHPTR hptr;
37.   unsigned int hsum = 0;
38.   for(i = 0 ; i < strlen(hname) ; i++) {
39.     hsum += (unsigned int) hname[i];
40.   }
41.   hsum %= 3001;
42.   if((hptr = hashtab[hsum]) == (HASHPTR) NULL) {
43.     hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX));   /* the hash box */
44.     hptr->hnext = (HASHPTR) NULL;
45.     hptr->hnum = ++netctr;
46.     hptr->hname = (char *) malloc((strlen(hname) + 1) * sizeof(char));   /* a separate buffer for the name */
47.     sprintf(hptr->hname , "%s" , hname);
48.     return(1);
49.   } else {
        ...
67.   }
}
Detecting leaks is easy; fixing them is not
Leak Detection Overview
Discover where the last pointer to un-freed memory is lost
1. Assign taint marks: each allocation gets its own colour
2. Propagate taint marks: in general propagation follows standard pointer arithmetic rules
3. Check taint marks: report error if a taint mark's count (# of pointers tainted with this colour) is zero and the memory has not been freed

Statement            Tainted pointers        Count per colour
ptr1 = malloc(...) ➔ ptr1                    colour 1: 1
ptr2 = calloc(...) ➔ ptr2                    colour 1: 1, colour 2: 1
ptr3 = ptr1        ➔ ptr3, ptr1              colour 1: 2, colour 2: 1
ptr1 = NULL        ➔ ptr1 (cleared), ptr3    colour 1: 1, colour 2: 1
ptr4 = ptr2 + 1    ➔ ptr4, ptr2              colour 1: 1, colour 2: 2
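The assign/propagate/check scheme above, as an added example that is not code from the slides or from Leakpoint: a small interpreter that replays the five slide statements (with constructed site labels s1..s5), keeps one reference count per allocation colour, and names the statement at which the last pointer to an un-freed block is lost. It goes one step beyond the slide by continuing the program so that one block is leaked and the other is freed correctly.

```python
from dataclasses import dataclass, field


@dataclass
class Block:
    color: int
    size: int
    alloc_site: str
    freed: bool = False


@dataclass
class TaintState:
    blocks: dict = field(default_factory=dict)   # colour -> Block
    taint: dict = field(default_factory=dict)    # pointer variable -> colour (or None)
    reports: list = field(default_factory=list)
    next_color: int = 1

    def counts(self):
        """Number of pointers currently tainted with each colour."""
        out = {c: 0 for c in self.blocks}
        for c in self.taint.values():
            if c is not None:
                out[c] += 1
        return out

    def retaint(self, var, color, site):
        """Propagate: give `var` a new colour, then Check whether the colour it
        previously carried has just lost its last pointer without a free."""
        old = self.taint.get(var)
        self.taint[var] = color
        if old is None or old == color:
            return
        blk = self.blocks[old]
        if self.counts()[old] == 0 and not blk.freed:
            self.reports.append(
                f"{site}: last pointer to block #{old} "
                f"({blk.size} bytes, allocated at {blk.alloc_site}) lost")


def run(program):
    """Interpret (site, statement) pairs. A statement is a tuple such as
    ('malloc', 'ptr1', 16), ('assign', 'ptr3', 'ptr1'), ('add', 'ptr4', 'ptr2', 1),
    ('null', 'ptr1') or ('free', 'ptr2'). Returns the final TaintState."""
    st = TaintState()
    for site, stmt in program:
        op, *args = stmt
        if op in ("malloc", "calloc"):           # 1. Assign a fresh colour per allocation
            var, size = args
            st.blocks[st.next_color] = Block(st.next_color, size, site)
            st.retaint(var, st.next_color, site)
            st.next_color += 1
        elif op in ("assign", "add"):            # 2. Propagate through copies and pointer arithmetic
            dst, src = args[0], args[1]
            st.retaint(dst, st.taint.get(src), site)
        elif op == "null":                       # overwriting a pointer drops its colour
            st.retaint(args[0], None, site)
        elif op == "free":
            color = st.taint.get(args[0])
            if color is None:
                st.reports.append(f"{site}: free() of a pointer with no taint colour")
            else:
                st.blocks[color].freed = True
        else:
            raise ValueError(f"unknown statement {op!r} at {site}")
    return st


# The five statements from the slide; site labels s1..s5 are constructed.
SLIDE_PROGRAM = [
    ("s1", ("malloc", "ptr1", 16)),
    ("s2", ("calloc", "ptr2", 32)),
    ("s3", ("assign", "ptr3", "ptr1")),
    ("s4", ("null", "ptr1")),
    ("s5", ("add", "ptr4", "ptr2", 1)),
]

# Constructed continuation: ptr3 is the last pointer to block #1, so overwriting
# it is the leak point; block #2 is freed before its pointers go away.
LEAK_PROGRAM = SLIDE_PROGRAM + [
    ("s6", ("null", "ptr3")),
    ("s7", ("free", "ptr2")),
    ("s8", ("null", "ptr2")),
    ("s9", ("null", "ptr4")),
]

if __name__ == "__main__":
    print("counts after the slide's statements:", run(SLIDE_PROGRAM).counts())
    for report in run(LEAK_PROGRAM).reports:
        print(report)
```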
Detecting leaks is easy; fixing them is, too
The leaked block is the name buffer allocated on line 46 of addhash:
46.     hptr->hname = (char *) malloc((strlen(hname) + 1) * sizeof(char));
delHtab frees every HASHBOX but never the hname buffer each box owns:
delHtab() {
15.   int i;
16.   HASHPTR hptr , zapptr;
17.   for(i = 0; i < 3001; i++) {
18.     hptr = hashtab[i];
19.     if(hptr != (HASHPTR) NULL) {
20.       zapptr = hptr ;
21.       while(hptr->hnext != (HASHPTR) NULL) {
22.         hptr = hptr->hnext;
23.         free(zapptr);          /* frees the box; zapptr->hname is lost here */
24.         zapptr = hptr ;
25.       }
26.       free(hptr);              /* frees the last box in the chain; hptr->hname is lost here */
27.     }
28.   }
29.   free(hashtab);
30.   return;
}
Fix: free(hptr->hname) on the box's name buffer before the box itself is freed.
Leakpoint implementation
Pointer to memory area 0x1C93AC0 (16 bytes)
  allocated:
    at malloc
    by addhash (hash.c:50)
    by parser (parser.c:210)
    by readcell (parser.c:34)
    by main (main.c:98)
  was leaked:
    at free
    by delHtab (hash.c:28)
    by grdcell (grdcell.c:354)
    by main (main.c:227)
Evaluation
Transmission: locations identified by Leakpoint correspond to where the leaks were fixed by developers.
Also found thousands of leaks in the SPEC INT benchmarks.
static void processCompletedTasks(tr_web *web) {
    ...
    task->done_func(web->session, ..., task->done_func_user_data);
    ...
    evbuffer_free(task->response);
    tr_free(task->url);
    tr_free(task);            /* the task is freed; task->done_func_user_data is not */
    ...
}
static void invokeRequest(void * vreq) {
    ...
    hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH);                /* allocated here ... */
    memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH);
    tr_webRun(req->session, req->url, req->done_func, hash);   /* ... and handed to the callback as user data */
    ...
}
static void onStoppedResponse(tr_session *session, ..., void *torrent_hash) {
    dbgmsg(NULL, "got a response ... message");
    // tr_free(torrent_hash);   /* without this free, the last pointer to `hash` is lost when the callback returns */
    onReqDone(session);
}
Overhead
Powerful but expensive: 50 - 100x overheads are common
• Execution time is completely automated
• Developers have to think less
Questions?

Automating Google Workspace (GWS) & more with Apps Script
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

Taint-based Dynamic Analysis (CoC Research Day 2009)

  • 1. Taint-based Dynamic Analysis CoC Research Day - 9/25/2009 Designed at Apple in California; assembled at GeorgiaTech
  • 3-8. Dynamic Tainting Overview: 1 Assign taint marks, 2 Propagate taint marks, 3 Check taint marks (figure: inputs A, B and C are assigned taint marks; the marks travel with the data into output Z, where they are checked)
  • 9-15. Dynamic Tainting Applications
    Attack detection / prevention: prevent stack smashing, SQL injection, buffer overruns, etc.
    Information policy enforcement: ensure classified information does not leave the system
    Testing: coverage metrics, test data generation heuristic, etc. ✔/✘
    Data lifetime: track how long sensitive data remains in an application
    Memory errors: detect illegal memory access, leak detection, etc.
  • 16-18. Detecting leaks is easy; fixing them is not

    addhash(char hname[]) {
        int i;
        HASHPTR hptr;
        unsigned int hsum = 0;
        for (i = 0; i < strlen(hname); i++) {
            hsum += (unsigned int) hname[i];
        }
        hsum %= 3001;
        if ((hptr = hashtab[hsum]) == (HASHPTR) NULL) {
            hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX));
            hptr->hnext = (HASHPTR) NULL;
            hptr->hnum = ++netctr;
            /* the per-node string allocated here is the block that leaks */
            hptr->hname = (char *) malloc((strlen(hname) + 1) * sizeof(char));
            sprintf(hptr->hname, "%s", hname);
            return(1);
        } else {
            ...
        }
    }
  • 19-25. Leak Detection Overview: discover where the last pointer to un-freed memory is lost
    Assign taint marks: every allocation gets its own taint mark (color), and the mark carries a count (# of pointers tainted with this color)
    Propagate taint marks: in general propagation follows standard pointer arithmetic rules
      ptr1 = malloc(...) ➔ ptr1 (color 1, count 1)
      ptr2 = calloc(...) ➔ ptr2 (color 2, count 1)
      ptr3 = ptr1 ➔ ptr3, ptr1 (color 1, count 2)
      ptr1 = NULL ➔ ptr1 cleared, ptr3 (color 1, count 1)
      ptr4 = ptr2 + 1 ➔ ptr4, ptr2 (color 2, count 2)
    Check taint marks: report error if taint mark's count is zero and memory has not been freed
  • 26-29. Detecting leaks is easy; fixing them is, too

    delHtab() {
        int i;
        HASHPTR hptr, zapptr;
        for (i = 0; i < 3001; i++) {
            hptr = hashtab[i];
            if (hptr != (HASHPTR) NULL) {
                zapptr = hptr;
                while (hptr->hnext != (HASHPTR) NULL) {
                    hptr = hptr->hnext;
                    free(zapptr);   /* node freed while it still holds the only pointer to its hname */
                    zapptr = hptr;
                }
                free(hptr);
            }
        }
        free(hashtab);
        return;
    }

    The string allocated in addhash (hptr->hname = (char *) malloc((strlen(hname) + 1) * sizeof(char));) is never released: each node is freed while it holds the last pointer to its hname. Fix: free(hptr->hname) before freeing the node.
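A small model of the leak-detection rules above (one colour per allocation, a per-colour count of tainted pointers, propagation that keeps the colour through pointer assignment and arithmetic, and a report when the count reaches zero on un-freed memory), run over the slide's ptr1..ptr4 trace and over the delHtab pattern. This is an added example, not Leakpoint's code; the variable names, site labels and the `inside=` hook that records a pointer stored inside another block are assumptions made for the illustration.

```python
from types import SimpleNamespace

class LeakTracker:
    """Shadow state: a fresh colour per allocation and, per colour, the number of pointers carrying it."""
    def __init__(self):
        self.blocks, self.ptrs, self.reports, self._next = {}, {}, [], 1
    def _drop(self, var, where):             # var stops carrying its colour
        color = self.ptrs.pop(var, None)
        if color is None:
            return
        blk = self.blocks[color]
        blk.refs -= 1
        if blk.refs == 0 and not blk.freed:  # last pointer lost while the block is still allocated
            self.reports.append((blk.site, where))
    def _set(self, var, color):
        if color is not None:
            self.blocks[color].refs += 1
        self.ptrs[var] = color
    def alloc(self, var, where, inside=None):
        """var = malloc/calloc(...); 'inside' (assumed hook) names the pointer to the block holding var."""
        self._drop(var, where)
        color, self._next = self._next, self._next + 1
        self.blocks[color] = SimpleNamespace(site=where, freed=False, refs=0, slots=set())
        self._set(var, color)
        if inside is not None:
            self.blocks[self.ptrs[inside]].slots.add(var)
    def assign(self, dst, src, where):       # dst = src (+ offset); src=None models dst = NULL
        if dst != src:
            color = self.ptrs.get(src)
            self._drop(dst, where)
            self._set(dst, color)
    def free(self, var, where):
        blk = self.blocks[self.ptrs[var]]
        blk.freed = True
        for slot in list(blk.slots):         # pointers stored in the freed block are lost with it
            self._drop(slot, where)

def run_slide_trace():
    """Slide trace, then the delHtab pattern (node freed without freeing its hname). Returns (reports, refs)."""
    t = LeakTracker()
    t.alloc("ptr1", "L1")                   # colour 1, count 1
    t.alloc("ptr2", "L2")                   # colour 2, count 1
    t.assign("ptr3", "ptr1", "L3")          # colour 1, count 2
    t.assign("ptr1", None, "L4")            # ptr1 = NULL: colour 1, count 1
    t.assign("ptr4", "ptr2", "L5")          # ptr4 = ptr2 + 1: colour 2, count 2
    t.assign("ptr3", None, "L6")            # colour 1 count 0, block un-freed -> leak point L6
    t.alloc("hptr", "addhash:node")
    t.alloc("hptr->hname", "addhash:hname", inside="hptr")
    t.free("hptr", "delHtab:free")          # node freed; its hname pointer dies with it -> leak point
    return t.reports, {c: b.refs for c, b in t.blocks.items()}
```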
  • 31-33. Leakpoint implementation: the report names the allocation site and the point where the last pointer was lost

    Pointer to memory area 0x1C93AC0 (16 bytes) allocated:
      at malloc
      by addhash (hash.c:50)
      by parser (parser.c:210)
      by readcell (parser.c:34)
      by main (main.c:98)
    was leaked:
      at free
      by delHtab (hash.c:28)
      by grdcell (grdcell.c:354)
      by main (main.c:227)
  • 36-37. Evaluation: Transmission. Locations identified by Leakpoint correspond to where the leaks were fixed by developers. Also found thousands of leaks in the SPEC INT benchmarks.
  • 38. Transmission leak: the hash passed as done_func user data is never released

    static void processCompletedTasks(tr_web *web) {
        ...
        task->done_func(web->session, ..., task->done_func_user_data);
        ...
        evbuffer_free(task->response);
        tr_free(task->url);
        tr_free(task);      /* the task is released; done_func_user_data is not */
        ...
    }

    static void invokeRequest(void *vreq) {
        ...
        hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH);       /* allocation site */
        memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH);
        tr_webRun(req->session, req->url, req->done_func, hash);
        ...
    }

    static void onStoppedResponse(tr_session *session, ..., void *torrent_hash) {
        dbgmsg(NULL, "got a response ... message");
        // tr_free(torrent_hash);   /* commented out: the last pointer to the hash is lost on return */
        onReqDone(session);
    }
  • 39. Overhead: powerful but expensive
    Execution time: 50 - 100x overheads are common
    In return the analysis is completely automated, and developers have to think less