Dynamic binary analysis (DBA) analyses programs at run-time at the level of machine code.
DBA tools are often implemented using dynamic binary instrumentation (DBI), whereby the analysis code is added to the original code of the client program at run-time. This is convenient for users, as no preparation (such as recompiling or relinking) is needed. Also, it gives 100% instrumentation coverage of user-mode code, without requiring source code.
One interesting group of DBA tools are those that use shadow values. These tools shadow, purely in software, every register and memory value with another value that says something about it. We call these shadow value tools.
Memcheck uses shadow values to track which bit values are undefined (i.e. uninitialised, or derived from undefined values) and can thus detect dangerous uses of undefined values. It is used by thousands of C and C++ programmers, and is probably the most widely-used DBA tool in existence.
TaintCheck tracks which byte values are tainted (i.e. from an untrusted source, or derived from tainted values) and can thus detect dangerous uses of tainted values. TaintTrace and LIFT are similar tools.
McCamant and Ernst’s secret-tracking tool tracks which bit values are secret (e.g. passwords), and determines how much information about secret inputs is revealed by public outputs.
Hobbes tracks each value’s type (determined from operations performed on the value) and can thus detect subsequent operations inappropriate for a value of that type.
DynCompB similarly determines abstract types of byte values, for program comprehension and invariant detection purposes.
Annelid tracks which word values are array pointers, and from this can detect bounds errors.
Redux creates a dynamic dataflow graph, a visualisation of a program’s entire computation; from the graph one can see all the prior operations that contributed to each value’s creation.
In these tools each shadow value records a simple approximation of each value’s history—e.g. one shadow bit per bit, one shadow byte per byte, or one shadow word per word—which the tool uses in a useful way; in four of the above seven cases, the tool detects operations on values that indicate a likely program defect.
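As an added illustration of the shadow-value idea (not code from the paper or from any of the tools named above), here is a toy Memcheck-style tracker: one shadow bit per bit, a set shadow bit meaning "undefined", propagation rules for a few operations, and the check that fires only when an undefined bit reaches a conditional branch. The 16-word memory, the rule set and the scenario are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Each 32-bit value carries a 32-bit shadow; shadow bit = 1 means that
   bit of the value is undefined (Memcheck's V-bit convention). */
typedef struct { uint32_t v; uint32_t undef; } sval;

/* Toy memory of 16 words plus its shadow memory, one shadow bit per bit.
   (Constructed for this example; real tools shadow the whole address space.) */
#define NWORDS 16
static uint32_t mem[NWORDS], mem_undef[NWORDS];

static void alloc_word(unsigned i)          { mem_undef[i] = 0xFFFFFFFFu; } /* fresh heap word */
static sval load_word(unsigned i)           { sval r = { mem[i], mem_undef[i] }; return r; }
static void store_word(unsigned i, sval x)  { mem[i] = x.v; mem_undef[i] = x.undef; }
static sval konst(uint32_t c)               { sval r = { c, 0 }; return r; } /* literal: all defined */

/* Shadow propagation. Copying (load/store) never reports anything; an
   undefined bit only matters once it reaches a decision. */
static sval s_and(sval a, sval b) {
    /* A result bit is defined if either operand has a defined 0 there. */
    uint32_t def0 = (~a.undef & ~a.v) | (~b.undef & ~b.v);
    sval r = { a.v & b.v, (a.undef | b.undef) & ~def0 }; return r;
}
static sval s_or(sval a, sval b) {
    /* A result bit is defined if either operand has a defined 1 there. */
    uint32_t def1 = (~a.undef & a.v) | (~b.undef & b.v);
    sval r = { a.v | b.v, (a.undef | b.undef) & ~def1 }; return r;
}
static sval s_xor(sval a, sval b) {
    sval r = { a.v ^ b.v, a.undef | b.undef }; return r;
}
static sval s_add(sval a, sval b) {
    /* Carries move leftwards, so every bit at or above the lowest undefined
       input bit is treated as undefined ("left smear" of the shadow). */
    uint32_t u = a.undef | b.undef;
    sval r = { a.v + b.v, u | (0u - u) }; return r;
}

/* The check: a conditional branch on a value with any undefined bit is the
   defect Memcheck reports. Returns true if an error would be reported. */
static bool branch_on(sval cond) { return cond.undef != 0; }

/* Scenario: a fresh word is loaded, copied, masked and finally tested. */
static bool demo_reports_error(void) {
    alloc_word(0);
    sval x = load_word(0);               /* fully undefined */
    store_word(1, x);                    /* copying: no report */
    sval flags = s_and(x, konst(0xFF));  /* low byte still undefined */
    return branch_on(flags);             /* reported here */
}
```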