Taint Analysis of Security Code in the KLEE Symbolic Execution Engine
We analyse the security of code by extending the KLEE symbolic execution engine with a tainting mechanism that tracks information flows of data. We consider both simple flows arising from direct assignment operations and (more subtle) indirect flows inferred from the control flow. Our mechanism prevents overtainting by using a region-based static analysis provided by LLVM, the compiler infrastructure on which KLEE runs. We rigorously define taint propagation in a formal LLVM intermediate representation semantics, and show the correctness of our method. We illustrate the mechanism with several examples, showing how we use tainting to prove confidentiality and integrity properties.
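As an added illustration of the two flow kinds the abstract distinguishes (this is example code written for this page, not KLEE's or the authors' implementation): a tiny concrete interpreter over a hand-written three-address IR propagates taint through direct copies and through branch conditions, and drops a condition's taint once execution reaches the merge point of its control region. The merge points in REGIONS are supplied by hand, standing in for the LLVM region analysis the paper relies on; running with scoped=False shows the overtainting that analysis prevents.

```python
# Tiny three-address IR, constructed for this example (not KLEE's or LLVM's IR):
#   ('const', dst, value[, tag])      literal; an optional tag marks a taint source
#   ('copy', dst, src)                direct flow: dst inherits src's taint
#   ('br', cond, then_lbl, else_lbl)  branch; its control region ends at regions[index]
#   ('jmp', lbl) / ('label', lbl)

def run(prog, regions, scoped=True):
    """Run prog concretely, propagating taint sets. `regions` maps each 'br' index to
    the label where its control region merges (hand-supplied here; the paper gets it
    from LLVM's region analysis). scoped=False never drops a condition's taint."""
    labels = {ins[1]: i for i, ins in enumerate(prog) if ins[0] == 'label'}
    val, taint = {}, {}
    pc_stack = []                       # (merge label, taint of the branch condition)
    pc_taint = lambda: set().union(*[t for _, t in pc_stack])
    i = 0
    while i < len(prog):
        ins, op = prog[i], prog[i][0]
        if op == 'label':
            # at the merge point the condition no longer controls execution
            while scoped and pc_stack and pc_stack[-1][0] == ins[1]:
                pc_stack.pop()
        elif op == 'const':
            val[ins[1]], taint[ins[1]] = ins[2], set(ins[3:]) | pc_taint()
        elif op == 'copy':
            val[ins[1]], taint[ins[1]] = val[ins[2]], taint[ins[2]] | pc_taint()
        elif op == 'br':                # indirect flow: remember the condition's taint
            pc_stack.append((regions[i], taint[ins[1]]))
            i = labels[ins[2] if val[ins[1]] else ins[3]]
            continue
        elif op == 'jmp':
            i = labels[ins[1]]
            continue
        i += 1
    return val, taint

# Constructed program: y is set on both sides of a branch on the secret and copied
# to w; z is assigned only after the branch merges and does not depend on the secret.
PROG = [
    ('const', 'key', 1, 'secret'),
    ('const', 'y', 0),
    ('br', 'key', 'then', 'else'),      # index 2; region merges at 'join'
    ('label', 'then'), ('const', 'y', 1), ('jmp', 'join'),
    ('label', 'else'), ('const', 'y', 0), ('jmp', 'join'),
    ('label', 'join'),
    ('copy', 'w', 'y'),                 # direct flow from y
    ('const', 'z', 5),                  # must stay untainted
]
REGIONS = {2: 'join'}
def taints(scoped=True):
    return {v: sorted(t) for v, t in run(PROG, REGIONS, scoped)[1].items()}
```

With region scoping, y and w carry the secret's taint (indirect then direct flow) while z stays clean; without it, z is tainted as well.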