University of Minnesota
Program Analysis for Security

Dynamic taint analysis, part 2

Asia Slowinska and Herbert Bos. “Pointless tainting?: evaluating the practicality of pointer tainting”. In ACM European Conference on Computer Systems (EuroSys), pages 61-74, Nuremberg, Germany, April 2009.
[ACM]

Erik Bosman, Asia Slowinska, and Herbert Bos. “Minemu: The world's fastest taint tracker”. In Recent Advances in Intrusion Detection (RAID), pages 1-20, Menlo Park, CA, USA, September 2011.
[Author's version]

Question: It's relatively rare in the systems-building kind of CS research to see a paper structured around a negative result. After all, just because you failed when you tried to do something doesn't mean that it's impossible. The "pointless tainting" paper is an exception in this regard, since one of its main points is to argue that a particular technique is unlikely to ever be effective. What do you think of the value of a paper like this? Would it be valuable to have more papers like it?

Optional and historic

Larry Wall. perl — Practical Extraction and Report Language, release 3.0 edition, October 1989.
[Local copy]

Perl is the oldest system I know of to use "tainting" as the name for a security mechanism; it appeared in version 3, released on October 18th, 1989. The mechanism is described in the section on "Setuid Scripts" on pages 59-60 of this manual. It started out as a mechanism for preventing injection of shell commands into setuid Unix scripts, a problem closely analogous to the more modern problem of SQL injection in web sites.

Tao Bao, Yunhui Zheng, Zhiqiang Lin, Xiangyu Zhang, and Dongyan Xu. “Strict control dependence and its effect on dynamic information flow analyses”. In International Symposium on Software Testing and Analysis (ISSTA), pages 13-24, Trento, Italy, July 2010.
[ACM]

This paper demonstrates one approach for dealing with the problem of control dependencies (implicit flows) in taint analysis. The brute force alignment technique they use as a point of comparison ("Ideal" in the graphs) is also interesting in its own right.

Min Gyung Kang, Stephen McCamant, Pongsin Poosankam, and Dawn Song. “DTA++: Dynamic taint analysis with targeted control-flow propagation”. In Network and Distributed System Security Symposium (NDSS), pages 269-282, San Diego, CA, USA, February 2011.
[Conference page]

This paper from my previous research group at UC Berkeley takes a related approach to handling control dependencies, using symbolic execution.

Edward J. Schwartz, Thanassis Avgerinos, and David Brumley. “All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask)”. In IEEE Symposium on Security and Privacy “Oakland”, pages 317-331, Oakland, CA, USA, May 2010.
[Author's copy]

This survey paper (to be precise, from a track named "systematization of knowledge") gives an operational-semantics-style presentation of taint analysis, more in the style of a PL paper. You can save the sections on (forward) symbolic execution for next week.

Indrajit Roy, Donald E. Porter, Michael D. Bond, Kathryn S. McKinley, and Emmett Witchel. “Laminar: practical fine-grained decentralized information flow control”. In Programming Language Design and Implementation (PLDI), pages 63-74, Dublin, Ireland, June 2009.
[ACM]

Though it uses the terminology of "information flow," the dynamic techniques used in this system are more like taint analysis than they are like the static systems we'll be reading about later. The purely OS-based systems they mention in the related work are also interesting, though they're out of scope for this course because they don't use any program analysis.