10-14. Dynamic Tainting Applications
Attack detection / prevention
Prevent stack smashing, SQL injection, buffer overruns, etc.
Information policy enforcement
Ensure classified information does not leave the system
Testing
Coverage metrics, test data generation heuristics, etc.
Memory errors
Detect illegal memory access, leak detection, etc.
Data lifetime
Track how long sensitive data remains in an application
19-25. Leak Detection Overview
Discover where the last pointer to un-freed memory is lost
Assign taint marks
Each allocation returns a pointer tainted with a fresh taint mark (a "color"); here malloc gets color 1 and calloc gets color 2.
Propagate taint marks
Assignment copies the mark; in general propagation follows standard pointer arithmetic rules.
Check taint marks
Report an error if a taint mark's count (the number of pointers tainted with this color) is zero and the memory has not been freed.

Statement            Tainted pointers afterwards      # tainted with color 1   # tainted with color 2
ptr1 = malloc(...)   ptr1 (color 1)                   1                        -
ptr2 = calloc(...)   ptr2 (color 2)                   1                        1
ptr3 = ptr1          ptr3, ptr1 (color 1)             2                        1
ptr1 = NULL          ptr3 (color 1); ptr1 untainted   1                        1
ptr4 = ptr2 + 1      ptr4, ptr2 (color 2)             1                        2
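The following is an added example, not code from the slides or from Leakpoint itself: a small shadow-memory simulation of the Assign / Propagate / Check rules above, in C. Every tracked pointer variable carries a taint mark, every allocation owns a fresh color with a count of tainted pointers, and the check runs whenever a pointer is overwritten. It replays the five statements from the slide (no error fires, because ptr3 still holds color 1 after ptr1 = NULL) and then extends the sequence so that both outcomes are visible: losing ptr3 at statement 6 orphans the malloc block and is reported at that statement, while the calloc block is freed before its last pointer is dropped and stays silent. All names (t_malloc, t_assign, t_null, t_free, run_slide_example, leaked_at) and the statement numbers are this example's own conventions.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_ALLOCS 16

/* Shadow record for one heap block; its taint color is (index + 1), 0 means untainted. */
typedef struct {
    char  *base;
    size_t size;
    int    ptr_count;  /* number of tracked pointer variables tainted with this color */
    int    freed;
    int    leaked_at;  /* statement at which the last pointer with this color was lost, 0 if none */
} shadow_t;

static shadow_t shadows[MAX_ALLOCS];
static int nshadows;

/* A tracked pointer variable: the raw pointer and its taint mark. */
typedef struct { char *p; int color; } tptr_t;

/* Check: report when a color's count reaches zero while its block is still allocated. */
static void check_mark(int color, int stmt) {
    if (color == 0) return;
    shadow_t *s = &shadows[color - 1];
    if (s->ptr_count == 0 && !s->freed && s->leaked_at == 0) {
        s->leaked_at = stmt;
        printf("leak: %zu-byte block (color %d) lost at statement %d\n", s->size, color, stmt);
    }
}

/* Overwrite dst: drop its old mark, take the new one, then run the check on the old color.
   Incrementing before checking keeps `p = p` from reporting a false leak. */
static void retarget(tptr_t *dst, char *p, int color, int stmt) {
    int old = dst->color;
    if (old) shadows[old - 1].ptr_count--;
    dst->p = p;
    dst->color = color;
    if (color) shadows[color - 1].ptr_count++;
    check_mark(old, stmt);
}

/* Assign: each allocation gets a fresh color. */
static void t_malloc(tptr_t *dst, size_t n, int stmt) {
    char *p = (nshadows < MAX_ALLOCS) ? malloc(n) : NULL;
    if (!p) { retarget(dst, NULL, 0, stmt); return; }
    shadow_t *s = &shadows[nshadows++];
    s->base = p; s->size = n; s->ptr_count = 0; s->freed = 0; s->leaked_at = 0;
    retarget(dst, p, nshadows, stmt);
}

/* Propagate: `dst = src + offset` copies src's mark (offset 0 is a plain assignment). */
static void t_assign(tptr_t *dst, const tptr_t *src, long offset, int stmt) {
    retarget(dst, src->p ? src->p + offset : NULL, src->color, stmt);
}

/* `dst = NULL` drops the mark; this is the point at which a leak gets reported. */
static void t_null(tptr_t *dst, int stmt) { retarget(dst, NULL, 0, stmt); }

/* free(p): mark the block freed so that losing its last pointer later is not a leak. */
static void t_free(tptr_t *p, int stmt) {
    (void)stmt;
    if (p->color && !shadows[p->color - 1].freed) {
        shadows[p->color - 1].freed = 1;
        free(shadows[p->color - 1].base);
    }
}

/* Release any blocks left over from a previous run so the example can be replayed. */
static void reset(void) {
    for (int i = 0; i < nshadows; i++) if (!shadows[i].freed) free(shadows[i].base);
    nshadows = 0;
}

int leaked_at(int color) {
    return (color >= 1 && color <= nshadows) ? shadows[color - 1].leaked_at : -1;
}

/* Replays the five statements on the slide, then extends the sequence: statement 6 loses the
   last pointer to the malloc block (reported), statements 7-9 free the calloc block first. */
int run_slide_example(void) {
    tptr_t ptr1 = {0, 0}, ptr2 = {0, 0}, ptr3 = {0, 0}, ptr4 = {0, 0};
    reset();
    t_malloc(&ptr1, 16, 1);        /* ptr1 = malloc(...)  color 1: count 1 */
    t_malloc(&ptr2, 32, 2);        /* ptr2 = calloc(...)  color 2: count 1 (calloc on the slide) */
    t_assign(&ptr3, &ptr1, 0, 3);  /* ptr3 = ptr1         color 1: count 2 */
    t_null(&ptr1, 4);              /* ptr1 = NULL         color 1: count 1, no report */
    t_assign(&ptr4, &ptr2, 1, 5);  /* ptr4 = ptr2 + 1     color 2: count 2 */
    t_null(&ptr3, 6);              /* ptr3 = NULL         color 1: count 0, not freed -> leak */
    t_free(&ptr2, 7);              /* free(ptr2)          color 2: block freed */
    t_null(&ptr2, 8);              /* ptr2 = NULL         color 2: count 1 */
    t_null(&ptr4, 9);              /* ptr4 = NULL         color 2: count 0 but freed -> silent */
    int leaks = 0;
    for (int i = 0; i < nshadows; i++) leaks += shadows[i].leaked_at != 0;
    return leaks;
}

int main(void) {
    printf("%d leak(s) reported\n", run_slide_example());
    return 0;
}
```

Note that the simulation tracks marks per pointer variable in a shadow struct rather than in shadow memory for every register and heap word, which is what a real dynamic tainting tool has to do; the counting and checking logic is the same.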
31-33. Leakpoint implementation
The report gives two stack traces: where the block was allocated, and where the last pointer to it was lost.
Pointer to memory area 0x1C93AC0 (16 bytes)
allocated:
at malloc
by addhash (hash.c:50)
by parser (parser.c:210)
by readcell (parser.c:34)
by main (main.c:98)
was leaked:
at free
by delHtab (hash.c:28)
by grdcell (grdcell.c:354)
by main (main.c:227)