DTaint: taint analysis based on DFSan and llvm instrumentation

This project contains propagation-based taint analysis based on llvm DFSan, and inference-based taint analysis Memlog based on llvm Pass, which are used for support memory feedback fuzzing.

DFSan

一個沒有什麼卵用的玩具。
估計原因:外部呼叫跟隱性control flow
最近才發現Greyone中已經有討論過DFSan在實際應用中的效果，跟我實際實作後的結論差不多。由於DFSan是透過編譯階段插樁實現的，對於許多外部呼叫缺乏對應的實作，造成propagation容易在程式執行初期便失去作用。導致這東西變成了無法在real world使用的花架子。

Features

Label Propagation

Each memory byte is binded with a label, which represents the state of this byte(ex. tainted or non tainted).
These labels will be propagated in run time.
DFSan maps a large region of shadow memory to record labels for all memory bytes in target program.

Abilist

Determine how DFSan handles each external function call.
- discard
  - Do nothing, discard return value label.
- functional
  - Do nothing, reserve return value label.
- custom
  - Replace original function call with custom function call.
  - func -> __dfsan_func
  - DFSan already defined some glib functions.
  - This project covers common I/O functions.
  - user-defined.

What I modified

Original
- DFSan only records 2 bytes of label, user needs to define the meaning of label itself(ex. 1 represent tainted, 0 means non tainted).
Modified
- Similiar to Angora, to understand the concept you can refer to Angora.
- Each label is binded with an unique input offset. When we found some instruction's operands is tainted with certain label, we also know which input offset can affect these operands.
- details
  - Change label size from 2 bytes to 4 bytes.
  - Maintain a union table to record mapping between label and input offset.
  - New union operation.
  - Modify DFSan label API ot update new union table.
  - I/O wrapper, especially input, create each input offset, label for each input byte.

Environment

llvm-11
test on Ubuntu 20.04

How to build

Build DFSan, and Memlog passes with following commands.

 cd ~/DTaint
 mkdir build
 cd build
 cmake ..

Option
- -DDTAINT_DEBUG=ON/OFF
  - Output dtaint debug message.
- -DMEMLOG_DEBUG=ON/OFF
  - Output memlog debug message.
- ```
cmake -DMEMLOG_DEBUG=ON ..
```

Use DTaint/Memlog to compile target program

default
- memlog mode
use dtaint mode
- export DTAINT_MODE=1

export CC=build/clang-wrapper
export CXX=build/clang-wrapper++
// default use memlog mode
...
build target
// use dtaint mode
export DTAINT_MODE=1
...
build target

Auto-generated abilist

Auto-generated target_abilist.txt from src/abilist/target in compiler time.
user-defined
- you can use scripts in tools/.
- gen_library_abilist.sh
  - When we want to test library, and harness will need certain abilist for library API. Auto-generated abilist from library .a, .so.
  - usage
    - ./gen_library_abilist.sh [library .a, .so] > [output_file] [option]
    - option
      - functional
      - discard
      - custom
  - Modified from Angora.
- gen_udr_abilist.sh
  - Auto-generate abilist when we encounter undefind reference in compile time.
  - Store the error message manually.
    - make 2> erro_message
  - usage
    - ./gen_udr_abilist.sh [error message file] [output_file]
- Import generaged abilist into project.
  - three ways
    - Move generated abilist to src/abilist manually, and rebuild DFSan.
    - When compiling target program adds compiler option.
      - -mllvm -dtaint-dfsan-abilist=gen_abilist.txt
    - gen_target_abilist.sh
      - Combine all abilist files in choosed directory. Since we have set clang-wrapper to import target_abilist defaultly. Similiar to way 1, we just generate target_abilist without rebuild DFSan.
      - usage - ./gen_target_abilist.sh [input_dir] [output_file]
        
        default output directory
        
        build/lib/share

See the output of DFSan

dump debug info
- DFSan supports a feature to store some information to file.
- export DFSAN_OPTIONS=dump_labels_at_exit=filename

Example

test/hook_test/va_arg_hook1_test.c

#define MAXSIZE 512
...
// read file to buf src[MAXSIZE]
fread(src, 1, MAXSIZE, f);
...

// size is affected by input
size = (unsigned char)src[2] + (unsigned char)src[8];

...
for(int i = 0; i < MAXSIZE; i++) {
  if (i >= MAXSIZE - 2) {
    // pointer index is controllable
    src[size + i] = '8';
  }
}

input
- 2434127653dsasdawqewqqw
when -DDTAINT_DEBUG=ON
output
input offset 2, 8 are tainted.

Use with Fuzzer

本來是設計來搭配AFLplusplus使用，需要的runtime code也已經編進去了，包含shared memory跟forkserver的code，可以透過改過的AFLplusplus用另一個forkserver啟動DFSan插樁的target。
但現在已經是廢棄狀態，AFLplusplus那邊的code也打算廢棄掉了。

Memlog

Inference-based taint analysis需要的插樁code。

Reference

tl455047 / dtaint Goto Github PK

dtaint's Introduction

DTaint: taint analysis based on DFSan and llvm instrumentation

DFSan

Features

Label Propagation

Abilist

What I modified

Environment

How to build

Use DTaint/Memlog to compile target program

Auto-generated abilist

See the output of DFSan

Example

Use with Fuzzer

Memlog

Reference

dtaint's People

Contributors

Stargazers

Watchers

Forkers

dtaint's Issues

Recommend Projects

Recommend Topics

Recommend Org