From: Giovanni F. <gaf...@gm...> - 2008-02-28 16:42:36
I've been reading about propagation of taintedness and information flow. Perhaps you will find this interesting...

I noticed that the Flayer plugin for Valgrind is not capable of detecting implicit taintedness flow, although it does detect some cases by replacing some functions like strlen [1]. With some further research I found out that it is not possible to detect implicit flow in the general case using dynamic binary instrumentation [2].

For example, if y = 0 and is tainted, one cannot detect at run time that x should be tainted in the program below:

    x = 1;
    if(y) x = 0;

However it is possible to do that by instrumenting the whole binary statically [3]. I know that's not what Valgrind was designed for but anyway, I wonder if it would be possible for Valgrind to instrument the whole program without running it (maybe under some hypothesis like that the code does not modify itself etc).

Giovanni

[1] Will Drewry and Tavis Ormandy, Flayer: Exposing Application Internals, page 2.
[2] Andrei Sabelfeld and Andrew Myers, Language-Based Information-Flow Security, page 3.
[3] Dorothy Denning and Peter Denning, Certification of Programs for Secure Information Flow.
From: Nicholas N. <nj...@cs...> - 2008-02-29 09:03:23
On Thu, 28 Feb 2008, Giovanni Funchal wrote:

> I've been reading about propagation of taintedness and information
> flow. Perhaps you will find this interesting...
>
> I noticed that the Flayer plugin for Valgrind is not capable of
> detecting implicit taintedness flow, although it does detect some
> cases by replacing some functions like strlen [1]. With some further
> research I found out that it is not possible to detect implicit flow
> in the general case using dynamic binary instrumentation [2].
>
> For example, if y = 0 and is tainted, one cannot detect at run time
> that x should be tainted in the program below:
>
> x = 1;
> if(y) x = 0;

Yes, my understanding is that it is because dynamically you don't know where the 'else' branch ends and the subsequent code begins.

> However it is possible to do that by instrumenting the whole binary
> statically [3]. I know that's not what Valgrind was designed for but
> anyway, I wonder if it would be possible for Valgrind to instrument the
> whole program without running it (maybe under some hypothesis like
> that the code does not modify itself etc).

This would require very large changes -- I suspect you could create a program that does this, and it could utilise a large chunk of the Valgrind code, but you'd have to write an awful lot of new code to make it work.

Nick
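The implicit-flow case from Giovanni's message, worked through in added code that is not part of the thread or of Valgrind/Flayer: a toy dynamic taint tracker that, like a DBI tool, sees only the executed path and only data dependencies, beside a Denning-style static certification that carries a pc label through both arms of the branch. The statement encoding and the function names are assumptions made for this example.

```python
# Added example (not from the thread): dynamic taint tracking that follows
# only explicit (data) flow, next to a static, Denning-style certification
# that also follows implicit (control) flow, run on the program x = 1; if(y) x = 0;
#
# Toy statements (assumed encoding): ("set", var, rhs) with rhs an int or a
# variable name, and ("if", cond_var, then_block, else_block).
PROGRAM = [
    ("set", "x", 1),
    ("if", "y", [("set", "x", 0)], []),
]


def run_dynamic(prog, env, taint):
    """Execute prog, propagating taint only along data dependencies.
    env: var -> int, taint: var -> bool.  Mutates and returns taint."""
    for stmt in prog:
        if stmt[0] == "set":
            _, var, rhs = stmt
            env[var] = env[rhs] if isinstance(rhs, str) else rhs
            # explicit flow only: a constant carries no taint, the branch
            # condition that led here is not consulted at all
            taint[var] = taint.get(rhs, False) if isinstance(rhs, str) else False
        else:
            _, cond, then_b, else_b = stmt
            # only the taken path is observed; with y == 0 the then-block
            # never runs, so nothing records that x depends on y
            run_dynamic(then_b if env[cond] else else_b, env, taint)
    return taint


def certify_static(prog, taint, pc=False):
    """Denning-style certification without running the program: every
    assignment under a branch on a tainted condition inherits that taint
    (the pc label), both arms are analysed, results are merged by OR."""
    taint = dict(taint)
    for stmt in prog:
        if stmt[0] == "set":
            _, var, rhs = stmt
            data = taint.get(rhs, False) if isinstance(rhs, str) else False
            taint[var] = data or pc
        else:
            _, cond, then_b, else_b = stmt
            pc2 = pc or taint.get(cond, False)
            t1 = certify_static(then_b, taint, pc2)
            t2 = certify_static(else_b, taint, pc2)
            taint = {v: t1.get(v, False) or t2.get(v, False) for v in set(t1) | set(t2)}
    return taint


if __name__ == "__main__":
    print("dynamic:", run_dynamic(PROGRAM, {"y": 0}, {"y": True}).get("x"))  # False
    print("static: ", certify_static(PROGRAM, {"y": True}).get("x"))          # True
```

With y tainted, the dynamic run reports x as clean whether or not the branch is taken (a constant is assigned in both cases), while the static pass reports x as tainted because the assignment sits under a branch on y.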