12. Dynamic taint analysis
Three steps, applied to every value the program computes:
1 Assign taint marks (at the sources of interest)
2 Propagate taint marks (as values are copied and combined)
3 Check taint marks (at the points where a policy must hold)
14. Applications of dynamic tainting
Attack detection / prevention: prevent stack smashing, SQL injection, buffer overruns, etc.
Information policy enforcement: ensure classified information does not leave the system
Testing: coverage metrics, test data generation heuristics, etc.
Data lifetime: track how long sensitive data remain in the application
Memory errors: detect illegal memory access, leak detection, etc.
26. Leakpoint overview
Goal: discover where the last pointer to un-freed memory is lost.
1 Assign taint marks: each allocation (malloc, calloc, ...) returns a pointer carrying a fresh mark.
2 Propagate taint marks: assignment and pointer arithmetic copy the mark from operand to result; in general propagation follows standard pointer arithmetic rules.
3 Check taint marks: report an error if a taint mark's count (the number of pointers currently carrying it) is zero and the memory has not been freed.

Worked sequence from the slide (mark 1 = the block from malloc, mark 2 = the block from calloc):
ptr1 = malloc(...) ➔ ptr1 carries mark 1 (count 1)
ptr2 = calloc(...) ➔ ptr2 carries mark 2 (count 1)
ptr3 = ptr1 ➔ ptr3, ptr1 carry mark 1 (count 2)
ptr1 = NULL ➔ ptr1 loses mark 1; ptr3 still carries it (count 1), so nothing is reported
ptr4 = ptr2 + 1 ➔ ptr4, ptr2 carry mark 2 (count 2)
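The assign / propagate / check structure from the dynamic taint analysis slides, as Leakpoint instantiates it for pointers, can be replayed outside Valgrind. The C program below is an added example written for this page, not Leakpoint's code: it keeps a shadow table of pointer variables and a per-mark carrier count, runs the exact statement sequence from the overview slide, then drops the remaining pointers so the check fires. The slot/mark API (lp_alloc, lp_assign, lp_add, lp_set_null, lp_free) and the statement strings used as "leaked at" sites are assumptions of the example; the real tool tracks every register and memory word at the instruction level and records call stacks instead of labels.

```c
/* Added example (not Leakpoint's code): slot-level simulation of Leakpoint's
 * assign / propagate / check scheme.  Each program variable is a slot in a
 * small shadow table; each tracked allocation is identified by a taint mark. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LP_MAX_MARKS 16
#define LP_MAX_SLOTS 16

typedef struct {
    void       *base;     /* block returned by the allocator */
    size_t      size;
    int         refs;     /* how many slots currently carry this mark */
    int         freed;
    const char *lost_at;  /* statement at which refs hit zero while unfreed */
} lp_alloc_t;

typedef struct {
    void *value;          /* the pointer the program sees */
    int   mark;           /* taint mark; 0 = not derived from a tracked block */
} lp_slot_t;

static lp_alloc_t lp_allocs[LP_MAX_MARKS + 1];   /* index = mark, 0 unused */
static lp_slot_t  lp_slots[LP_MAX_SLOTS];
static int        lp_next_mark = 1;

void lp_reset(void) {
    for (int m = 1; m < lp_next_mark; m++)
        if (!lp_allocs[m].freed) free(lp_allocs[m].base);
    memset(lp_allocs, 0, sizeof lp_allocs);
    memset(lp_slots, 0, sizeof lp_slots);
    lp_next_mark = 1;
}

/* Check step: when a mark's count drops to zero on an unfreed block, the
 * statement that dropped it is where the last pointer was lost. */
static void lp_release(int mark, const char *site) {
    if (mark == 0) return;
    lp_alloc_t *a = &lp_allocs[mark];
    if (--a->refs == 0 && !a->freed && a->lost_at == NULL) a->lost_at = site;
}

/* Overwrite slot dst: the old mark is checked, the new one counted.  A slot
 * rewritten with its own mark (ptr = ptr + 1) must not dip to zero in between. */
static void lp_store(int dst, void *value, int mark, const char *site) {
    if (lp_slots[dst].mark == mark) { lp_slots[dst].value = value; return; }
    lp_release(lp_slots[dst].mark, site);
    lp_slots[dst].value = value;
    lp_slots[dst].mark  = mark;
    if (mark) lp_allocs[mark].refs++;
}

/* Assign step: every allocation gets a fresh mark.  Returns the mark (0 if full). */
int lp_alloc(int dst, size_t size, const char *site) {
    if (lp_next_mark > LP_MAX_MARKS) return 0;
    int m = lp_next_mark++;
    lp_allocs[m].base = calloc(1, size);
    lp_allocs[m].size = size;
    lp_store(dst, lp_allocs[m].base, m, site);
    return m;
}

/* Propagate step: assignment and pointer arithmetic copy the source's mark. */
void lp_assign(int dst, int src, const char *site) {
    lp_store(dst, lp_slots[src].value, lp_slots[src].mark, site);
}
void lp_add(int dst, int src, ptrdiff_t off, const char *site) {
    lp_store(dst, (char *)lp_slots[src].value + off, lp_slots[src].mark, site);
}
void lp_set_null(int dst, const char *site) { lp_store(dst, NULL, 0, site); }

/* free() must see the block's base pointer; returns -1 for an untracked,
 * interior or already-freed pointer, 0 on success. */
int lp_free(int src) {
    int m = lp_slots[src].mark;
    if (m == 0 || lp_allocs[m].freed || lp_slots[src].value != lp_allocs[m].base)
        return -1;
    lp_allocs[m].freed = 1;
    free(lp_allocs[m].base);
    return 0;
}

const char *lp_lost_at(int mark) { return lp_allocs[mark].lost_at; }
int         lp_refs(int mark)    { return lp_allocs[mark].refs; }

/* Replay the slide's sequence, then go past it so the check fires.
 * Returns the number of leaks reported (1: the block behind ptr1/ptr3). */
int lp_demo(void) {
    enum { P1, P2, P3, P4 };
    lp_reset();
    lp_alloc(P1, 16, "ptr1 = malloc(...)");   /* mark 1, count 1 */
    lp_alloc(P2, 16, "ptr2 = calloc(...)");   /* mark 2, count 1 */
    lp_assign(P3, P1, "ptr3 = ptr1");         /* mark 1, count 2 */
    lp_set_null(P1, "ptr1 = NULL");           /* mark 1, count 1: no report */
    lp_add(P4, P2, 1, "ptr4 = ptr2 + 1");     /* mark 2, count 2 */
    /* beyond the slide (assumed continuation): drop the remaining pointers */
    lp_set_null(P3, "ptr3 = NULL");           /* mark 1, count 0, unfreed: leak */
    lp_free(P2);                              /* block 2 freed via its base pointer */
    lp_set_null(P2, "ptr2 = NULL");
    lp_set_null(P4, "ptr4 = NULL");           /* mark 2, count 0 but freed: silent */
    int leaks = 0;
    for (int m = 1; m < lp_next_mark; m++)
        if (lp_lost_at(m)) {
            leaks++;
            printf("Lost pointer to block %d (%zu bytes), leaked at: %s\n",
                   m, lp_allocs[m].size, lp_lost_at(m));
        }
    return leaks;
}
```

Note which statement is reported: not the malloc, and not ptr1 = NULL (mark 1 still has a carrier in ptr3), but ptr3 = NULL, the write that removes the last carrier. The check therefore has to run at the moment a mark is overwritten, which is why lp_store releases the old mark before counting the new one, and why a slot rewritten with its own mark is special-cased rather than allowed to dip to zero and back.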
35. Leakpoint report
Lost pointer to 0x1C93AC0 (16 bytes)
allocated at:
at calloc+105
by _internal_class_createInstanceFromZone+149
by _internal_class_createInstance+31
by +[NSObject allocWithZone:]+155 (NSObject.m:445)
by +[NSObject alloc]+41 (NSObject.m:432)
by create+97 (main.m:29)
by main+17 (main.m:38)
leaked at:
at free+103
by _internal_object_dispose+81
by NSDeallocateObject+223 (NSObject.m:207)
by -[Container dealloc]+53 (container.m:13)
by main+43 (main.m:40)
The slide sets this report beside the output of the leaks tool: the "allocated at" stack is what a conventional leak checker reports; the "leaked at" stack, taken at the point where the last pointer to the block was lost (here inside the free() that released the Container holding it), is what Leakpoint adds.
Leakpoint implementation
• Implemented as a Valgrind tool (www.valgrind.org)
■ intercept libc memory management functions
■ instrument binary instructions to perform propagation
44. Leakpoint: current status
Handle basic C / C++ / Objective C
Handle Cocoa ✔
Handle CoreFoundation ✔
64bit compatible ✔
Need to investigate approximately 40 (probably false positive) leak reports:
• Interface Builder unarchiving
• CoreData
47. A real leak?: _NSImageMalloc
#include <stdint.h>
#include <Foundation/Foundation.h>   // NSZone, NSZoneMalloc

#define BITMAP_DATA_ALIGNMENT 32     // the slide uses the macro without defining it; 32 follows from the comment below

void *_NSImageMalloc(NSZone* zone, size_t size) {
    // allocate storage aligned to 32 bytes. we do this by
    // allocating an extra 32 bytes, finding the address in the proper
    // location and storing the delta in one of the previous 32 bytes.
    void *unaligned = NSZoneMalloc(zone, size + BITMAP_DATA_ALIGNMENT);
    if(unaligned != NULL) {
        uintptr_t aligned = ((uintptr_t)unaligned + BITMAP_DATA_ALIGNMENT)
                            & ~(uintptr_t)(BITMAP_DATA_ALIGNMENT - 1);
        // the delta (1..32) is kept in the byte just before the aligned address;
        // the base pointer itself is not stored anywhere.  The cast must be
        // applied before the subscript: aligned is an integer, not a pointer.
        ((unsigned char*)aligned)[-1] = (unsigned char)(aligned - (uintptr_t)unaligned);
        return (void*)aligned;
    }
    else {
        return NULL;
    }
}
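What makes this allocator awkward for a pointer-tracking leak detector is visible in the code: the returned address is derived from the base by integer masking rather than pointer arithmetic, and the base survives only as a one-byte delta in front of the block, so no variable holds the original pointer once the function returns. The following C program is an added example for this page, not Apple's code: it implements the same delta-in-the-header scheme on plain malloc so it runs anywhere, adds the matching free that recovers the base, and checks the two properties a practitioner would want to verify (the result is 32-byte aligned, and the stored delta always round-trips to the original block). The names aligned_malloc_delta / aligned_free_delta / aligned_roundtrip_ok and the use of malloc instead of NSZoneMalloc are assumptions of the example.

```c
/* Added example (not from the slides): _NSImageMalloc's alignment trick on
 * plain malloc, with the free side that the slide does not show. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BITMAP_DATA_ALIGNMENT 32   /* assumed from the "aligned to 32 bytes" comment */

/* Allocate size bytes whose address is a multiple of BITMAP_DATA_ALIGNMENT.
 * Over-allocate by one alignment unit, round up, and record how far we moved
 * in the byte just before the returned address.  The delta is always in
 * [1, 32]: if the base is already aligned the rounding steps a full 32 bytes. */
void *aligned_malloc_delta(size_t size) {
    unsigned char *unaligned = malloc(size + BITMAP_DATA_ALIGNMENT);
    if (unaligned == NULL) return NULL;
    uintptr_t aligned = ((uintptr_t)unaligned + BITMAP_DATA_ALIGNMENT)
                        & ~(uintptr_t)(BITMAP_DATA_ALIGNMENT - 1);
    ((unsigned char *)aligned)[-1] = (unsigned char)(aligned - (uintptr_t)unaligned);
    return (void *)aligned;
}

/* Recover the base pointer from the stored delta and hand it back to free().
 * Passing p itself to free() would be an invalid free of an interior pointer. */
void aligned_free_delta(void *p) {
    if (p == NULL) return;
    unsigned char delta = ((unsigned char *)p)[-1];
    free((unsigned char *)p - delta);
}

/* Returns 1 if an allocation of the given size is aligned, the delta is in
 * range, the whole user region is writable, and the block frees cleanly. */
int aligned_roundtrip_ok(size_t size) {
    void *p = aligned_malloc_delta(size);
    if (p == NULL) return 0;
    int ok = ((uintptr_t)p % BITMAP_DATA_ALIGNMENT) == 0;
    unsigned char delta = ((unsigned char *)p)[-1];
    ok = ok && delta >= 1 && delta <= BITMAP_DATA_ALIGNMENT;
    memset(p, 0xA5, size);              /* p + size never exceeds base + size + 32 */
    aligned_free_delta(p);
    return ok;
}
```

Run under a pointer-tracking tool, the only value derived from the base by pointer arithmetic is the temporary inside aligned_free_delta; everything in between holds either the masked address or the delta byte, which is exactly the gap the slide's question is about.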
49. Overhead
Powerful but expensive: 50-100x overheads are common.
Recommended usage:
run cheap tools to check for errors
run expensive tools to diagnose errors
52. Future work
Impact
• Apple
■ new leak detection tool
■ experience with dynamic taint analysis
• Me
■ experience with Valgrind
■ experience analyzing large commercial code base