trailofbits / polytracker

An LLVM-based instrumentation tool for universal taint tracking, dataflow analysis, and tracing.
Apache License 2.0

Add runtime-instrumented dynamic taint tracking to PolyTracker #6482

Open ESultanik opened 1 year ago

ESultanik commented 1 year ago
josephsweeney commented 1 year ago

Prior Art

Taintgrind: Valgrind plugin for taint-tracking using its process emulation based approach. Seems reasonable and could fit our use case.

PANDA: Dynamic analysis platform built on top of QEMU. Includes a taint-tracking plugin.

DECAF(++): Another dynamic code analysis framework built on QEMU. It also has taint analysis as described in a 2019 paper. Claims to be the fastest dynamic code platform. Between this and PANDA, I would be inclined to try PANDA first as it seems more maintained (last commit 3 days ago vs DECAF's last commit in 2021) even though this one makes bigger claims.

DynamoRIO: a runtime code manipulation system that we may be able to build taint tracking on top of. This tutorial covers the API and the Dr. Memory tool that it includes which may be able to be leveraged for taint tracking. A grad student who started trying to do taint analysis with it in 2017 wrote two parts to a blog post and has a github repo where they started it for ARM.

Triton: Dynamic binary analysis library that includes some taint analysis functionality. Seems like it does a bunch of other stuff as well like (dynamic?) symbolic execution and does the emulation itself. There is an example of forward tainting using the Python API. I can't tell if this is a good fit or not.

Pin: A dynamic binary instrumentation tool by Intel for the IA-32, x86-64 and MIC instruction-set architectures. I think the lack of ARM and the fact that it isn't open source probably eliminates this as an option.

The broad approaches for dynamic taint tracking fall into two camps, full system emulation (PANDA, DECAF) or process based emulation (Taintgrind, DynamoRIO, Triton, Pin).

Evaluation Approach

The best way to evaluate which approach solves the problems we have (identifying data structures in black box binaries) is to create a standard testing framework so that we can measure how each approach performs on both a small example program (something like cat with extra logic) and a real program we may want to do taint tracking on (LibTIFF). To do this with my current knowledge I would need to just start trying to get taint tracking working with each tool so that I can identify problems.

Feedback is encouraged here as I am still in the very early stages of figuring out how to best tackle dynamic taint tracking.
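Added example, not code from PolyTracker or from any of the tools listed in the comment above: one way to build the "cat with extra logic" test target that the evaluation approach calls for. It copies stdin to stdout like cat, but routes the input through four separately named functions, one per kind of dataflow (explicit copy, explicit arithmetic, table lookup, and a control-dependent result), so that running it under each tracker shows which flows that tracker reports on the same input. The 8-byte "TTST" header format, the function names and the FNV-1a checksum are assumptions made for this example.

```c
/* Added example test target for comparing dynamic taint trackers.
 * Not part of PolyTracker, Taintgrind, PANDA, DECAF, DynamoRIO, Triton or Pin.
 * Each kind of dataflow lives in its own function so that a tracker's report
 * can be read per flow:
 *   - copy_bytes        explicit flow through a byte copy
 *   - checksum          explicit flow through arithmetic
 *   - swap_nibble_byte  input byte used as an index into a constant table
 *   - classify_header   implicit (control) flow: the result is built from
 *                       constants and depends on the input only via branches
 * Usage: ./taint_target < input > output   (summary is printed to stderr)
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical header format assumed for this example:
 * bytes 0..3 magic "TTST", byte 4 version, bytes 5..7 unused. */
#define HDR_LEN 8

/* Explicit flow, copy: every output byte is the corresponding input byte. */
size_t copy_bytes(const uint8_t *in, size_t n, uint8_t *out) {
    for (size_t i = 0; i < n; i++) out[i] = in[i];
    return n;
}

/* Explicit flow, arithmetic: 32-bit FNV-1a over the input; the result
 * depends on every input byte through xor and multiply. */
uint32_t checksum(const uint8_t *in, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= in[i]; h *= 16777619u; }
    return h;
}

/* Table lookup: the value read is a constant; taint must flow through
 * the index for the output to be reported as tainted. */
uint8_t swap_nibble_byte(uint8_t b) {
    static uint8_t table[256];
    static int ready = 0;
    if (!ready) {
        for (int i = 0; i < 256; i++)
            table[i] = (uint8_t)(((i << 4) & 0xff) | (i >> 4));
        ready = 1;
    }
    return table[b];
}

size_t swap_nibbles(const uint8_t *in, size_t n, uint8_t *out) {
    for (size_t i = 0; i < n; i++) out[i] = swap_nibble_byte(in[i]);
    return n;
}

/* Implicit (control) flow: the return value is a constant chosen by
 * comparisons on the input. Trackers that follow only explicit dataflow
 * will report it as untainted even though it reveals the header bytes.
 * Returns -1 if too short, 0 if bad magic, 1 or 2 for known versions,
 * 3 for any other version. */
int classify_header(const uint8_t *in, size_t n) {
    if (n < HDR_LEN) return -1;
    if (memcmp(in, "TTST", 4) != 0) return 0;
    if (in[4] == 1) return 1;
    if (in[4] == 2) return 2;
    return 3;
}

int main(void) {
    uint8_t *buf = NULL;
    size_t n = 0, cap = 0;
    int c;
    while ((c = getchar()) != EOF) {          /* slurp all of stdin */
        if (n == cap) {
            cap = cap ? cap * 2 : 4096;
            uint8_t *nb = realloc(buf, cap);
            if (!nb) { free(buf); return 1; }
            buf = nb;
        }
        buf[n++] = (uint8_t)c;
    }
    uint8_t *out = malloc(n ? n : 1);
    if (!out) { free(buf); return 1; }

    copy_bytes(buf, n, out);
    fwrite(out, 1, n, stdout);                /* the "cat" part */
    swap_nibbles(buf, n, out);
    fprintf(stderr, "bytes=%zu checksum=%08x header_class=%d swapped0=%02x\n",
            n, checksum(buf, n), classify_header(buf, n), n ? out[0] : 0);

    free(buf);
    free(out);
    return 0;
}
```

Feeding the same file (a few KiB starting with a "TTST" header) to this binary under each candidate tracker, with stdin marked as the taint source, gives a direct side-by-side: whether stdout bytes, the checksum, the swapped byte and the header class come out tainted. The implicit-flow case is the one most likely to differ between tools and is also the one that matters for recovering data structures from a parser, since field types are usually decided by exactly this kind of branch.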

kaoudis commented 1 year ago

How much QEMU hacking would you like to do @josephsweeney if we end up needing to modify one of these tools? That might be a potential determining factor in what we choose to apply here. Nothing wrong with it if we're up for it or a QEMU-related tool ends up being the most useful, but my prior QEMU experience has been it gets complex exactly when you don't want it to.

josephsweeney commented 1 year ago

My instinct is that if the QEMU based frameworks won't work, then it is probably a complexity demon we don't want to touch. Honestly though, I don't have well formed enough opinions on these approaches to really know which is simplest.

kaoudis commented 1 year ago

Me neither! I just saw QEMU and your comments on whole system emulation and smelled complexity as well~