Anti Taint Analysis

The goal of this transformation is to disrupt analysis tools that make use of dynamic taint analysis.

 

Diversity

We use two basic ways to copy a variable using control-, rather than data-flow:

1

counting up to the value of the variable, and

2

copying it bit by bit, tested in an if-statement.

This can be done in a simple loop, an unrolled loop, or by throwing exceptions caught in a signal handler. This leads to a total of five different copy methods.

 

Usage

If you want to copy using signals you must first generate the signal handlers using the InitImplicitFlow transformation.

OptionArgumentsDescription
--Transform AntiTaintAnalysis Transform the code by inserting implicit flow such that dynamic taint analysis becomes less precise.
--AntiTaintAnalysisKinds argv, sysCalls, vars, * Comma-separated list of the kinds of anti-taint analysis transformations to employ. Default=none.
  • argv = Insert implicit flow from argv and argc in main.
  • sysCalls = Insert implicit flow from output variables of common system calls.
  • vars = Insert implicit flow to a variable whenever it is written to. Use --LocalVariables=.. and --GlobalVariables=... to specify which variables should be copied.
  • * = Same as all options turned on.
--AntiTaintAnalysisSysCalls getpid, scanf, * Comma-separated list of the system calls whose output should be passed through implicit flow. Only two calls are currently implemented. Default=all system calls.
  • getpid = Insert implicit flow to the output of getpid.
  • scanf = Insert implicit flow to the output of scanf.
  • * = Same as all options turned on.
--AntiTaintAnalysisImplicitFlow single, compose, select, majority, repeat, until S-expression of the implicit flow combiners to use. Default=none.
  • single = The expression (single a) inserts a simple implicit flow, where a is one of
  • compose = The S-expression (compose a b c) inserts an implicit flow where the output of a
  • select = The S-expression (select a b c) inserts an implicit flow that picks among a,b,c
  • majority = The S-expression (majority a b c) inserts an implicit flow that uses majority logic
  • repeat = The S-expression (repeat a n) (where n is an integer) is equivalent to
  • until = The S-expression (until a m n) (where m,n are integers, m)
 

Examples

The code to copy argc using bit-by-bit copy and signals would look something like this: 

  argc_origPtr13 = (unsigned char *)(& argc);
  argc_copyPtr15 = (unsigned char *)(& argc_copy14);
  size_iter16 = 0;
  while (size_iter16 < 4) {
    TempVar = 0;
    signal(31, handler);
    BitVar = 0;
    while (BitVar < 8) {
      if ((*argc_origPtr13 >> BitVar) & 1) {
        raise(31);
      } 
      BitVar ++;
    }
    signal(31, (void (*)(void *sig ))1);
    *argc_copyPtr15 = TempVar;
    argc_origPtr13 ++;
    argc_copyPtr15 ++;
    size_iter16 ++;
  }

with this signal handler and these global variables: 

unsigned char TempVar;
int BitVar;
void handler(int sig ) { 
  TempVar |= 1 << BitVar;
}

 

Issues

Currently, we can only un-taint a few variables:

1

argc and argv in main,

2

the output values of a few system and library calls: getpid and scanf,

3

the virtual PC in a virtualized function (using the --VirtualizeImplicitFlowVPC option).

4

The function handler to a jitted function (using the --JitImplicitFlow option).

We will add more as requested!

 

References

The implementation is based on ideas from Anti-Taint-Analysis: Practical Evasion Techniques Against Information Flow Based Malware Defense by Lorenzo Cavallaro, Prateek Saxena, and R. Sekar and On the Effectiveness of Dynamic Taint Analysis for Protecting Against Private Information Leaks on Android-based Devices by Golam Sarwar, Olivier Mehani, Roksana Boreli, and Mohamed-Ali Kaafar.