DeepSec 2020 Talk: TaintSpot: Practical Taint Analysis and Exploit Generation for Java – Dr. – Ing. Mohammadreza Ashouri
“In this talk I will introduce a scalable and practical security analysis and automatic exploit generation approach, which is called TaintSpot.
It works based on an optimized hybrid taint analysis technique that combines static and dynamic vulnerability analysis. TaintSpot generates concrete exploits based on concolic testing for programs written for the Java Virtual Machine (JVM) ecosystem.TaintSpot is specially designed for operating on large-scale proprietary executable binaries with multiple external dependencies.
TaintSpot is under development system; for now, it targets JVM binaries, but I plan to extend it to android applications.”
We asked Mohammadreza a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- Static and dynamic taint analysis have various advantages and disadvantages; I consider consolidating the best of these techniques to improve the effectiveness and scalability of TaintSpot.
- Providing concrete exploits that reproduce zero-day vulnerabilities in the lab can help developers understand the issue and provide proper patches. Thus, in TaintSpot’s design, we introduce a distributed concolic execution engine to generate test cases for the target software’s vulnerable code.
- Respecting the lack of the source code in commercial off-the-shelf software (COTS), the capability of analyzing binary files seems to be critical. Thus, our system leverages does not require the source code for security analysis and exploit generation.
- Advanced attackers often used obfuscation techniques to hide their malicious payload and circumvent static analyses scanners. Code obfuscation poses significant processing hurdles to anti-virus engines as well. In my talk, I will introduce a fine-grained dynamic taint tracking system that ignores obfuscation traps and focuses on actual execution paths during execution time.
- TaintSpot can manipulate binary files to protect a vulnerable program under analysis against zero-day attacks in closed-source software, without human intervention.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
Since my Ph.D. study, I have been working on various taint analysis techniques and their applications for program security and exploit generation. I have also published multiple papers in this field, and the idea of TaintSpot initially derived from the result of my experience in the past, especially a legendary work for android applications which is called TaintDroid.
Why do you think this is an important topic?
According to the report published by the Common Vulnerabilities and Exposures (CVE) organization, the number of reported vulnerabilities in software systems in 1999 was less than 1600, while the number of the same organization’s reports in 2019 is nearly 100.000, approximately 60 times higher.
Consequently, facing a large number of software vulnerabilities that constantly is growing, security experts have neither adequate time nor sufficient resources to analyze, detect, and fix these issues promptly and accurately. Hence, it makes an extraordinary opportunity for cyber attackers to exploit zero-day vulnerabilities and perform large-scale attacks successfully.
Is there something you want everybody to know – some good advice for our readers maybe?
Yes, new cyber-attacks’ complexities indicate the weaknesses in conventional protection systems such as firewalls, IDSIPS, and antivirus engines. That suggests proactive approaches to identify and block zero-day attacks with unseen patterns. Taint Analysis shows its effectiveness in detecting zero-days. In this talk, I try to shed light on this technique and the advantages of making the world a safer place.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
Despite taint tracking analyses’ usefulness, it is still costly due to its over tainting and substantial overhead. Tacking this issue and improving its accuracy is critical for improving the safety of software ecosystems.
Mohammadreza Ashouri (@Ashourimo) has a Ph.D. degree in Software Security. He is particularly interested in program analysis, automatic exploit generation, and fuzzing techniques.
He has published several papers in top-notch scientific conferences and received multiple grants and prizes. He used to work at CISPA (Helmholtz Center for Information Security) and the University of Potsdam. Mohammadreza currently lives in Berlin, and he likes cycling, photography, writing, and electronic music. You can get more information about him by checking out his webpage https://ashoury.de