S&P2024
AirTaint: Making Dynamic Taint Analysis Faster and Easier
Qian Sang, Yanhao Wang, Yuwei Liu, Xiangkun Jia, Tiffany Bao, Purui Su
11 citations
Abstract
Dynamic Taint Analysis (DTA) is a widely used data flow tracking technique that helps security researchers in various applications, such as fuzzing and vulnerability analysis. One critical problem that affects its practicability is the significant overhead. According to our analysis, in some scenarios the state-of-the-art works slow program execution by more than 100x. The high overhead arises mainly because most of them conduct taint analysis at the instruction level and use just-in-time instrumentation methods to insert the tracking code into the original program. In this paper, we propose AirTaint, a novel approach that combines basic block-level abstraction of taint rules with assembly code-level instrumentation to conduct high-level dynamic taint analysis. Specifically, AirTaint leverages instruction-level emulation to identify the in and out operands (i.e., registers and memory variables) of each basic block, and then uses an existing taint engine to infer the taint rule abstraction for each basic block. Finally, it inserts the assembly code of the taint rule abstraction into the original program. At runtime, the program executes the inserted taint analysis code quickly. In our evaluation based on 14 CVEs in 9 real-world applications, AirTaint detects all of these vulnerabilities successfully. In the comparison experiments on 29 real-world applications, AirTaint is far more efficient than the existing tools, with maximum improvements of 931.0x, 5.97x, and 328.3x over libdft, SelectiveTaint, and TaintRabbit, respectively.
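The block-level abstraction described in the abstract, shown as an added example that is not AirTaint's code: a toy instruction-level taint engine is run once over a basic block seeded with symbolic input labels, which yields a per-block rule mapping each out operand to the in operands whose taint reaches it; at runtime that rule is applied in one step and checked against plain instruction-by-instruction propagation. The two-operand IR, the `xor r, r` clearing rule, and the sample block and taint tags are assumptions constructed for the illustration.

```python
# Added illustration (not AirTaint's code): derive a block-level taint rule by running
# an instruction-level engine once with symbolic inputs, then apply it in one step.
from typing import Dict, FrozenSet, List, Tuple

Instr = Tuple[str, str, str]  # (opcode, dst, src) in a toy two-operand IR
TaintSet = FrozenSet[str]
EMPTY: TaintSet = frozenset()

def step(env: Dict[str, TaintSet], ins: Instr) -> None:
    """Instruction-level propagation rules, as an existing taint engine applies them."""
    op, dst, src = ins
    if op == "mov":                    # dst := src
        env[dst] = env.get(src, EMPTY)
    elif op == "xor" and dst == src:   # xor r, r zeroes r, so its taint is cleared
        env[dst] = EMPTY
    elif op in ("add", "xor"):         # dst := dst op src
        env[dst] = env.get(dst, EMPTY) | env.get(src, EMPTY)
    else:
        raise ValueError(f"unsupported opcode {op}")

def written(block: List[Instr], env: Dict[str, TaintSet]) -> Dict[str, TaintSet]:
    return {dst: env[dst] for _, dst, _ in block}  # the block's out operands

def abstract_block(block: List[Instr]) -> Dict[str, TaintSet]:
    """Block-level rule: for each out operand, the in operands whose taint reaches it."""
    # Seed every operand with a symbolic label so surviving labels name the block's inputs.
    env = {o: frozenset({f"in:{o}"}) for ins in block for o in ins[1:]}
    for ins in block:
        step(env, ins)
    return written(block, env)

def apply_rule(rule: Dict[str, TaintSet], taint: Dict[str, TaintSet]) -> Dict[str, TaintSet]:
    """Runtime: one union per out operand, however many instructions the block has."""
    return {dst: frozenset().union(*(taint.get(lbl[3:], EMPTY) for lbl in ins))
            for dst, ins in rule.items()}

def instruction_level(block: List[Instr], taint: Dict[str, TaintSet]) -> Dict[str, TaintSet]:
    """Reference: propagate instruction by instruction over the concrete taint state."""
    env = dict(taint)
    for ins in block:
        step(env, ins)
    return written(block, env)

# Constructed sample block and runtime taint state; the tags "file" and "net" are made up.
BLOCK = [("mov", "eax", "[rbx]"), ("add", "eax", "ecx"), ("xor", "edx", "edx"), ("mov", "[rsi]", "eax")]
RUNTIME = {"[rbx]": frozenset({"file"}), "ecx": EMPTY, "edx": frozenset({"net"})}

if __name__ == "__main__":
    rule = abstract_block(BLOCK)  # {'eax': {'in:[rbx]', 'in:ecx'}, 'edx': set(), '[rsi]': {...}}
    print(rule, apply_rule(rule, RUNTIME) == instruction_level(BLOCK, RUNTIME))
```

The rule is computed once per block, so the per-execution cost is proportional to the number of out operands rather than the number of instructions, which is the source of the speedup the abstract describes.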