ASE2025

ConfuseTaint: Exploiting Vulnerabilities to Bypass Dynamic Taint Analysis

Yufei Wu, Alexandre Bartel

Abstract

Dynamic taint analysis (DTA) tracks how sensitive data flows through a program at runtime, enabling the detection of security violations such as information leaks and injection attacks. However, most DTA systems assume that memory layouts are type-safe and structurally consistent—an assumption that can be violated by vulnerabilities such as type confusion. While type confusion has been studied in the context of sandbox escape, its ability to silently bypass taint tracking without altering program behavior remains unexplored. In this paper, we present ConfuseTaint, a technique that leverages type confusion vulnerabilities to corrupt taint metadata without modifying program semantics or the analysis tool. ConfuseTaint uses wide memory overwrites enabled by type confusion to corrupt taint tags, breaking the assumptions of taint tracking mechanisms that rely on shadow memory. We evaluate ConfuseTaint on two widely used taint tracking frameworks: Phosphor for the JVM and TaintDroid for Android. In both cases, ConfuseTaint successfully bypasses taint tracking, allowing sensitive data to reach designated sinks without detection. These results reveal a structural weakness in current DTA designs: their reliance on type-safe memory layouts leaves them vulnerable to low-level reinterpretation. Overall, our work reveals that runtime-level memory reinterpretation is an overlooked threat, calling for taint tracking architectures that do not rely on fragile assumptions about type and memory layout.
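The following is an added illustration, not code from the paper and not the design of Phosphor or TaintDroid. It is a deliberately simplified shadow-memory model of the weakness the abstract describes: the instrumentation sizes its taint-tag update from the declared type of an access, so an access that is actually wider than its declared type (the type-confusion case) leaves tainted bytes sitting under a stale, clean tag. The hardened variant derives the tag range from the byte count actually moved instead of from the declared type, which is the kind of assumption-free bookkeeping the abstract calls for. Every name, the word size and the sample values are constructed for this example.

```python
# Constructed toy model of a shadow-memory taint tracker (added example; not the
# paper's artefact and not Phosphor's or TaintDroid's layout).
# Memory is a flat array of 32-bit words with one taint tag per word held in a
# parallel shadow array.

CLEAN = 0
TAINTED = 1
WORD = 4  # bytes per word; constructed choice


class ShadowTaintMemory:
    def __init__(self, n_words: int) -> None:
        self.mem = bytearray(n_words * WORD)
        self.shadow = [CLEAN] * n_words

    # --- instrumentation that trusts the declared (static) type width ---------
    def load(self, word_idx: int, nbytes: int, declared_width: int = WORD):
        """Read nbytes of data, but compute the taint tag only over the words
        covered by the *declared* width: this is the fragile assumption."""
        data = bytes(self.mem[word_idx * WORD: word_idx * WORD + nbytes])
        words = range(word_idx, word_idx + declared_width // WORD)
        tag = CLEAN
        for w in words:
            tag |= self.shadow[w]
        return data, tag

    def store(self, word_idx: int, value: bytes, tag: int, declared_width: int = WORD) -> None:
        """Write all bytes of value, but update shadow only for the declared width."""
        self.mem[word_idx * WORD: word_idx * WORD + len(value)] = value
        for w in range(word_idx, word_idx + declared_width // WORD):
            self.shadow[w] = tag

    # --- hardened instrumentation: range follows the bytes actually moved ------
    def load_checked(self, word_idx: int, nbytes: int):
        data = bytes(self.mem[word_idx * WORD: word_idx * WORD + nbytes])
        n_words = (nbytes + WORD - 1) // WORD
        tag = CLEAN
        for w in range(word_idx, word_idx + n_words):
            tag |= self.shadow[w]
        return data, tag

    def store_checked(self, word_idx: int, value: bytes, tag: int) -> None:
        self.mem[word_idx * WORD: word_idx * WORD + len(value)] = value
        n_words = (len(value) + WORD - 1) // WORD
        for w in range(word_idx, word_idx + n_words):
            self.shadow[w] = tag


def sink_allows(mem: ShadowTaintMemory, word_idx: int) -> bool:
    """Sink policy: a word may leave the process only if its tag is CLEAN."""
    _, tag = mem.load(word_idx, WORD, WORD)
    return tag == CLEAN


def run_confused_copy(hardened: bool):
    """Copy an 8-byte object whose declared type is a 4-byte int, with the secret
    in its second word. Returns (secret_landed_in_word_3, tag_of_word_3)."""
    mem = ShadowTaintMemory(4)
    secret = b"\x11\x22\x33\x44"  # constructed sensitive value
    mem.store(1, secret, TAINTED)  # word 1 holds the secret and is tagged
    if hardened:
        value, tag = mem.load_checked(0, 8)
        mem.store_checked(2, value, tag)
    else:
        # 8 bytes really move, but instrumentation believes the type is 4 bytes
        value, tag = mem.load(0, 8, declared_width=WORD)
        mem.store(2, value, tag, declared_width=WORD)
    copied, copied_tag = mem.load(3, WORD, WORD)
    return copied == secret, copied_tag


if __name__ == "__main__":
    for hardened in (False, True):
        landed, tag = run_confused_copy(hardened)
        print(f"hardened={hardened}: secret in word 3={landed}, tag={tag}")
```

In the unhardened run the secret is copied into word 3 with a CLEAN tag, so `sink_allows` would let it out; in the hardened run the tag range is computed from the real access size and the copy carries TAINTED, so the sink check fires. The point of the model is only that tag bookkeeping keyed to declared types is exactly the assumption a type-confused access breaks.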