Taint-Enhanced Policy Enforcement

See our 15th USENIX Security Symposium (2006) paper for an overview of this approach.


TaintPolicy provides a practical fine-grained (byte-level) dynamic taint analysis for attack detection. By combining expressive security policies with fine-grained taint information, this approach can be applied to detect a wide range of common attacks, including buffer overflows, format-string attacks, SQL injection, cross-site scripting, command and shell-code injection, and directory traversal.

TaintPolicy is developed based on two important observations:

TaintPolicy instruments C programs through a source-to-source transformation to perform runtime taint tracking. Taint originates at specified input functions, e.g. a read or recv function used by a server to read network inputs. In the transformed program, each byte of memory is associated with one tag of taint information. As data propagates through memory, the associated taint information is propagated as well. TaintPolicy can track explicit information flows that take place through assignments as well as limited forms of implicit information flows that take place through control flows. User-provided taint-enhanced policies that can distinguish between benign uses of untrusted (tainted) data from attacks are applied right before each call to security-critical functions, e.g. popen.

TaintPolicy ensures that the taint tracking is correct even in the presence of memory errors, aliasing, type casts, and so on. It also employs a number of optimizations to significantly reduce the performance overheads associated with the maintenance of taint information.

TaintPolicy is directly applicable to programs written in C, and several other scripting languages (e.g. PHP, Bash) whose interpreters are implemented in C.

TaintPolicy is implemented in Objective Caml (http://caml.inria.fr) and uses CIL (http://manju.cs.berkeley.edu/cil/) as the front end to manipulate C constructs.


Coming soon.


This work is supported in part by an ONR grant N000140110967 and NSF grants CNS-0208877 and CCR-0205376.