• to execution
• no impact on runtime performance
• under-tainting or over-tainting
• Dynamic taint analysis (DTA)
• more accurate
• high runtime overhead (Pin: > 6X slowdown)
• extra instructions to propagate a taint tag in shadow memory
• strict coupling of program execution and data flow tracking logic
• frequent "context-switches"
• register spilling
• data cache pollution
• a program trace and delivering it to other idle cores for inspection
• hardware first-in first-out buffer for speeding up communication between cores
• Software-only methods
• rely on dynamic binary instrumentation (DBI)
• decouple dynamic taint analysis from program execution
• ShadowReplica: "primary & secondary" thread model
• symbolic taint states, the input values size and num are labeled as symbol1 and symbol2
• (c) resolving symbolic taint states when size is tainted as tag1 and num is a constant value (num = 0xffffffff)
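As an added illustration (not code from the original slides or project), the following Python toy models the mechanism behind case (c): taint propagation runs over a straight-line trace with symbolic taint for the inputs size and num, and the symbolic states are resolved afterwards once the concrete taint seeds are known. The trace, variable names and seed assignment are constructed for the example.

```python
# Added toy model (not the original project's code) of symbolic taint states.
# While the pipeline analyses a straight-line trace, the taint of the inputs
# `size` and `num` is not yet known, so they carry the symbols symbol1 and
# symbol2; propagation yields symbolic taint states that are resolved once
# the concrete taint seeds arrive. Trace, names and seeds are constructed.
Taint = frozenset  # a taint state: a set of symbols and/or concrete tags

# Inputs whose taint status is unknown at analysis time get a symbol.
SYMBOLIC_INPUTS = {"size": "symbol1", "num": "symbol2"}

# Constructed trace as (op, dst, *srcs): "const" loads an immediate and
# clears taint; any other op unions the taint of its sources.
TRACE = [
    ("mul", "eax", "size", "num"),   # eax = size * num
    ("mov", "len", "eax"),           # len = eax
    ("const", "ecx"),                # ecx = 0
    ("add", "idx", "ecx", "size"),   # idx = ecx + size
]


def propagate(trace, symbolic_inputs=SYMBOLIC_INPUTS):
    """Taint propagation with symbolic taint for the unknown inputs."""
    state = {var: Taint({sym}) for var, sym in symbolic_inputs.items()}
    for op, dst, *srcs in trace:
        if op == "const":
            state[dst] = Taint()
        else:
            state[dst] = Taint().union(*(state.get(s, Taint()) for s in srcs))
    return state


def resolve(state, seeds):
    """Substitute symbols with their concrete tags; non-symbols pass through."""
    # seeds: symbol -> tag set; an empty set means an untainted constant input
    return {var: Taint().union(*(seeds.get(t, Taint({t})) for t in taint))
            for var, taint in state.items()}


def run_example():
    """Case (c) of the figure: size tainted as tag1, num a constant."""
    symbolic = propagate(TRACE)
    concrete = resolve(symbolic, {"symbol1": Taint({"tag1"}), "symbol2": Taint()})
    return symbolic, concrete


if __name__ == "__main__":
    sym, conc = run_example()
    for var in ("eax", "len", "ecx", "idx"):
        print(f"{var}: symbolic={set(sym[var])} resolved={set(conc[var])}")
```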
• code
• targets of direct and indirect jumps have been resolved
• most addresses of memory operations can be inferred from the straight-line code
• pipelining design (asynchronous)
• may detect an attack some time after the real attack has happened
• format)
• concrete execution state when taint seeds are first introduced, including registers and memory (e.g., CR0~CR4, EFLAGS and addresses of initial taint seeds)