Abstract:
Dynamic test generation is becoming an increasingly popular way to find security vulnerabilities in software, and it is applied to detect bugs in binaries. However, existing systems of this kind adopt offline symbolic analysis and execution based on a program execution trace, which records the executed instructions and their operand values, with every input-related memory access replaced by its concrete execution value. This brings two fatal problems: first, all symbolic information about input-related memory accesses is lost; second, the symbolic information of other variables is inaccurate, especially for variables computed from input-related memory accesses. This paper presents Hunter, an automatic dynamic test generation system based on online taint analysis, which can find, online, unknown high-priority fatal bugs in binaries that must be fixed immediately at the pre-release stage. To reach this goal, we present a new abstract representation called the Taint Single Assignment DAG (TSADAG) to depict taint propagation information, give the algorithm that builds the TSADAG during online execution, and finally build the Hunter system. Experimental results show that Hunter has a very low divergence rate of less than 5.4%, thanks to the accurate online taint propagation analysis, and that it can find pointer-related or indirect memory access-related bugs.
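To make the difference between online taint propagation and offline trace replay concrete, here is an added toy example (not Hunter's code; the three-address IR, the MEM table and the taint labels are constructed): it builds a single-assignment taint DAG while interpreting a three-instruction program, and shows that concretizing a memory read whose address depends on input drops the taint that the online analysis keeps.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str            # SSA name, e.g. "y_1"
    op: str              # "input", "add", "and", "load"
    taint: set           # input labels this value depends on
    deps: list = field(default_factory=list)  # parent SSA names

MEM = [7, 3, 9, 1]       # constructed lookup table standing in for memory

def build_tsadag(program, inputs, concretize_loads=False):
    """Interpret a toy three-address program once, building its taint DAG.
    program: list of (dst, op, *args), args are variable names or ints;
    inputs: var -> (value, set of taint labels). concretize_loads=True
    mimics offline trace replay: a memory read becomes its concrete value
    and the dependency on its (tainted) address is dropped."""
    env, dag, cur, seq = {}, {}, {}, {}
    for var, (val, labels) in inputs.items():
        env[var], cur[var] = val, var
        dag[var] = Node(var, "input", set(labels))
    def operand(a):                 # immediates carry no taint source
        return (a, []) if isinstance(a, int) else (env[a], [cur[a]])
    for dst, op, *args in program:
        vals, srcs = zip(*map(operand, args))
        srcs = [s for lst in srcs for s in lst]
        if op == "add":
            val = vals[0] + vals[1]
        elif op == "and":
            val = vals[0] & vals[1]
        elif op == "load":           # indirect access through an index
            val = MEM[vals[0]]
            if concretize_loads:
                srcs = []            # symbolic info of the access is lost
        else:
            raise ValueError(f"unknown op {op}")
        seq[dst] = seq.get(dst, 0) + 1
        name = f"{dst}_{seq[dst]}"    # single assignment: fresh name per def
        dag[name] = Node(name, op, set().union(*(dag[s].taint for s in srcs)), srcs)
        env[dst], cur[dst] = val, name
    return env, dag, cur

PROGRAM = [("i", "and", "x", 3),     # i = x & 3   (bounded table index)
           ("y", "load", "i"),       # y = MEM[i]  (address depends on input)
           ("z", "add", "y", 1)]     # z = y + 1   (no direct input operand)

def taint_of(var, concretize_loads=False):
    """Concrete value and sorted taint labels of `var` after one run."""
    env, dag, cur = build_tsadag(PROGRAM, {"x": (2, {"in0"})}, concretize_loads)
    return env[var], sorted(dag[cur[var]].taint)
```

With online propagation `z` is reported as input-dependent through the table lookup; with concretized loads it is not, so a test generator would never try to steer it.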
Keywords:
directed graphs; program debugging; program testing; Hunter system; TSADAG; bugs detection; dynamic test generation approach; input-related memory access; program execution trace; security vulnerability; symbolic analysis; symbolic execution; symbolic information; taint propagation analysis; taint single assignment directed acyclic graph; Algorithm design and analysis; Benchmark testing; Buildings; Computer bugs; Security; Software; binaries; bugs