Upload File

precise dynamic data flow tracking with proximal gradients · 2020-04-30 · huffman decoding index...

  • Home
  • Documents
  • Precise Dynamic Data Flow Tracking with Proximal Gradients · 2020-04-30 · Huffman decoding index in gzip decompression. taint source: x taint sink: y // x is a 4 byte int int x
1
Gabriel Ryan 1 , Abhishek Shah 1 , Dongdong She 1 , Koustubha Bhat 2 , Suman Jana 1 1 Columbia University 2 Vrije Universiteit [email protected], [email protected], [email protected], [email protected], [email protected] References: [1] LeCun, Yann, Yoshua Bengio, and Geoffrey Hinton. "Deep learning." nature 521.7553 (2015): 436. [2] Selvaraju, Ramprasaath R., et al. "Grad-cam: Visual explanations from deep networks via gradient- based localization." Proceedings of the IEEE International Conference on Computer Vision. 2017. [3] Parikh, Neal, and Stephen Boyd. "Proximal algorithms." Foundations and Trends® in Optimization 1.3 (2014): 127-239. Gradient provides more precise and meaningful information about program behavior than taint based dataflow tracking. Gradient can be used to guide searches over large input spaces. Evaluation: - Achieved up to 39% better dataflow precision than state of the art method (Taint Analysis) on 7 programs. - Overhead is comparable to Taint Analysis on average (<5%). - Example application: Dataflow guided fuzzing. - Increase of 57% edge coverage on 2 programs Figure 1. Gradient avoids approximation errors and identifies where x has the greatest effect on y. Precise Dynamic Data Flow Tracking with Proximal Gradients Problem: Programs are not Differentiable Solution: Nonsmooth Optimization Programs contain nonsmooth operations like Bitwise And, making it impossible to compute gradients normally. Proximal Gradients are an application of nonsmooth optimization methods that base the gradient on the local minimum of a function. 3 int f(int x) { return x & 4; } x=6 Local gradient is flat! x=6 x=6 Proximal Minimization Proximal Gradient Proximal Operator finds nearby minimum Proximal Gradient is computed from nearby minimum input byte decoding byte Gradient Analysis identifies which input bytes are used to look up each Huffman decoding index in gzip decompression. taint source: x taint sink: y // x is a 4 byte int int x = 0x12345678; for (int i=0; i<6; i++){ y[i] = x; x = x<<8; } Taint to y from x Gradient of y wrt. x y 1 1 1 1 1 1 1 256 2^16 2^24 0 0 gradient input[0] input[1] Error! y=2*x y_shad = alloc_shadow() y_grad = gradient(2 * x) Application Memory Gradient Table Application Code Shadow Memory Instrumentation Code Implementation: - Implemented as LLVM Sanitizer, based on DataFlowSanitizer - Each address has associated shadow memory with label - Each operation is instrumented to propagate gradient

Upload: others

Post on 14-Jul-2020

4 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Precise Dynamic Data Flow Tracking with Proximal Gradients · 2020-04-30 · Huffman decoding index in gzip decompression. taint source: x taint sink: y // x is a 4 byte int int x

Gabriel Ryan1, Abhishek Shah1, Dongdong She1, Koustubha Bhat2, Suman Jana1

1Columbia University 2Vrije [email protected], [email protected], [email protected], [email protected], [email protected]

References:[1] LeCun, Yann, Yoshua Bengio, and Geoffrey Hinton. "Deep learning." nature 521.7553 (2015): 436.[2] Selvaraju, Ramprasaath R., et al. "Grad-cam: Visual explanations from deep networks via gradient-based localization." Proceedings of the IEEE International Conference on Computer Vision. 2017.[3] Parikh, Neal, and Stephen Boyd. "Proximal algorithms." Foundations and Trends® in Optimization 1.3 (2014): 127-239.

Gradient provides more precise and meaningful information about programbehavior than taint based dataflow tracking.

Gradient can be used toguide searches over large input spaces.

Evaluation:- Achieved up to 39% better dataflow precision than

state of the art method (Taint Analysis) on 7 programs.

- Overhead is comparable to Taint Analysis on average (<5%).- Example application: Dataflow guided fuzzing.

- Increase of 57% edge coverage on 2 programs

Figure 1. Gradient avoids approximation errorsand identifies where x has the greatest effect on y.

Precise Dynamic Data Flow Tracking with Proximal Gradients

Problem: Programs are not Differentiable

Solution: Nonsmooth Optimization

Programs contain nonsmooth operations like Bitwise And,making it impossible to compute gradients normally.

Proximal Gradients are an application of nonsmoothoptimization methods that base the gradient on the localminimum of a function.3

int f(int x) return x & 4;

x=6

Local gradient is flat!

x=6 x=6

Proximal Minimization Proximal Gradient

Proximal Operator finds nearby minimum

Proximal Gradient is computed from nearby minimum

inpu

t by

te

decoding byte

Gradient Analysis identifies which input bytes are used to look up each Huffman decoding index in gzipdecompression.

taint source: xtaint sink: y// x is a 4 byte intint x = 0x12345678;for (int i=0; i<6; i++) y[i] = x; x = x<<8;

Taint to y from x

Gradient of y wrt. x

y1 1 1 1 1 1

1 256 2^16 2^24 0 0gradient

input[0]

input[1]

Error!

y = 2 * x

y_shad = alloc_shadow() y_grad = gradient(2 * x)

Application Memory

Gradient Table

Application Code

Shadow MemoryInstrumentation Code

Implementation:- Implemented as LLVM Sanitizer, based on DataFlowSanitizer- Each address has associated shadow memory with label- Each operation is instrumented to propagate gradient

Minnet (=stacken) public static int fac(int n) { if (n == 0) return 1; else return fac(n-1) * n; }..... main(String [] a) { int x; x = fac(3); System.out.println(x);

Verifying Quantitative Reliability for Programs That ...people.csail.mit.edu/misailo/papers/rely13.pdf · tion signature int f(int x, int y, int z), where 0.99*R(x,

Passing arguments by value void func (int x) { x = 4; }... int a = 10;... func(a); cout

Variable = expression type name; int x;x____________________ int y;y____________________ int z;z____________________

UniversityofWashington* Using leal*for*Arithme3c*Expressions*...UniversityofWashington* Using leal*for*Arithme3c*Expressions* int arith (int x, int y, int z) { int t1 = x+y; int t2

TDDD38/726G82- Advancedprogrammingin C++TDDD38/lecture/slides/inheritance.pdf · 4/35 Inheritance Protectedmembers class Base {public: Base(int x): x{x} { } protected: int x;}; struct

Nishi Taint Eco 090811

CS102: Functionsvenus.cs.qc.cuny.edu/~cwang/102/lecture09.pdf · Pass by reference: square(x) //prototype void square(int x, int &y); //implementation void square(int x, int &y){y=x*x;}

C++ Inheritanceweb.mit.edu/6.s096/www/iap13/lectures/6/6.s096-lecture6.pdf · C++ Inheritance. Bits & Bobs. int x; int y; int int x y struct {int x; int y;} pt; int int pt.x pt.y

X-gateway - XOLogicX-gateway Int 1. EtherNet/IP Adapter Int 2. Profibus Master CC-Link IE Field X-gateway Int 1. CC-Link IE Field Slave Int 2. Profinet Device PROFINET HMS provides

Compilers - James Madison University · – CS 327, CS 430 Graph algorithms ... def int add(int x, int y) {return x + y;} def int main() {int a; a = 3; return add(a, 2);} $ java -jar

Taint scope

Class Hierarchy Discussion D. Constructor public class X { private int capacity; public X() { capacity = 16;} public X(int i) {capacity = i;} public int

Local, Global Variables, and Scope. COMP104 Slide 2 Functions are ‘global’, variables are ‘local’ int main() { int x,y,z; … } int one(int x, …) { double

20130326Testing - University of Massachusetts Amherst · PDF file• 32767 (The&floang ... • int proc1(int x, int y, int z) ... program takes same sequence of steps for any x

AMARCORD - karmanitalia.it fileamarcord ap121 1b int ap121 bf int ap121 bs int ap121 gt int ap121 1g int ap121 gs int 220-240v 1 x max 52w - e27

Int Approach to Concrete Repair - X-Calibur

AMARCORD - karmanitalia.it · amarcord ap121 1b int ap121 bf int ap121 bs int ap121 gt int ap121 1g int ap121 gs int 220-240v 1 x max 52w - e27

Лекция 8asmcourse.cs.msu.ru/wp-content/uploads/2016/03/Slides2016-08.pdf · 2 int fib(int x) { // x >= 1 int i; int p_pred = 0; int pred = 1; int res = 1; x--; for (i = 0;

rpg.xocomp.netrpg.xocomp.net/Characters/D20InsaneCampaign/Ghaleon.pdf · Mod CON Medium Load: Lift Off Ground 2 x Max Load Ability Cha Int Dex* Cha Con Int Int Int INT Heavy Load:

Dynamic Taint Analysis

X-gateway - Webhosting made simpleduranmatic.info/HMS/MMA201 X-gateway 4_2014.pdfX-gateway Int 1. EtherNet/IP Adapter Int 2. Profibus Master CC-Link IE Field X-gateway Int 1. CC-Link

Taint Driven Crash Analysis - HITB

faculty.cse.tamu.edufaculty.cse.tamu.edu/slupoli/notes/ProgLanguages/Function... · Web viewC++ Scheme size_t add (int x, int y) {return x + y;} (define (add x y) (+ x y)) (display

Asme Sec x Int Vol 38

ADMIT TICKET WHAT DOES THIS OUTPUT? double y = 2.5; int x = 6 / (int) y; System.out.println(“x = “ + x);

Handling non-linear operations in the value analysis of Costacosta.fdi.ucm.es/papers/costa/AlonsoAG11-slides.pdf · int log2 ( int x)f int l = 0; int y = 1; while (x>y)f y = y * 2;

AMARCORD - karmanitalia.it · amarcord ct121 1b int ct121 bf int ct121 bs int ct121 gt int ct121 1g int ct121 gs int 220-240v 1 x max 52w - e27

Dynamic Taint Propagation

Taint Droid

Taint tracking - Columbia University

TaintPipe: Pipelined Symbolic Taint Analysis - Faculty Pipelined Symbolic Taint Analysis Jiang Ming, Dinghao Wu, Gaoyao Xiao, ... (DBI) to decouple dynamic taint analysis from program

X Congreso Int Metal Extract 87.pdf

Smoke Taint Removal

Review of Lecture 1 - kolosovpetro.github.io · Operators 0 Assignment 0 Rzutowanie int x = 23; x = x + 1; float f = 23; int i = (int)f; Assignment returns a value! int y = x = x