10 PRINCIPLES OF DYNAMIC TAINT ANALYSIS

Imagine that you’re a hydrologist who wants to trace the flow of a river that runs partly underground. You already know where the river goes underground, but you want to find out whether and where it emerges. One way to solve this problem is to color the river’s water using a special dye and then look for locations where the colored water reappears. The topic of this chapter, dynamic taint analysis (DTA), applies the same idea to binary programs. Similar to coloring and tracing the flow of water, you can use DTA to color, or taint, selected data in a program’s memory and then dynamically track the data flow of the tainted bytes to see which program locations they affect.
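As an added illustration of the "dye and trace" idea (this is not code from the book or from any real DTA engine), the toy tracker below keeps a shadow copy of memory and registers holding taint labels, labels bytes that arrive from an untrusted source, propagates the labels through loads, stores and arithmetic, and reports when a tainted value reaches an indirect-jump sink. The instruction names, register names, addresses and input bytes are all assumptions constructed for this example.

```python
from typing import Dict, List, Set, Tuple

class TaintTracker:
    """Shadow state: each memory byte/register carries a set of taint labels."""
    def __init__(self) -> None:
        self.mem: Dict[int, int] = {}
        self.regs: Dict[str, int] = {}
        self.mem_taint: Dict[int, Set[str]] = {}   # shadow memory
        self.reg_taint: Dict[str, Set[str]] = {}   # shadow registers
        self.alerts: List[str] = []

    def taint_source(self, addr: int, data: bytes, label: str) -> None:
        """Write bytes from an untrusted source and 'dye' each with label."""
        for i, b in enumerate(data):
            self.mem[addr + i] = b
            self.mem_taint[addr + i] = {label}

    def run(self, program: List[Tuple]) -> List[str]:
        """Execute a toy instruction stream (hypothetical ISA), propagating taint."""
        for ins in program:
            op, dst = ins[0], ins[1]
            if op == "load":                      # reg <- mem[addr]
                self.regs[dst] = self.mem.get(ins[2], 0)
                self.reg_taint[dst] = set(self.mem_taint.get(ins[2], set()))
            elif op == "store":                   # mem[addr] <- reg
                self.mem[dst] = self.regs.get(ins[2], 0)
                self.mem_taint[dst] = set(self.reg_taint.get(ins[2], set()))
            elif op in ("add", "xor"):            # reg <- reg op reg
                s1, s2 = ins[2], ins[3]
                v1, v2 = self.regs.get(s1, 0), self.regs.get(s2, 0)
                self.regs[dst] = (v1 + v2) & 0xFF if op == "add" else v1 ^ v2
                if op == "xor" and s1 == s2:
                    # x ^ x is always 0, so the result no longer depends on input
                    self.reg_taint[dst] = set()
                else:  # output depends on both inputs: union of their labels
                    self.reg_taint[dst] = (self.reg_taint.get(s1, set())
                                           | self.reg_taint.get(s2, set()))
            elif op == "jmp_reg":                 # sink: indirect jump target
                if self.reg_taint.get(dst):
                    self.alerts.append(f"{dst}: {sorted(self.reg_taint[dst])}")
        return self.alerts

def demo() -> List[str]:
    t = TaintTracker()
    t.taint_source(0x100, b"\x41\x42", "net_input")  # constructed untrusted bytes
    program = [("load", "r1", 0x100), ("load", "r2", 0x200),
               ("add", "r3", "r1", "r2"), ("store", 0x300, "r3"),
               ("xor", "r4", "r1", "r1"), ("jmp_reg", "r4"),   # not flagged
               ("load", "r5", 0x300), ("jmp_reg", "r5")]      # flagged
    return t.run(program)
```

The `xor r, r, r` case shows why propagation rules need care: a naive union would keep the register tainted even though its value is always zero.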

In this chapter, you’ll learn the ...

Get Practical Binary Analysis now with O’Reilly online learning.
