Uninformed: Informative Information for the Uninformed

Vol 7» 2007.May

Data Propagation

Being able to gain knowledge about the way that data propagates throughout an application can provide extremely useful insights. For example, understanding data propagation can give security researchers an idea of the areas of code that are affected, either directly or indirectly, by a buffer that is received from a network socket. In this context, having knowledge about areas affected by data would be much more valuable than simply understanding the code paths that are taken as a result of the buffer being received. Though the two may seem closely related, the areas of code affected by a buffer that is received should actually be restricted to a subset of the overall code paths taken.

Even if understanding data propagation within an application is beneficial, it may not be clear exactly how analyzing memory access behavior could make this possible. To understand how this might work, it's best to think of memory access in terms of its two basic operations: read and write. In the course of normal execution, any instruction that reads from a location in memory can be said to be dependent on the last instruction that wrote to that location. When an instruction writes to a location in memory, it can be said that any instructions that originally wrote to that location no longer have claim over it. Using these simple concepts, it is possible to build a dependency graph that shows how areas of code become dependent on one another in terms of a reader/writer relationship. This dependency graph would be dynamic and would change as a program executes just the same as the data propagation within an application would change.

At this point in time, the author has developed a very simple implementation based on the DBI strategy outlined in this paper. The current implementation is in need of further refinement, but it is capable of showing reader/writer relationships as the program executes. This area is ripe for future research.