%0 Journal Article %1 flayer2007 %A Drewry, Will %A Ormandy, Tavis %D 2007 %I Citeseer %K binary mgr todo_tags %T Flayer: Exposing Application Internals %U http://valgrind.org/docs/drewry2007.pdf %X Flayer is a tool for dynamically exposing application innards for security testing and analysis. It is implemented on the dynamic binary instrumentation framework Valgrind 17 and its memory error detection plugin, Memcheck 21. This paper focuses on the implementation of Flayer, its supporting libraries, and their application to software security. Flayer provides tainted, or marked, data flow analysis and instrumentation mechanisms for arbitrarily altering that flow. Flayer improves upon prior taint tracing tools with bit-precision. Taint propagation calculations are performed for each value-creating memory or register operation. These calculations are embedded in the target application’s running code using dynamic instrumentation. The same technique has been employed to allow the user to control the outcome of conditional jumps and step over function calls. Flayer’s functionality provides a robust foundation for the implementation of security tools and techniques. In particular, this paper presents an effective fault injection testing technique and an automation library, LibFlayer. Alongside these contributions, it explores techniques for vulnerability patch analysis and guided source code auditing. Flayer finds errors in real software. In the past year, its use has yielded the expedient discovery of flaws in security critical software including OpenSSH and OpenSSL.

@article{flayer2007, abstract = {Flayer is a tool for dynamically exposing application innards for security testing and analysis. It is implemented on the dynamic binary instrumentation framework Valgrind [17] and its memory error detection plugin, Memcheck [21]. This paper focuses on the implementation of Flayer, its supporting libraries, and their application to software security. Flayer provides tainted, or marked, data flow analysis and instrumentation mechanisms for arbitrarily altering that flow. Flayer improves upon prior taint tracing tools with bit-precision. Taint propagation calculations are performed for each value-creating memory or register operation. These calculations are embedded in the target application’s running code using dynamic instrumentation. The same technique has been employed to allow the user to control the outcome of conditional jumps and step over function calls. Flayer’s functionality provides a robust foundation for the implementation of security tools and techniques. In particular, this paper presents an effective fault injection testing technique and an automation library, LibFlayer. Alongside these contributions, it explores techniques for vulnerability patch analysis and guided source code auditing. Flayer finds errors in real software. In the past year, its use has yielded the expedient discovery of flaws in security critical software including OpenSSH and OpenSSL.}, added-at = {2009-07-16T10:40:23.000+0200}, author = {Drewry, Will and Ormandy, Tavis}, biburl = {https://www.bibsonomy.org/bibtex/29eb1b5f61177eed658a12eb885056520/gwpl}, interhash = {4a6ea18faed4ee16ffeb2c25b9c63eee}, intrahash = {9eb1b5f61177eed658a12eb885056520}, keywords = {binary mgr todo_tags}, month = {August}, note = {http://valgrind.org/docs/pubs.html http://valgrind.org/docs/drewry2007.pdf http://www.usenix.org/events/woot07/tech/full_papers/drewry/drewry_html }, organization = {Google, Inc.}, publisher = {Citeseer}, timestamp = {2009-07-16T10:40:23.000+0200}, title = {Flayer: Exposing Application Internals}, url = {http://valgrind.org/docs/drewry2007.pdf}, year = 2007 }