
Binary Analysis: Taint Analysis


When performing binary analysis you need to know which instructions influence which others, so you can pinpoint where someone can directly influence the control flow. Using taint analysis we are able to find the needle in the haystack and trace the lifetime of a value.


Intro

Since the start of Nov 2022 I’ve been working on a standalone decoder that will be capable of finding complex critical vulnerabilities with only the bytecode of a smart contract. During this time I’ve gone deep into the world of formal verification, discovering interesting techniques useful in information reconnaissance. The technique I’ll be talking about in this article is named taint analysis.

But hold on cowboy! This is a forbidden technique that wouldn’t normally cross the mind of the common folk. You must be wary and experienced in the realm of the taint to reap its rewards.

Having said that, let’s stretch this out a bit…

What is taint analysis?

First of all let me clarify what “taint” is in this context for your dirty brain!

“Taint” refers to pouring coloured dye into a stream of water to see where it flows. In our case we pick one specific opcode as the source of the “dye”: the value it produces is marked as tainted, and we follow that value through the program to see which other opcodes it flows into and influences.

For example, given the opcode sequence:

0 | PUSH1 0x01
1 | PUSH1 0x02
2 | ADD

3 | PUSH1 0x02
4 | MUL

5 | PUSH1 0x00
6 | MSTORE

7 | PUSH0
8 | PUSH1 0x20
9 | MSTORE

We want to know which other elements element [1] (PUSH1 0x02) influences.

If we follow the sequence of opcodes we can see that element [2] (ADD) pops the two values pushed by elements [0] and [1]; without both of them the stack would underflow and execution would halt with an error.

Since element [2] consumes the output of our tainted opcode [1], we now know that [2] is tainted too!

Therefore, anything else consuming [2] will also be tainted.

So, where does it end?

When an opcode consumes the last tainted element, which in this case is [6], or when the program stops: that is where the value’s lifetime ends. One caveat: [6] (MSTORE) moves the tainted value into memory at offset 0x00, so if you also track memory those 32 bytes stay tainted, and a later MLOAD that reads them would carry the taint onward. In this listing nothing reads them back (the second MSTORE writes 0x20 to 0x3f, which does not overlap), so the dye really does stop at [6].
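The procedure above, as an added example that is not part of the original article or the author’s decoder: a small forward taint tracker in Python over a straight-line EVM opcode sequence. It parses the listing format used above, dyes the values pushed by a chosen instruction, and follows the dye through stack operands and through memory, so that an MLOAD overlapping a tainted MSTORE picks the taint up (the memory tracking goes beyond what the listing needs). Everything is an assumption of this example: only the handful of opcodes in STACK_EFFECT are modelled, there are no jumps, and the extended listing is constructed for illustration.

```python
"""Forward taint propagation over straight-line EVM bytecode.

Added example for this article, not code from the author's decoder. Assumptions
(all hypothetical): only the opcodes in STACK_EFFECT are modelled, the code has no
jumps, and memory is tracked per byte so that an MLOAD overlapping a tainted
MSTORE picks the taint up.
"""
from dataclasses import dataclass
from typing import Optional

MASK = (1 << 256) - 1

# (pops, pushes) for the opcodes this toy tracker understands.
STACK_EFFECT = {
    "PUSH0": (0, 1), "PUSH1": (0, 1),
    "ADD": (2, 1), "MUL": (2, 1),
    "MSTORE": (2, 0), "MLOAD": (1, 1),
    "POP": (1, 0), "DUP1": (1, 2), "SWAP1": (2, 2),
}


@dataclass(frozen=True)
class Value:
    taint: frozenset          # indices of dyed instructions that influenced this value
    concrete: Optional[int]   # statically known value, or None


def parse_listing(text: str):
    """Parse lines shaped like '4 | MUL' or '1 | PUSH1 0x02' into (op, arg) tuples."""
    program = []
    for line in text.splitlines():
        if "|" not in line:
            continue                                     # blank separator lines
        parts = line.split("|", 1)[1].split()
        arg = int(parts[1], 16) if len(parts) > 1 else None
        program.append((parts[0], arg))
    return program


def tainted_by(program, source: int):
    """Indices of instructions that consume a value influenced by instruction `source`.

    Every value pushed by `source` carries its label; the label follows the value
    through the stack and through memory until nothing tainted is consumed any more.
    """
    stack = []
    memory = {}                 # byte offset -> taint of that byte
    wild = frozenset()          # taint written to an offset we could not resolve
    consumers = []
    for idx, (op, arg) in enumerate(program):
        pops, _ = STACK_EFFECT[op]
        if len(stack) < pops:
            raise ValueError(f"stack underflow at [{idx}] {op}")
        ops = [stack.pop() for _ in range(pops)]         # ops[0] is the top of the stack
        taint = frozenset().union(*(v.taint for v in ops))
        if op == "MLOAD":                                # memory reads inherit stored taint
            off = ops[0].concrete
            taint |= wild
            if off is None:
                taint |= frozenset().union(*memory.values())
            else:
                taint |= frozenset().union(*(memory.get(off + i, frozenset()) for i in range(32)))
        if taint:
            consumers.append(idx)                        # this instruction is tainted

        if op in ("PUSH0", "PUSH1"):
            pushed = [Value(taint, arg or 0)]
        elif op in ("ADD", "MUL"):
            a, b = ops[0].concrete, ops[1].concrete
            c = None if a is None or b is None else ((a + b) if op == "ADD" else (a * b)) & MASK
            pushed = [Value(taint, c)]
        elif op == "MLOAD":
            pushed = [Value(taint, None)]
        elif op == "MSTORE":
            off, val = ops[0].concrete, ops[1]
            if off is None:
                wild |= val.taint                        # unknown target: over-approximate
            else:
                for i in range(32):
                    memory[off + i] = val.taint          # 32-byte word, one entry per byte
            pushed = []
        elif op == "DUP1":
            pushed = [ops[0], ops[0]]
        elif op == "SWAP1":
            pushed = [ops[0], ops[1]]
        else:                                            # POP
            pushed = []
        if idx == source:                                # apply the dye at the source
            pushed = [Value(v.taint | {source}, v.concrete) for v in pushed]
        stack.extend(pushed)
    return consumers


# The article's listing, copied verbatim.
ARTICLE_LISTING = """
0 | PUSH1 0x01
1 | PUSH1 0x02
2 | ADD

3 | PUSH1 0x02
4 | MUL

5 | PUSH1 0x00
6 | MSTORE

7 | PUSH0
8 | PUSH1 0x20
9 | MSTORE
"""

# Constructed extension (not from the article): read the tainted word back and store it elsewhere.
EXTENDED_LISTING = ARTICLE_LISTING + """
10 | PUSH1 0x00
11 | MLOAD
12 | PUSH1 0x40
13 | MSTORE
"""

if __name__ == "__main__":
    print(tainted_by(parse_listing(ARTICLE_LISTING), 1))    # [2, 4, 6]
    print(tainted_by(parse_listing(EXTENDED_LISTING), 1))   # [2, 4, 6, 11, 13]
```

Dyeing [1] in the article’s listing reports [2], [4] and [6] as tainted, matching the walkthrough; in the extended listing the MLOAD at [11] reads the word that [6] stored, so the dye continues into [11] and [13]. Memory is tracked per byte rather than per word so that an unaligned read that only partly overlaps a tainted store is still caught, and an MSTORE to an offset the tracker cannot resolve is over-approximated rather than silently dropped.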

Why is it useful?

If we want to see whether a sequence of opcodes is influenced by a specific opcode, we can use taint analysis!

Then you have more detailed information about your target, allowing you to perform more precise analysis.

Final

Thank you for taking the time to read this article. I hope you found value in this, anon! Please share it with your frens and feel free to support me: 0x82828f6aFf831e0D8b366D7b33caf12B39232772 :)

Although it’s a short article, I hope you find value in this technique and use it in your endeavours!
