Computer science
Taint checking
Constraint (computer-aided design)
Static analysis
Path analysis (statistics)
Set (abstract data type)
Path (computing)
Symbolic execution
Data mining
Machine learning
Programming language
Mathematics
Software
Geometry
Authors
Chenghua Tang,Xiaolong Guan,Mengmeng Yang,Baohua Qiang
Identifier
DOI: 10.1109/icsess58500.2023.10293040
Abstract
To address the under-tainting caused by insufficient coverage in dynamic taint analysis, and its inability to perform fine-grained analysis, a dynamic taint analysis method combining symbolic execution and constraint association is proposed. First, code coverage is used to guide symbolic execution path exploration and test case generation, which improves the code coverage of dynamic taint analysis. Next, constraint association is performed according to the corresponding taint constraint transfer rules. Finally, taint summaries for dynamic taint analysis are generated from these constraint associations, reducing the time consumed by the analysis. Based on these methods, this paper designs and implements a dynamic taint analysis tool, TaintSE. The experimental results show that TaintSE effectively improves the code coverage of dynamic taint analysis and reduces the time required for analysis while preserving the accuracy of the results. On the BugBench test set, TaintSE's analysis path coverage increased by 24%–35% compared to the dynamic taint analysis tool Libdft. In addition, the accuracy and recall of the taint markers computed from the taint analysis results are better than those of Libdft, while analysis time is reduced by about 20%.