Fig. 3 Part of the value flow graph of an application.
In the VFG, nodes differ in their potential to spread taint. To assess
the effects of propagation more accurately, we extend the basic VFG into
a Weighted Value Flow Graph (WVFG). Propagation potential refers to the
extent to which a tainted variable node might affect other nodes. For
example, in Figure 3, if variable %3 is tainted, variables %4 and %10
might also be tainted. Similarly, if variable %10 is tainted, variable
%11 might be tainted as well. Therefore, the propagation potential of
node %3 is 2, while that of node %10 is 1. Nodes with higher propagation
potential are more significant for the spread of tainted data, since
once tainted they are likely to disseminate it more widely. Based on the
basic VFG, we quantify the propagation potential of each node as its
number of outgoing edges, which yields the WVFG.
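The following is an added illustration, not the paper's implementation: it builds a small value flow graph whose edges mirror the Figure 3 excerpt (%3 to %4, %3 to %10, %10 to %11; the extra node %5 is constructed), derives the WVFG weights as out-degree, and computes the forward taint closure from a chosen node so the weights can be compared with the set of variables a taint actually reaches.

```python
from collections import defaultdict, deque

# Constructed value-flow edges (def -> use). The first three follow the
# Figure 3 description in the text; the %5 -> %11 edge is made up.
VFG_EDGES = [
    ("%3", "%4"),
    ("%3", "%10"),
    ("%10", "%11"),
    ("%5", "%11"),
]


def build_vfg(edges):
    """Adjacency list keyed by defining node; pure sinks get an empty list."""
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
        graph.setdefault(dst, [])
    return graph


def propagation_potential(graph):
    """WVFG node weight: the number of outgoing value-flow edges."""
    return {node: len(succ) for node, succ in graph.items()}


def taint_reach(graph, source):
    """Forward closure: every node that taint on `source` can propagate to."""
    seen, queue = set(), deque([source])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def rank_by_potential(graph):
    """Nodes ordered by weight, highest first, as candidates for monitoring."""
    weights = propagation_potential(graph)
    return sorted(weights, key=lambda n: (-weights[n], n))


if __name__ == "__main__":
    g = build_vfg(VFG_EDGES)
    print(propagation_potential(g))        # %3 -> 2, %10 -> 1, %11 -> 0
    print(sorted(taint_reach(g, "%3")))    # ['%10', '%11', '%4']
    print(rank_by_potential(g))
```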
In OOB write bugs, the region of corrupted data varies with the overflow
length, so different memory objects become exploitable. Therefore, to
accurately assess the exploitability of a bug, we examine which objects
become exploitable under corrupted data of varying lengths. To track the
propagation of the corrupted data precisely, we employ dynamic taint
analysis, using the DataFlow Sanitizer [10] for online taint analysis.
Additionally, to detect whether the corrupted data has propagated to an
exploitable position, we need to monitor important nodes during program
execution. We employ the DataFlow Sanitizer for dynamic runtime detection
and perform inspections at various critical points during the program's
execution. The specific detection rules are outlined in Table 1.