Fig. 3: Part of the value flow graph of applications.
In the VFG, nodes differ in their potential to spread taint. To assess the effects of propagation more accurately, we extend the basic VFG into a Weighted Value Flow Graph (WVFG). Propagation potential refers to the extent to which a tainted variable node can affect other nodes. For example, in Figure 3, if variable %3 is tainted, variables %4 and %10 may also become tainted. Similarly, if variable %10 is tainted, variable %11 may become tainted as well. Therefore, the propagation potential of node %3 is 2, while that of node %10 is 1. Nodes with higher propagation potential matter more for the spread of tainted data, since once tainted they are likely to disseminate it more widely. Starting from the basic VFG, we quantify the propagation potential of each node as its number of outgoing edges, which yields the WVFG.
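The following is an added illustration, not code from the paper: it rebuilds the fragment of Figure 3 that the text describes (edges %3 -> %4, %3 -> %10, %10 -> %11, constructed here as sample input), assigns each node its WVFG weight as out-degree, and separately computes the transitive taint reach so the two notions can be compared.

```python
from collections import deque

# Value-flow edges described for Figure 3 (constructed sample input).
# An edge (a, b) means the value of a flows into b, so taint on a can reach b.
VFG_EDGES = [("%3", "%4"), ("%3", "%10"), ("%10", "%11")]


def build_vfg(edges):
    """Adjacency list; every node appears even if it has no outgoing edge."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, []).append(dst)
        graph.setdefault(dst, [])
    return graph


def propagation_potential(graph):
    """WVFG node weight: number of outgoing edges (direct successors only)."""
    return {node: len(succs) for node, succs in graph.items()}


def taint_reach(graph, source):
    """All nodes that become tainted if `source` is tainted (transitive closure)."""
    seen, queue = set(), deque([source])
    while queue:
        node = queue.popleft()
        for succ in graph.get(node, []):
            if succ not in seen:
                seen.add(succ)
                queue.append(succ)
    return seen


def rank_by_potential(graph):
    """Nodes ordered by propagation potential, highest first; ties broken by name."""
    weights = propagation_potential(graph)
    return sorted(weights, key=lambda n: (-weights[n], n))


if __name__ == "__main__":
    g = build_vfg(VFG_EDGES)
    print("weights:", propagation_potential(g))   # %3 -> 2, %10 -> 1, others 0
    print("taint from %3:", sorted(taint_reach(g, "%3")))
    print("ranking:", rank_by_potential(g))
```

Note that %3 has weight 2 (its direct successors) even though taint from %3 transitively reaches three nodes; the WVFG weight is the out-degree, as the paper defines it.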
In OOB write bugs, the corrupted memory region varies with the overflow length, so different overflow lengths expose different exploitable memory objects. Therefore, to accurately assess the exploitability of a bug, we examine which objects become exploitable under corrupted data of varying lengths. To track the propagation of the corrupted data at fine granularity, we employ dynamic taint analysis, using DataFlowSanitizer [10] for online taint tracking. Additionally, to detect whether the corrupted data has propagated to an exploitable position, we must monitor important nodes during program execution. We use DataFlowSanitizer for dynamic runtime detection and perform checks at critical points during the program's execution. The specific detection rules are outlined in Table 1.