CONFUSETAINT: Exploiting Vulnerabilities to Bypass Dynamic Taint Analysis
This program is tentative and subject to change.
Dynamic taint analysis (DTA) tracks how sensitive data flows through a program at runtime, enabling the detection of security violations such as information leaks and injection attacks. However, most DTA systems assume that memory layouts are type-safe and stable—an assumption that can be violated by type confusion. While type confusion has been studied in sandboxing and memory safety, its ability to silently bypass taint tracking without altering program behavior remains underexplored. In this paper, we present CONFUSETAINT, a technique that leverages type confusion vulnerabilities to corrupt taint metadata without modifying program semantics or the analysis tool. CONFUSETAINT exploits wide-field writes under memory reinterpretation to corrupt taint tags, breaking the integrity of tag-based tracking mechanisms commonly used in DTA systems.
We evaluate CONFUSETAINT on two widely used taint tracking frameworks: Phosphor for the JVM and TaintDroid for Android. In both cases, our attacks bypass taint tracking and allow sensitive data to reach sinks undetected—including both information leaks and injection-style flows. These results reveal a structural weakness in current DTA designs: their reliance on type-safe memory layouts leaves them vulnerable to low-level reinterpretation. Overall, our work shows that runtime-level memory reinterpretation is an overlooked threat, calling for taint tracking architectures that do not rely on fragile assumptions about type and memory layout.
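The mechanism the abstract describes (a wide-field write through a reinterpreted type that overwrites the taint tag sitting next to the data, while the data itself is left unchanged) can be shown with a small constructed model. The code below is an added illustration, not code from the CONFUSETAINT paper, Phosphor or TaintDroid. It assumes a toy tag-based tracker that packs a 32-bit tag directly after each 32-bit value, models the type confusion with a union so the out-of-type 64-bit write is well defined in C, and, as a contrast that is my assumption rather than the paper's proposal, shows that a tracker holding tags in a disjoint shadow table is not reached by the same write.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of a tag-based taint tracker (not Phosphor or TaintDroid):
   each tracked 32-bit value carries a 32-bit tag packed directly after it, and the
   tracker assumes that only accesses of this type ever touch the 8-byte slot. */
typedef struct {
    uint32_t value;
    uint32_t tag;            /* 0 = clean, nonzero = tainted */
} tagged_u32;

/* Type-confused view of the same 8 bytes: a single 64-bit field that spans both
   value and tag. The union models memory reinterpretation without relying on
   undefined pointer aliasing. */
typedef union {
    tagged_u32 typed;        /* what the tracker believes is stored here */
    uint64_t   wide;         /* what a confused wide-field write goes through */
} cell;

_Static_assert(sizeof(tagged_u32) == sizeof(uint64_t), "value and tag must pack into 8 bytes");

enum { TAG_SECRET = 1 };

/* Source: the tracker marks the secret as tainted. */
static void taint_source(cell *c, uint32_t secret) {
    c->typed.value = secret;
    c->typed.tag = TAG_SECRET;
}

/* Sink check: the tracker decides purely from the tag. */
static int sink_blocked(const cell *c) { return c->typed.tag != 0; }

/* Build the 64-bit payload: the bytes overlapping `value` keep the current value,
   the bytes overlapping `tag` become zero. The attacker is assumed to know the
   value||tag layout; deriving the payload from a scratch struct avoids hardcoding
   an endianness. */
static uint64_t tag_clearing_payload(const cell *c) {
    tagged_u32 scratch = { .value = c->typed.value, .tag = 0 };
    uint64_t payload;
    memcpy(&payload, &scratch, sizeof payload);
    return payload;
}

/* The attack: one wide write through the confused view. The program-visible value is
   unchanged, so semantics are preserved; the tag sharing the slot is silently zeroed. */
static void confuse_and_clear_tag(cell *c) {
    c->wide = tag_clearing_payload(c);
}

/* Returns 1 when the flow was blocked before the write, allowed after it, and the
   value the program sees never changed: the bypass the abstract describes. */
static int inline_tag_bypassed(uint32_t secret) {
    cell c;
    taint_source(&c, secret);
    int before = sink_blocked(&c);
    confuse_and_clear_tag(&c);
    int after = sink_blocked(&c);
    return before == 1 && after == 0 && c.typed.value == secret;
}

/* Contrast (my assumption about one alternative design, not the paper's proposal):
   the tag lives in a disjoint shadow table, never adjacent to program data. */
typedef union { uint32_t words[2]; uint64_t wide; } word_pair;
static word_pair  data_pair;
static uint8_t    shadow_tag[2];   /* shadow_tag[i] is the tag of data_pair.words[i] */

static void shadow_source(uint32_t secret) {
    data_pair.words[0] = secret;
    shadow_tag[0] = TAG_SECRET;
}

static int shadow_sink_blocked(void) { return shadow_tag[0] != 0; }

/* The same wide write: words[0] keeps the secret, words[1] is clobbered, but the
   shadow table is out of reach, so the sink still sees the taint. Returns 1 if so. */
static int shadow_tag_survives(uint32_t secret) {
    shadow_source(secret);
    word_pair scratch = { .words = { secret, 0 } };
    data_pair.wide = scratch.wide;
    return shadow_sink_blocked() == 1 && data_pair.words[0] == secret;
}

int main(void) {
    printf("inline tag bypassed by wide write: %s\n", inline_tag_bypassed(0xdeadbeefu) ? "yes" : "no");
    printf("shadow tag survives wide write:    %s\n", shadow_tag_survives(0xdeadbeefu) ? "yes" : "no");
    return 0;
}
```

The point of the contrast is structural, not a claim about any particular tool: the inline layout makes the tag reachable by any write wide enough to span the slot, whereas a tag kept in separately addressed memory is only as exposed as that memory is.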
Tue 18 Nov (displayed time zone: Seoul)
16:00 - 17:00

16:00, 10 min talk: The Gold Digger in the Dark Forest: Industrial-Scale MEV Analysis in Ethereum (Industry Showcase). Ningyu He (Hong Kong Polytechnic University), Tianyang Chi (Beijing University of Posts and Telecommunications), Xiaohui Hu (Huazhong University of Science and Technology), Haoyu Wang (Huazhong University of Science and Technology)
16:10, 10 min talk: RPG: Linux Kernel Fuzzing Guided by Distribution-Specific Runtime Parameter Interfaces (Industry Showcase). Yuhan Chen (Central South University), Yuheng Shen (Tsinghua University), Guoyu Yin (Central South University), Fan Ding (Central South University), Runzhe Wang (Alibaba Group), Tao Ma (Alibaba Group), Xiaohai Shi (Alibaba Group), Qiang Fu (Central South University), Ying Fu (Tsinghua University), Heyuan Shi (Central South University)
16:20, 10 min talk: Securing Self-Managed Third-Party Libraries (Industry Showcase). Xin Zhou (Nanjing University), Jinwei Xu (Nanjing University), He Zhang (Nanjing University), Yanjing Yang (Nanjing University), Lanxin Yang (Nanjing University), Bohan Liu (Nanjing University), Hongshan Tang (JD.com, Inc.)
16:30, 10 min talk: STaint: Detecting Second-Order Vulnerabilities in PHP Applications with LLM-Assisted Bi-Directional Static Taint Analysis (NIER Track). Yuchen Ji (ShanghaiTech University), Hongchen Cao (ShanghaiTech University), Jingzhu He (ShanghaiTech University)
16:40, 10 min talk: AdaptiveGuard: Towards Adaptive Runtime Safety for LLM-Powered Software (Industry Showcase). Rui Yang (Monash University and Transurban), Michael Fu (The University of Melbourne), Kla Tantithamthavorn (Monash University and Atlassian), Chetan Arora (Monash University), Gunel Gulmammadova (Transurban), Joey Chua (Transurban)
16:50, 10 min talk: CONFUSETAINT: Exploiting Vulnerabilities to Bypass Dynamic Taint Analysis (NIER Track)