Abstract
Modern computer exploits often involve complex dataflows. That is, they involve dangerous data (e.g., attacker data or secret data) traversing unconventional, multi-stage paths and subverting both software and hardware logic. Unfortunately, conventional methods based on Dynamic Taint Analysis (DTA) to identify such exploits—which use a monolithic “source-to-sink” policy to *implicitly* model simpler vulnerabilities—can miss such intricate dataflows.
To address this gap, this dissertation introduces *explicit vulnerability modeling*. By decomposing modern exploits into their essential sub-steps and assigning targeted taint policies for each, we can precisely capture the underlying dataflows. We validated this approach through three case studies: (i) finding *transient execution gadgets* by simulating branch mispredictions and the interplay between hardware and software bugs, (ii) constructing *data-only attack chains* by tracking attacker data into vulnerable syscall arguments and the resulting cross-syscall dependencies, and (iii) detecting *vulnerable DMA race conditions* by monitoring for hardware-level concurrency bugs and following attacker data to sensitive operations.
We evaluated each tool on large-scale, high-value codebases (e.g., the Linux kernel), discovering thousands of vulnerabilities and constructing hundreds of exploits. These results showcase the practicality of vulnerability-centric DTA in identifying and mitigating modern attacks, while also opening the door to new research directions.
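To make the distinction between an implicit source-to-sink policy and an explicit, staged model concrete, here is a small added illustration (not code from the dissertation or its tools). It runs a toy user-space taint tracker over a constructed trace in which attacker data reaches a syscall argument, the syscall's result feeds a second syscall, and that result reaches a sensitive operation; the op names, variable names and stage labels are assumptions made for the example.

```python
# Constructed toy trace (not from the dissertation). Each tuple is one event:
#   ("input", dst)            dst receives attacker-controlled data
#   ("mov", dst, src)         explicit copy in user space
#   ("call", dst, name, arg)  syscall `name` called with `arg`; result stored in dst
#   ("sink", name, arg)       sensitive operation `name` consuming `arg`
TRACE = [
    ("input", "buf"),
    ("mov", "len", "buf"),
    ("sink", "memcpy", "len"),         # simple one-hop flow: both policies see it
    ("call", "fd", "open", "len"),     # attacker data reaches a syscall argument
    ("call", "ret", "write", "fd"),    # that syscall's result feeds a second syscall
    ("sink", "free", "ret"),           # multi-stage flow reaches a sensitive operation
]


def propagate(trace, explicit):
    """Return (sink, label) findings. `explicit=False` is a monolithic
    attacker-to-sink policy; `explicit=True` adds a per-stage policy that
    models cross-syscall dependencies."""
    taint = {}        # variable -> set of taint labels
    findings = []
    for ev in trace:
        op = ev[0]
        if op == "input":
            taint[ev[1]] = {"attacker"}
        elif op == "mov":
            taint[ev[1]] = set(taint.get(ev[2], set()))
        elif op == "call":
            dst, name, arg = ev[1:]
            labels = taint.get(arg, set())
            if explicit and labels:
                # Stage policy: a tainted syscall argument makes the syscall's
                # result attacker-influenced; record the stage in the label.
                taint[dst] = {f"{lbl}>{name}" for lbl in labels}
            else:
                # The kernel computes the result, so a purely user-space
                # source-to-sink tracker has no instruction to propagate through.
                taint[dst] = set()
        elif op == "sink":
            name, arg = ev[1:]
            for lbl in sorted(taint.get(arg, set())):
                findings.append((name, lbl))
    return findings


if __name__ == "__main__":
    print("monolithic:", propagate(TRACE, explicit=False))
    print("explicit:  ", propagate(TRACE, explicit=True))
```

The monolithic policy reports only the direct `memcpy` flow, while the staged model also reports the `free` sink with the chain of syscalls the attacker data passed through.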
| Original language | English |
|---|---|
| Qualification | PhD |
| Awarding Institution | |
| Supervisors/Advisors | |
| Award date | 12 Jan 2026 |
| DOIs | |
| Publication status | Published - 12 Jan 2026 |
Keywords
- Computer Science
- Computer Security
- System Security
- Operating Systems
- Program Analysis
- Dynamic Analysis
- Compilers
- Memory Safety