Taint Dependency Sequences (TDS)

• TDS is a formalism that defines how attacker-controlled inputs flow through data and control dependencies to reach vulnerable code segments.
• It integrates static propagation and dynamic tracking techniques, enabling strategies like genetic algorithms and protocol-aware guided fuzzing.
• Practical TDS applications enhance fuzzing efficiency by pinpointing minimal mutation targets in both source-level analyses and full-system, multi-request environments.

A Taint Dependency Sequence (TDS) is a formalism and analysis construct to characterize the propagation of attacker-controllable input (taint) through a software system, connecting input sources to vulnerable code locations via explicit data and control dependencies. TDSs arise in both binary and source-level security analyses and are a foundational artifact for advanced vulnerability detection and guided fuzzing. In modern applied contexts, such as full-system firmware fuzzing, TDSs encode not only intra-process flows but also inter-process and multi-session dependencies necessary for exercising stateful, protocol-driven vulnerabilities.

1. Formal Definition and Origins

A Taint Dependency Sequence in the source-level formalism is defined as a finite sequence of program location labels $$t = \langle \ell_1, \ell_2, ..., \ell_k \rangle \in L^k$$ such that:

• $\ell_1$ is a taint source (user-controlled),
• $\ell_k$ is a vulnerable statement,
• For every $i=1...k-1$, there is a data or control dependence edge from $\ell_i$ to $\ell_{i+1}$. This definition was explored in the context of buffer overflow detection in C programs, where the goal is to statically enumerate all feasible paths by which input variables might reach a point of vulnerability (Rawat et al., 2013). TDSs generalize program slicing, capturing only those slices that connect user-controlled inputs to sinks of interest.

In full-system fuzzing, TDSs take the form: $$h = \{\text{region}, \text{offset}, \text{len}, \text{deps}\}$$, associating input byte windows with the minimal necessary region dependencies for successful propagation through the system’s code and persistent state (Izzillo et al., 22 Sep 2025).

2. Static and Dynamic Construction Algorithms

Source-Level TDS Enumeration

Static analysis uses a flow- and path-sensitive forward propagation over the code’s dependence graph. Key data structures:

• Environment map $\text{Env} : (l, v) \mapsto$ set of TDSs for variable $v$ at location $l$,
• Worklist scheduling propagation of new dependencies.

Algorithmic steps:

1. For each taint source, initialize corresponding $\text{Env}(l, v)$,
2. Propagate sequences through assignment and control statements:
   • When $v$ flows via assignments or is a branch condition, extend every sequence by the relevant label,
3. Collect fixpoint sets of TDSs for buffer/index variables at vulnerable statements. Complexity is $O(N \cdot M \cdot K)$ with $N$ locations, $M$ variables, and maximal $K$ TDSs per location-variable pair.

Whole-System Byte-Level TDS Extraction

STAFF applies whole-system taint tracking within a QEMU-based emulation, capturing both in-memory and filesystem/IPC flows:

• Each byte $b$ entering via input region $R_i$ is labeled $(i,k)$ (region and offset),
• Propagation at IR level, memory granularity,
• Cross-process/file dependencies detected by correlating writer/reader syscalls,
• Flattening and filtering minimizes the causal region-to-region dependency mapping.

Byte-level annotation is achieved via trie-matching of input subsequences to observed tainted memory events and basic block program counters. This produces a per-seed set of actionable TDS hints, with exact offset, length, and dependency regions.

3. Practical Use in Guided Fuzzing

TDSs serve as first-class artifacts for stateful and protocol-aware mutation strategies:

• Each TDS $$h = \{\text{region}, \text{offset}, \text{len}, \text{deps}\}$$ encodes the window of input to mutate and the necessary preserving context,
• The fuzzing engine uses TDSs to restrict candidate mutations to only those bytes with maximal taint impact,
• Sequence minimization ensures that replay/coverage only includes minimal chains of causally relevant requests/messages,
• Multi-staged forkservers checkpoint protocol state at mutation boundaries, optimizing high-throughput fuzzing (Izzillo et al., 22 Sep 2025).

In the source-level approach, TDSs guide a genetic algorithm, producing program inputs that maximize execution coverage along a target TDS path. The fitness function is:

$$F_i = \sum_{j=1}^k \frac{1}{freq_j \cdot j} \cdot f_{ij}$$

where $f_{ij}$ is the count of label $\ell_j$ visits under input $i$, and $freq_j$ is the global label execution frequency for population biasing toward rare/deeper labels (Rawat et al., 2013).

4. Illustrative Examples of TDS Structure and Impact

Source-Level C Example (sendmail CVE-2003-0681)

A static TDS $t_1 = \langle 21,5,7,8 \rangle$ describes propagation from the argv taint to a vulnerable strcpy in a loop. Initial population inputs are constrained by regex reflecting predicate constraints (e.g., $[a-z\$%;,@#&0-9A-Z]{16,32}$$), and the genetic algorithm evolves toward inputs exercising the targeted overflow (<a href="/papers/1305.3883" title="" rel="nofollow" data-turbo="false" class="assistant-link" x-data x-tooltip.raw="">Rawat et al., 2013</a>).</p> <h3 class='paper-heading' id='full-system-multi-request-example'>Full-System Multi-Request Example</h3> <p>Suppose a three-request HTTP session:</p> <ul> <li>$$R_0$$: <a href="https://www.emergentmind.com/topics/gaussian-equivalence-theory-get" title="" rel="nofollow" data-turbo="false" class="assistant-link" x-data x-tooltip.raw="">GET</a> /login.php</li> <li>$$R_1$$: POST /settings (e.g., “admin” at offsets 8…12)</li> <li>$$R_2$$: GET /apply (reads and propagates prior taint)</li> </ul> <p>Byte-level TDSs are identified as$$h = \{ \text{region}=1, \text{offset}=8, \text{len}=5, \text{deps}=\{0,2\} \}$, indicating that the “admin” credentials at region 1/offset 8 depend on regions 0 and 2 for correct replay and vulnerability exposure (Izzillo et al., 22 Sep 2025).

5. Comparative Evaluation and Observed Effects

Empirical analyses demonstrate the effectiveness of TDS-guided approaches compared to coverage- or random-based fuzzing/generation. In the Verisec benchmark:

• Static TDS computation times are sub-second per program,
• TDS-GA reaches crashes in 6–35 generations, with 100% success on challenging paths, outperforming coverage-based and random methods that fail on deep or character-constrained sequences (Rawat et al., 2013).

STAFF, applying TDS-based protocol-aware mutations, identified 42 multi-request, multi-daemon vulnerabilities across 15 embedded firmware targets, with reproducible exploits and coverage unattainable by single-process/stateless fuzzers (Izzillo et al., 22 Sep 2025).

6. Contextual Significance and Future Directions

TDS formalism unifies static taint propagation with dynamic symbolic, genetic, and coverage-driven approaches. Its utility extends from micro-level buffer analysis in monolithic C codebases to macro-level orchestration of stateful interactions in modern embedded or distributed systems.

A plausible implication is that the applicability of TDS will scale with increasing system complexity and protocol heterogeneity; further advances may integrate TDS extraction with symbolic execution, multi-language analysis, and real-time protocol discovery workflows to identify classes of vulnerabilities presently unreachable by traditional techniques. Existing frameworks such as STAFF demonstrate the operationalization of TDSs as mutation and replay primitives for advanced vulnerability discovery in persistent, stateful environments.