Dynamic taint propagation: Finding vulnerabilities without attacking

Cited by: 11
Authors
Chess, Brian [1]
West, Jacob [1]
Affiliation
[1] Fortify Software, San Mateo, CA
Source
Information Security Technical Report | 2008 / Vol. 13 / Issue 01
Keywords
Quality assurance; Security; Software; Taint propagation; Vulnerability detection;
DOI
10.1016/j.istr.2008.02.003
Abstract
We apply dynamic taint propagation to find input validation bugs using less effort than typical security testing. We monitor a target program as it executes in order to track untrusted user input. Our system works in conjunction with normal functional testing, so effort devoted to functional testing can be directly leveraged to uncover vulnerabilities. The result is that we achieve higher test coverage (and therefore find more bugs) than typical security testing techniques and make it practical for quality assurance organizations with no security experience to test the security of the software they examine. © 2008 Elsevier Ltd. All rights reserved.
Pages: 33-39
Page count: 6