Flayer is a tool for dynamically exposing application
innards for security testing and analysis. It is implemented
on the dynamic binary instrumentation framework
Valgrind  and its memory error detection plugin,
Memcheck . This paper focuses on the implementation
of Flayer, its supporting libraries, and their application
to software security.
Flayer provides tainted, or marked, data flow analysis
and instrumentation mechanisms for arbitrarily altering
that flow. Flayer improves upon prior taint tracing
tools with bit-precision. Taint propagation calculations
are performed for each value-creating memory or register
operation. These calculations are embedded in the
target application’s running code using dynamic instrumentation.
The same technique has been employed to allow
the user to control the outcome of conditional jumps
and step over function calls.
Flayer’s functionality provides a robust foundation for
the implementation of security tools and techniques. In
particular, this paper presents an effective fault injection
testing technique and an automation library, LibFlayer.
Alongside these contributions, it explores techniques for
vulnerability patch analysis and guided source code auditing.
Flayer finds errors in real software. In the past year, its
use has yielded the expedient discovery of flaws in security
critical software including OpenSSH and OpenSSL.