Mystra: Declarative Dynamic Taint Analysis via Shadow Virtual Machine

📅 2026-07-13
📈 Citations: 0
✹ Influential: 0
📄 PDF
🀖 AI Summary
This work addresses the high overhead and engine dependency of existing dynamic taint analysis techniques in interpreted languages, which stem from the tight coupling of runtime observation with taint logic and the lack of a general abstraction. The authors propose a shadow virtual machine architecture that decouples taint semantics from host execution through a declarative language called Mystra, enabling multi-level tainting, source tracking, and cross-call-context propagation. Key innovations include the first declarative higher-order taint rules, a formal and language-model-friendly Mystra specification, constant-time rule dispatch, and ahead-of-time (AOT) compilation supporting multiple runtimes (V8, SpiderMonkey, CPython). Experiments show that the V8 implementation achieves 95.5% recall with zero false positives on SecBench.js, and incurs only 1.85× runtime overhead on Node.js—22.7× faster than NodeMedic-FINE while improving recall by 33.2%.
📝 Abstract
Dynamic taint analysis (DTA) for interpreted languages like JavaScript and Python requires three capabilities: observing host-runtime operations, maintaining parallel taint states, and defining how taint propagates. Existing systems couple these capabilities within an instrumentation mechanism -- source-rewriting or engine-native -- either incurring high runtime overhead or demanding engine-specific embeddings. There is yet to be a runtime-independent abstraction of a general DTA that separates taint semantics and state transitions from how a host runtime observes and executes them. We set out to develop a DTA engine that is extensible, performant, and accurate. To achieve this, we introduce a Shadow Virtual Machine executing alongside host runtimes that tracks multi-level taint, provenance, and cross-invocation context. We design Mystra, a declarative taint specification language with formal operational semantics. Mystra is designed to be language model friendly, and is equipped with validators enabling trustworthy automated synthesis of rules. Mystra is also the first to express higher-order function taint transfer declaratively. Further, Mystra rules are compiled ahead of time to a binary representation and dispatch in constant runtime. We implement our vision into a tool named Shar, which contains a shared core engine and instantiations on three runtimes: V8 in both Node.js and Chromium (embedding), SpiderMonkey (engine), and CPython (language). Accuracy wise, on SecBench.js (493 in-scope CVEs across four CWE categories), our V8 instantiation achieves 95.5% recall with zero false positives on patched-version testing. Regarding performance, the runtime overhead of Shar is only 1.85$\times$ over vanilla Node.js on NodeMedic's benchmarks, and is 22.7$\times$ lower than NodeMedic-FINE on identical workloads, all the while producing 33.2% higher recall in its supported categories.
Problem

Research questions and friction points this paper is trying to address.

Dynamic Taint Analysis
Interpreted Languages
Runtime Independence
Taint Semantics
Instrumentation Overhead
Innovation

Methods, ideas, or system contributions that make the work stand out.

Shadow Virtual Machine
Declarative Taint Specification
Dynamic Taint Analysis
Runtime-Independent Abstraction
Higher-Order Function Taint
🔎 Similar Papers
No similar papers found.