software-engineering-and-security/ConfuseTaint
ConfuseTaint

What is ConfuseTaint?

ConfuseTaint is an open-source research prototype that demonstrates how type confusion vulnerabilities can be used to silently bypass dynamic taint analysis (DTA). It targets popular taint tracking frameworks such as Phosphor (JVM) and TaintDroid (Android), corrupting taint metadata without altering program semantics or triggering runtime errors.

ConfuseTaint leverages type confusion to write through a field that is wider than the one actually stored at that location; the wide write spills over into the taint metadata kept next to the value and erases or manipulates the taint tag without changing the value itself. This reveals a structural weakness in shadow memory–based taint tracking designs: the tracker assumes type safety and a fixed memory layout, and both assumptions can be broken at runtime.
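The following added example (not code from ConfuseTaint, Phosphor or TaintDroid) is a toy model of the weakness described above. It assumes an interleaved shadow-memory layout in which every 4-byte int field is immediately followed by a 4-byte taint-tag slot, and a little-endian byte order; the field names, the `ConfusedView` type and the label constant are invented for the illustration. A write through a view that believes the first field is an 8-byte long covers both the value and its tag; choosing the long so that its low 32 bits equal the old value leaves the program's result unchanged while the tag is zeroed, so the sink check no longer fires.

```python
import struct

# Assumed toy layout (not Phosphor's or TaintDroid's real metadata layout):
# each 4-byte int field is followed by its 4-byte taint-tag slot.
SLOT = 8                                   # bytes per (value, tag) pair
TAG_OFF = 4                                # tag sits right after the value
LAYOUT = {"password": 0, "counter": 1}     # field name -> slot index (assumed)
TAINT_PASSWORD = 0x1                       # label bit for data from the password source


class TaintSinkError(Exception):
    """Raised when a tagged value reaches a sink (the behaviour Phosphor shows)."""


class TaintedObject:
    """An object whose int fields carry adjacent taint tags in one buffer."""

    def __init__(self):
        self.mem = bytearray(SLOT * len(LAYOUT))

    def store_int(self, name, value, tag=0):
        base = LAYOUT[name] * SLOT
        struct.pack_into("<i", self.mem, base, value)
        struct.pack_into("<I", self.mem, base + TAG_OFF, tag)

    def load_int(self, name):
        return struct.unpack_from("<i", self.mem, LAYOUT[name] * SLOT)[0]

    def tag_of(self, name):
        return struct.unpack_from("<I", self.mem, LAYOUT[name] * SLOT + TAG_OFF)[0]


class ConfusedView:
    """The same bytes viewed as a type whose first field is an 8-byte long.

    A store through this view is the wide-field overwrite: it covers the
    4-byte value and the 4-byte tag slot that follows it.
    """

    def __init__(self, victim):
        self.mem = victim.mem

    def store_long(self, index, value):
        struct.pack_into("<q", self.mem, index * SLOT, value)


def sink(obj, name):
    """Network-style sink: rejects tagged data, returns untagged data."""
    if obj.tag_of(name):
        raise TaintSinkError(f"tagged value {obj.load_int(name)} flowed to sink")
    return obj.load_int(name)


def baseline():
    """Honest program: the tainted password is stopped at the sink."""
    obj = TaintedObject()
    obj.store_int("password", 3444, tag=TAINT_PASSWORD)
    try:
        sink(obj, "password")
        return "leak"
    except TaintSinkError:
        return "alert"


def confused():
    """Same program plus one type-confused write.

    The long written has the old value in its low 32 bits and zero in its
    high 32 bits, which is exactly the tag slot: the value survives, the tag
    does not, and the sink lets the password through.
    """
    obj = TaintedObject()
    obj.store_int("password", 3444, tag=TAINT_PASSWORD)
    view = ConfusedView(obj)
    value = obj.load_int("password")
    view.store_long(0, value & 0xFFFFFFFF)   # little-endian: bytes 4..7 become 0
    try:
        return "leak", sink(obj, "password"), obj.tag_of("password")
    except TaintSinkError:
        return "alert", None, obj.tag_of("password")


if __name__ == "__main__":
    print("baseline:", baseline())
    print("confused:", confused())
```

The model deliberately keeps the sink check honest: it is not bypassed by skipping the check but by making the metadata the check relies on disappear, which is why the tracker reports nothing and the program's observable behaviour is unchanged.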

If you use ConfuseTaint in your research, please cite the following paper:

Yufei Wu and Alexandre Bartel, CONFUSETAINT: Exploiting Vulnerabilities to Bypass Dynamic Taint Analysis, in Proceedings of the 40th IEEE/ACM International Conference on Automated Software Engineering (ASE), Seoul, South Korea, 2025. [bib] [pdf]

Phosphor

Phosphor is tested on Mac and Linux. It may not work on Windows.

Requirements

  • Java Development Kit (JDK) == 1.8.0_111
  • Apache Maven 3.6.0+

Baseline Example

To track the flow of information through classes in the Java Class Library (JCL), such as java.lang.String and java.util.List, Phosphor must instrument the bytecode of JCL classes. Therefore, the first step when using Phosphor is to create an instrumented Java installation (i.e., Java Development Kit or Java Runtime Environment).

cd TaintDemo
java -jar phosphor-driver-0.1.0.jar /Library/Java/JavaVirtualMachines/jdk1.8.0_111.jdk/Contents/Home/jre/ jdk8-inst

then build the package:

mvn clean package

Run with Phosphor:

./jdk8-inst/bin/java -Xbootclasspath/a:Phosphor-0.1.0.jar -javaagent:Phosphor-0.1.0.jar=taintSources=sources,taintSinks=sinks -cp target/classes org.example.Main

output:

Exception in thread "main" edu.columbia.cs.psl.phosphor.runtime.TaintSinkError: Taint [Labels = [[AutoTaintLabel [source=org/example/Main.mySource()I, trace=[edu.columbia.cs.psl.phosphor.runtime.TaintSourceWrapper.autoTaint(TaintSourceWrapper.java:102), org.example.Main.mySource(Main.java:5), org.example.Main.main(Main.java:12), org.example.Main.main(Main.java)]]]] flowed to sink! Value: 1234
        at edu.columbia.cs.psl.phosphor.runtime.TaintSourceWrapper.taintViolation(TaintSourceWrapper.java:214)
        at edu.columbia.cs.psl.phosphor.runtime.TaintSourceWrapper.checkTaint(TaintSourceWrapper.java:167)
        at org.example.Main.mySink(Main.java)
        at org.example.Main.main(Main.java:13)
        at org.example.Main.main(Main.java)

ConfuseTaint Example

Creating an Instrumented Java Installation:

cd phosphorDemo
java -jar phosphor-driver-0.1.0.jar /Library/Java/JavaVirtualMachines/jdk1.8.0_111.jdk/Contents/Home/jre/ jdk8-inst

then build the package:

mvn clean package

Run with Phosphor:

./jdk8-inst/bin/java -Xbootclasspath/a:Phosphor-0.1.0.jar -javaagent:Phosphor-0.1.0.jar=taintSources=sources,taintSinks=sinks -cp target/classes a.b.c.WMirror

If the taint tags survived, Phosphor would report the flow from getPassword() to the sink, just as in the baseline:

wm.b class a.b.c.ObjectB
wm.b class a.b.c.ObjectA
Exception in thread "main" edu.columbia.cs.psl.phosphor.runtime.TaintSinkError: Taint [Labels = [[AutoTaintLabel [source=a/b/c/ObjectA.getPassword()I, trace=[edu.columbia.cs.psl.phosphor.runtime.TaintSourceWrapper.autoTaint(TaintSourceWrapper.java:102), a.b.c.ObjectA.getPassword(ObjectA.java:7), a.b.c.WMirror.main(WMirror.java:22), a.b.c.WMirror.main(WMirror.java)]]]] flowed to sink! Value: 3444
        at edu.columbia.cs.psl.phosphor.runtime.TaintSourceWrapper.taintViolation(TaintSourceWrapper.java:214)
        at edu.columbia.cs.psl.phosphor.runtime.TaintSourceWrapper.checkTaint(TaintSourceWrapper.java:167)
        at a.b.c.ObjectA.mySink(ObjectA.java)
        at a.b.c.WMirror.main(WMirror.java:31)
        at a.b.c.WMirror.main(WMirror.java)

With the injected type confusion in place, however, the actual output is:

wm.b class a.b.c.ObjectB
wm.b class a.b.c.ObjectA
toto: 3444

The tainted password (3444) reaches the sink and is printed, and Phosphor raises no TaintSinkError: the taint tag was erased without changing the value the program computes.
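The two runs above differ only in whether a TaintSinkError appears, which is easy to miss when reading console output by hand. The script below is an added example, not part of the ConfuseTaint repository: it runs the documented Phosphor command for a main class and classifies the combined stdout/stderr as an alert or a silent bypass, extracting the reported source and value when an alert is present. The sample outputs embedded for testing are the two console transcripts shown above; the defaults for the JDK path, agent jar and class directory are assumed to match the layout produced by the steps in this README.

```python
import re
import subprocess

SINK_ERROR = "edu.columbia.cs.psl.phosphor.runtime.TaintSinkError"
SOURCE_RE = re.compile(r"AutoTaintLabel \[source=([^,\]]+)")
VALUE_RE = re.compile(r"flowed to sink! Value: (\S+)")

# Constructed from the two transcripts in this README (baseline and ConfuseTaint run).
BASELINE_OUTPUT = (
    'Exception in thread "main" ' + SINK_ERROR + ": Taint [Labels = [[AutoTaintLabel "
    "[source=org/example/Main.mySource()I, trace=[org.example.Main.mySource(Main.java:5)]]]] "
    "flowed to sink! Value: 1234\n"
    "\tat org.example.Main.main(Main.java:13)\n"
)
BYPASS_OUTPUT = "wm.b class a.b.c.ObjectB\nwm.b class a.b.c.ObjectA\ntoto: 3444\n"


def classify(output):
    """Summarise one Phosphor run from its combined stdout/stderr text."""
    source = SOURCE_RE.search(output)
    value = VALUE_RE.search(output)
    return {
        "alert": SINK_ERROR in output,
        "source": source.group(1) if source else None,
        "value": value.group(1) if value else None,
    }


def verdict(result, expect_alert):
    """'ok' when the run behaved as expected, otherwise a one-line explanation."""
    if result["alert"] == expect_alert:
        return "ok"
    if expect_alert:
        return "bypass: tainted data reached the sink without a TaintSinkError"
    return f"alert from {result['source']} (value {result['value']})"


def run_demo(main_class, jdk="./jdk8-inst", agent="Phosphor-0.1.0.jar",
             classes="target/classes"):
    """Run the README's Phosphor command for main_class and classify the result.

    Assumed defaults: the instrumented JDK in ./jdk8-inst, the agent jar and the
    compiled classes in the current demo directory, as produced by the steps above.
    """
    cmd = [
        f"{jdk}/bin/java",
        f"-Xbootclasspath/a:{agent}",
        f"-javaagent:{agent}=taintSources=sources,taintSinks=sinks",
        "-cp", classes, main_class,
    ]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return classify(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Baseline must alert; the ConfuseTaint demo is expected to slip past the sink.
    for main_class, expect_alert in [("org.example.Main", True), ("a.b.c.WMirror", False)]:
        result = run_demo(main_class)
        print(main_class, result, verdict(result, expect_alert))
```

Running it from the respective demo directory gives one line per class; a `bypass:` verdict on the baseline would mean the instrumented JDK or the agent configuration is wrong, while an `alert from` verdict on `a.b.c.WMirror` would mean the type confusion did not take effect in that environment.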

TaintDroid

For TaintDroid images, please refer to this link.

Requirements

  • Operating System Linux
  • Java Development Kit (JDK) 1.6.0_45 (recommended for compatibility with legacy tools)
  • Android Emulator 35.4.9.0
  • Netcat (nc command)

Steps

  1. Keep a listener on local port 12345 so that the demo applications have a network sink to send their data to; TaintDroid reports the leak when tainted data reaches that socket. The loop restarts nc after every connection:
while true; do nc -lvnp 12345; done
  2. Run the emulator using the pre-configured taint-enabled kernel and images:
cd taintDroidDemo
emulator \
  -kernel kernel-goldfish-xattr-2.6.29 \
  -system system.img \
  -userdata userdata-qemu.img \
  -ramdisk ramdisk.img \
  -writable-system \
  -no-snapshot \
  -netdelay none \
  -netspeed full \
  -qemu

⚠️ If you encounter errors related to missing AVDs, consider creating a dummy AVD using avdmanager, or downgrade to Emulator 29.x.

Tested Environment

This artifact has only been tested under the following setup:

  • Emulator version: 35.4.9.0
  • OS: Ubuntu 24.04
  • Build environment: Full AOSP 4.3_r1 + TaintDroid source tree

Build commands:

. build/envsetup.sh
lunch full-eng
emulator -kernel kernel-goldfish-xattr-2.6.29

If the emulator starts successfully, you should see two applications, Original and My Application, both of which send synthetic recording data to a local port. Original is the unmodified program; My Application is the version with the injected vulnerability. First open the TaintDroid Notify Controller app and start it, then launch each of the two applications in turn and click "start recording" followed by "stop recording". Original triggers a TaintDroid alert; My Application does not, even though it sends its recording data as well.
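The nc loop in step 1 shows that a connection arrived but keeps no record of it, so the claim that My Application exfiltrates without an alert cannot be checked afterwards. The listener below is an added example, not part of the ConfuseTaint artifact: it accepts connections on port 12345 like the nc loop does, but appends one JSON line per connection (time, peer, size, preview) to a log file, so the payloads from both applications can be compared against the TaintDroid notifications. The log file name is assumed; the sample peer address and payload in the usage are constructed.

```python
import datetime
import json
import socket

LOG_PATH = "sink-12345.log"   # assumed log file name


def record_payload(peer, data, now=None):
    """Build one log entry for a received payload (pure, so it is easy to test)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return {
        "time": now.isoformat(),
        "peer": f"{peer[0]}:{peer[1]}",
        "bytes": len(data),
        "preview": data[:64].decode("utf-8", errors="replace"),
    }


def read_all(conn, timeout=5):
    """Drain one connection until the peer closes it or goes quiet."""
    conn.settimeout(timeout)
    chunks = []
    try:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    except socket.timeout:
        pass
    return b"".join(chunks)


def serve(port=12345, log_path=LOG_PATH, max_connections=None):
    """Accept connections like `while true; do nc -lvnp 12345; done`, but log every payload.

    Returns the number of connections handled (unbounded unless max_connections is set).
    """
    handled = 0
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen()
        while max_connections is None or handled < max_connections:
            conn, peer = srv.accept()
            with conn:
                entry = record_payload(peer, read_all(conn))
            with open(log_path, "a") as log:
                log.write(json.dumps(entry) + "\n")
            print(entry)
            handled += 1
    return handled


if __name__ == "__main__":
    # Constructed sample entry, then the real listener (Ctrl-C to stop).
    print(record_payload(("10.0.2.15", 51234), b"recording data 3444"))
    serve()
```

Inside the emulator the host's loopback interface is reachable as 10.0.2.2, so the demo applications are assumed to target that address; after exercising both apps, the log should contain an entry for each of them while the TaintDroid notification appears only for Original.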

About

A proof-of-concept that exploits type confusion to bypass dynamic taint analysis.