Finding Application Data Leaks with Privacy Scope

Source Code

You can download the source code of Privacy Scope from To run the Privacy Scope, you need to install Pin version 25945 on Windows. You may download a copy from or locally.
README PrivacyScope
[Last updated: Oct 26, 2010 by Jaeyeon Jung ( and David Zhu (]

0. Environment for testing:
IDE: Microsoft Visual Studio 2008 Professional Edition
Windows XP Service pack 3
Pin Kit Version 25945 (vc9):

1. Installation
1.1. Install Pin by extracting it to a directory %PINROOT%
     This step includes coping dbghelp.dll from ../../privacyscope/msdebugdll/
     to ia32\bin directory. 

1.2. Extract the source code to the following location:
     %PINROOT%\source\tools (using windows backslash)
1.3. Open PrivacyScope.sln and build project using Visual Studio
1.4. The built library is at privacyscope\Release\PrivacyScope.dll

2. Run (see for details of running a Pin tool)
2.1 After the tool dll is built as shown in the Installation section
2.1 1. Open command prompt cmd.exe
2.2 Go to the release directory mentioned above.
2.3. ..\..\..\..\pin.bat -t PrivacyScope -- [Path to application]

3. Logging
PrivacyScope generates logs in the privacyscope\Release directory

4.1 See for demo
4.2 There are several hot keys designated to interact with PrivacyScope 
    Alt + < : starts the capturing of tainted input
    Alt + >: stops the capturing of tainted input
    Alt + `: resets the taint map 

    Note that Alt key combination does not work reliably. It is strongly re commanded that you 
    monitor the privacyscope log to make sure that the hotkey is received by the Privacy Scope. For instance,
    Alt + < generates the following log message
    [MSG] start tracking keyboard input
    Alt + > generates the following log message
    [MSG] stop tracking keyboard input
    Alt + ' generates the following log message
    [MSG] reset the taint map

4.3 Useful log messages
    When a tainted data is written to a file:
    [MSG] writeIns writes new tainted file ( \pin-2.6-25945-msvc9-ia32_intel64-windows\source\tools\
    nsdi2010\Release\finally.txt )
    [DBG] print tainted buffer at 0xf36c0 length 11
    [TBF] hello [TS]taint[TE]

    When a tainted data is sent to the network: (e.g., typing 000 (Alt + <) 01111 (Alt + >) in the form at and clicking the "Submit" button)
    [MSG] checkSend sends tainted data to at port 0x50
    [DBG] print tainted buffer at 0x13c2b780 length 938
    [TBF] POST /cgi-bin/ HTTP/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
    application/x-shockwave-flash, application/, application/, application/msword, 
    application/x-ms-application, application/x-ms-xbap, application/, application/xaml+xml, 
    */*..Referer: en-us..
    Content-Type: application/x-www-form-urlencoded..UA-CPU: x86..Accept-Encoding: gzip, deflate..
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; EmbeddedWB 14.52 from: 
    EmbeddedWB 14.52; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04506.648; 
    .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)..Host: 69..
    Connection: Keep-Alive..Cache-Control: no-cache....paymentType=American+Express&
    [DBG] entered writeIns