Since we perform this analysis at the hardware level, we need an emulation environment that we can instrument for our needs. Right from the beginning of our project we strove to keep the changes introduced to Qemu as small as possible, so that the patch set to maintain is minimal.

The workhorse of the Qemu emulator is its dynamic translator. To emulate a target system, every instruction that the target wants to execute has to be translated into host code and then executed. Recalling that a translation block does not contain any jumps and thus consists only of successive instructions, we perform the above checks at translation block granularity.

A taint-sensitive sink is an action that takes place in the system and that, if executed with tainted data, triggers a specific reaction. [...] While in the previous section we described how our tainting algorithm is implemented [...]

Like the TEB for threads, the process environment block holds information about a process that needs to be accessed frequently. [...] that points to the top of the stack. When a process is created, a single 4 KB page is allocated for its handle table, which can hold up to 256 handles, and more memory is assigned to it only if needed. [...] are used as an index into this page.
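The following is an added illustration, not code from the paper or from Qemu: a hypothetical toy machine with shadow taint bits on registers and memory bytes, in which a block is straight-line code that may end in a jump. Taint is propagated per instruction (load, store, move, add), and the taint-sensitive sink check is performed once per block, at its terminating indirect jump, mirroring the translation-block granularity described above. The instruction set, the register/memory sizes, the choice of an indirect jump as the sink, and the input bytes are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical toy machine (not Qemu): 4 registers, 64 bytes of memory,
 * each with a shadow taint flag. 32-bit loads/stores are little-endian. */
enum { NREG = 4, MEMSZ = 64 };

typedef enum { OP_LOAD, OP_STORE, OP_MOV, OP_ADD, OP_JMPR } Op;
typedef struct { Op op; int a; int b; } Insn;   /* meaning of a,b depends on op */

typedef struct {
    uint32_t reg[NREG]; bool reg_t[NREG];   /* register file + taint bits */
    uint8_t  mem[MEMSZ]; bool mem_t[MEMSZ]; /* memory + per-byte taint */
    uint32_t pc;
} Vm;

typedef enum { BLK_OK, BLK_TAINTED_SINK, BLK_MALFORMED } BlkResult;

static void vm_init(Vm *vm) { memset(vm, 0, sizeof *vm); }

/* Taint source: bytes arriving from outside the system are copied into
 * guest memory and every byte is marked tainted. */
static void vm_input(Vm *vm, int addr, const uint8_t *buf, int n)
{
    for (int i = 0; i < n; i++) { vm->mem[addr + i] = buf[i]; vm->mem_t[addr + i] = true; }
}

static uint32_t load32(const Vm *vm, int addr, bool *taint)
{
    uint32_t v = 0; *taint = false;
    for (int i = 0; i < 4; i++) {
        v |= (uint32_t)vm->mem[addr + i] << (8 * i);
        *taint |= vm->mem_t[addr + i];      /* any tainted byte taints the word */
    }
    return v;
}

static void store32(Vm *vm, int addr, uint32_t v, bool taint)
{
    for (int i = 0; i < 4; i++) { vm->mem[addr + i] = (uint8_t)(v >> (8 * i)); vm->mem_t[addr + i] = taint; }
}

/* Execute one block. A block has no jump except possibly its last
 * instruction, so taint is propagated per instruction and the sink check
 * (indirect jump through a register) runs once, at the block end. */
static BlkResult exec_block(Vm *vm, const Insn *blk, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        const Insn *in = &blk[i];
        switch (in->op) {
        case OP_LOAD:  /* reg[a] = mem32[b] */
            vm->reg[in->a] = load32(vm, in->b, &vm->reg_t[in->a]); break;
        case OP_STORE: /* mem32[b] = reg[a] */
            store32(vm, in->b, vm->reg[in->a], vm->reg_t[in->a]); break;
        case OP_MOV:   /* reg[a] = reg[b], taint copied */
            vm->reg[in->a] = vm->reg[in->b]; vm->reg_t[in->a] = vm->reg_t[in->b]; break;
        case OP_ADD:   /* reg[a] += reg[b], tainted if either operand is */
            vm->reg[in->a] += vm->reg[in->b];
            vm->reg_t[in->a] = vm->reg_t[in->a] || vm->reg_t[in->b]; break;
        case OP_JMPR:  /* sink: control transfer to the address in reg[a] */
            if (i != n - 1) return BLK_MALFORMED;   /* a jump must end the block */
            if (vm->reg_t[in->a]) return BLK_TAINTED_SINK;
            vm->pc = vm->reg[in->a]; return BLK_OK;
        }
    }
    vm->pc += (uint32_t)n;
    return BLK_OK;
}

/* Constructed scenario: input at mem[0..3] flows through a load, an add
 * and a store/reload into the target of an indirect jump. */
static BlkResult run_tainted_jump(void)
{
    Vm vm; vm_init(&vm);
    const uint8_t input[4] = { 0x78, 0x56, 0x34, 0x12 };   /* constructed input */
    vm_input(&vm, 0, input, 4);
    vm.reg[1] = 0x10;                                      /* untainted constant */
    const Insn blk[] = {
        { OP_LOAD,  0, 0 },   /* r0 = mem32[0]   (tainted) */
        { OP_ADD,   0, 1 },   /* r0 += r1        (still tainted) */
        { OP_STORE, 0, 8 },   /* mem32[8] = r0   (taint follows the store) */
        { OP_LOAD,  2, 8 },   /* r2 = mem32[8]   (tainted) */
        { OP_JMPR,  2, 0 },   /* jmp r2          -> sink fires */
    };
    return exec_block(&vm, blk, sizeof blk / sizeof blk[0]);
}

/* Same input present in memory, but the jump target comes from a clean register. */
static BlkResult run_clean_jump(void)
{
    Vm vm; vm_init(&vm);
    const uint8_t input[4] = { 0x78, 0x56, 0x34, 0x12 };
    vm_input(&vm, 0, input, 4);
    vm.reg[1] = 0x10;
    const Insn blk[] = {
        { OP_LOAD, 0, 0 },    /* tainted load that never reaches the jump */
        { OP_MOV,  2, 1 },    /* r2 = r1 (clean) */
        { OP_JMPR, 2, 0 },
    };
    return exec_block(&vm, blk, sizeof blk / sizeof blk[0]);
}

int main(void)
{
    printf("tainted block: %d, clean block: %d\n", run_tainted_jump(), run_clean_jump());
    return 0;
}
```

Because the sink check sits at the block end rather than after every instruction, the per-instruction work is reduced to shadow-bit propagation; the block-level check is sound only because no control transfer can occur in the middle of the block, which is exactly the property of a translation block that the text relies on.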