Abstract
Dynamic data flow tracking (DFT) deals with tagging and tracking data of interest as they propagate during program execution. DFT has been repeatedly implemented by a variety of tools for numerous purposes, including protection from zero-day and cross-site scripting attacks, detection and prevention of information leaks, and for the analysis of legitimate and malicious software. We present libdft, a dynamic DFT framework that unlike previous work is at once fast, reusable, and works with commodity software and hardware. libdft provides an API for building DFT-enabled tools that work on unmodified binaries, running on common operating systems and hardware, thus facilitating research and rapid prototyping. We explore different approaches for implementing the low-level aspects of instruction-level data tracking, introduce a more efficient and 64-bit capable shadow memory, and identify (and avoid) the common pitfalls responsible for the excessive performance overhead of previous studies. We evaluate libdft using real applications with large codebases like the Apache and MySQL servers, and the Firefox web browser. We also use a series of benchmarks and utilities to compare libdft with similar systems. Our results indicate that it performs at least as fast as, if not faster than, previous solutions, and to the best of our knowledge, we are the first to evaluate the performance overhead of a fast dynamic DFT implementation in such depth. Finally, libdft is freely available as open source software.
Published in VEE '12: Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution Environments.