skip to main content
10.1145/2872362.2872403acmconferencesArticle/Chapter ViewAbstractPublication PagesasplosConference Proceedingsconference-collections
research-article

PIFT: Predictive Information-Flow Tracking

Published:25 March 2016Publication History

ABSTRACT

Phones today carry sensitive information and have a great number of ways to communicate that data. As a result, malware that steal money, information, or simply disable functionality have hit the app stores. Current security solutions for preventing undesirable data leaks are mostly high-overhead and have not been practical enough for smartphones. In this paper, we show that simply monitoring just some instructions (only memory loads and stores) it is possible to achieve low overhead, highly accurate information flow tracking. Our method achieves 98% accuracy (0% false positive and 2% false negative) over DroidBench and was able to successfully catch seven real-world malware instances that steal phone number, location, and device ID using SMS messages and HTTP connections.

References

  1. Run-time ABI for the ARM architecture. http://infocenter.arm.com/help/topic/com.arm.doc.ihi0043d/IHI0043D_rtabi.pdf.Google ScholarGoogle Scholar
  2. Bbench-gem5. http://www.m5sim.org/BBench-gem5.Google ScholarGoogle Scholar
  3. Dalvik bytecode. https://source.android.com/devices/tech/dalvik/dalvik-bytecode.html.Google ScholarGoogle Scholar
  4. DroidBench Version 1.1. http://sseblog.ec-spride.de/tools/droidbench/.Google ScholarGoogle Scholar
  5. S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. Le Traon, D. Octeau, and P. McDaniel. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI, 2014.Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. N. Binkert, B. Beckmann, G. Black, S. K. Reinhardt, A. Saidi, A. Basu, J. Hestness, D. R. Hower, T. Krishna, S. Sardashti, R. Sen, K. Sewell, M. Shoaib, N. Vaish, M. D. Hill, and D. A. Wood. The gem5 simulator. SIGARCH Comput. Archit. News, 39 (2): 1--7, Aug. 2011.Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. Y. Cao, Y. Fratantonio, A. Bianchi, M. Egele, C. Kruegel, G. Vigna, and Y. Chen. Edgeminer: Automatically detecting implicit control flow transitions through the android framework. In Proceedings of the 22nd Network and Distributed System Security Symposium, NDSS, 2015.Google ScholarGoogle ScholarCross RefCross Ref
  8. M. Dalton, H. Kannan, and C. Kozyrakis. Raksha: A flexible information flow architecture for software security. In Proceedings of the 34th Annual International Symposium on Computer Architecture, ISCA, 2007.Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, OSDI, 2010.Google ScholarGoogle Scholar
  10. C. Gibler, J. Crussell, J. Erickson, and H. Chen. Androidleaks: Automatically detecting potential privacy leaks in android applications on a large scale. In Proceedings of the 5th International Conference on Trust and Trustworthy Computing, TRUST, 2012.Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. A. Ho, M. Fetterman, C. Clark, A. Warfield, and S. Hand. Practical taint-based protection using demand emulation. In Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems, EuroSys, 2006.Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. M. G. Kang, S. McCamant, P. Poosankam, and D. Song. Dta+: Dynamic taint analysis with targeted control-flow propagation. In phProceedings of the 18th Network and Distributed System Security Symposium, NDSS, 2011.Google ScholarGoogle Scholar
  13. K. Lu, Z. Li, V. Kemerlis, Z. Wu, L. Lu, C. Zheng, Z. Qian, W. Lee, and G. Jiang. Checking more and alerting less: Detecting privacy leakages via enhanced data-flow analysis and peer voting. In Proceedings of the 22nd Network and Distributed System Security Symposium, NDSS, 2015.Google ScholarGoogle ScholarCross RefCross Ref
  14. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the 12th Network and Distributed System Security Symposium, NDSS, 2005.Google ScholarGoogle Scholar
  15. F. Qin, C. Wang, Z. Li, H.-s. Kim, Y. Zhou, and Y. Wu. Lift: A low-overhead practical information flow tracking system for detecting security attacks. In Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture, MICRO, 2006.Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. G. E. Suh, J. Lee, and S. Devadas. Secure program execution via dynamic information flow tracking. In Proceedings of the 11th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS, 2004.Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. M. Tiwari, B. Agrawal, S. Mysore, J. Valamehr, and T. Sherwood. A small cache of large ranges: Hardware methods for efficiently searching, storing, and updating big dataflow tags. In Proceedings of the 41st Annual IEEE/ACM International Symposium on Microarchitecture, MICRO, 2008.Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. M. Tiwari, H. M. Wassel, B. Mazloom, S. Mysore, F. T. Chong, and T. Sherwood. Complete information flow tracking from the gates up. In Proceedings of the 14th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS, 2009.Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. G. Venkataramani, I. Doudalis, Y. Solihin, and M. Prvulovic. Flexitaint: A programmable accelerator for dynamic taint propagation. In Proceedings of the 14th IEEE International Symposium on High Performance Computer Architecture, HPCA, 2008.Google ScholarGoogle ScholarCross RefCross Ref
  20. E. Witchel, J. Cates, and K. Asanović. Mondrian memory protection. In Proceedings of the 10th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS, 2002.Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. L. K. Yan and H. Yin. Droidscope: Seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis. In Proceedings of the 21st USENIX Conference on Security Symposium, Security, 2012.Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda. Panorama: Capturing system-wide information flow for malware detection and analysis. In Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS, 2007.Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. D. Y. Zhu, J. Jung, D. Song, T. Kohno, and D. Wetherall. Tainteraser: Protecting sensitive data leaks using application-level taint tracking. SIGOPS Oper. Syst. Rev., 45 (1): 142--154, 2011.Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. PIFT: Predictive Information-Flow Tracking

    Recommendations

    Comments

    Login options

    Check if you have access through your login credentials or your institution to get full access on this article.

    Sign in
    • Published in

      cover image ACM Conferences
      ASPLOS '16: Proceedings of the Twenty-First International Conference on Architectural Support for Programming Languages and Operating Systems
      March 2016
      824 pages
      ISBN:9781450340915
      DOI:10.1145/2872362
      • General Chair:
      • Tom Conte,
      • Program Chair:
      • Yuanyuan Zhou

      Copyright © 2016 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 25 March 2016

      Permissions

      Request permissions about this article.

      Request Permissions

      Check for updates

      Qualifiers

      • research-article

      Acceptance Rates

      ASPLOS '16 Paper Acceptance Rate53of232submissions,23%Overall Acceptance Rate535of2,713submissions,20%

      Upcoming Conference

    PDF Format

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader