Abstract
Full-system, fine-grained taint tracking has proven to be an effective approach to malware detection, especially for privacy-breaching malware and kernel buffer overflow exploits. On-demand emulation brings such a taint tracking framework to the cloud by dynamically switching a running system between virtualized and emulated execution. However, given the complexity of the cloud environment, it still incurs a high performance overhead. In this paper, we propose an approach to practical malware detection using elastic taint tracking, which sets the granularity and strategy of taint tracking according to the security requirements of the cloud applications. It comprises a script-based taint tracking configuration file, automatic deployment and triggering of taint sources based on both data flow and control flow, and a customizable security detection method. We present a prototype implementation named CloudTaint built on the Xen virtualization environment. The experimental results indicate that CloudTaint detects malware in the cloud effectively, with acceptable performance overhead, by using elastic taint tracking.
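The abstract names two policy knobs of elastic taint tracking: the tracking granularity and whether taint propagates along control flow as well as data flow. The following added example (not CloudTaint's code, nor anything from the paper; the `Policy` class, the instruction set and both scenarios are assumptions constructed here) is a toy shadow-memory interpreter that makes those trade-offs visible. Byte-level granularity avoids a false alert when only the clean part of a partially tainted buffer reaches a sink, while variable-level granularity raises one; control-flow propagation catches a one-bit leak through a branch that pure data-flow tracking misses.

```python
"""Toy elastic taint tracker: per-byte or per-variable shadow labels, with
optional implicit-flow (control-flow) propagation. Added illustration only;
it models none of CloudTaint's actual mechanisms."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Stand-in for a script-based tracking configuration (assumed shape)."""
    granularity: str = "byte"          # "byte" (fine-grained) or "variable"
    control_flow: bool = True          # also propagate through branch conditions
    sources: set = field(default_factory=lambda: {"net_recv"})
    sinks: set = field(default_factory=lambda: {"net_send", "file_write"})


class TaintVM:
    """Tiny interpreter over named byte-string variables with a taint shadow."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.values = {}      # var -> bytes
        self.shadow = {}      # var -> list[bool] (per byte) or bool (per variable)
        self.pc_stack = []    # taint of the conditions of enclosing branches
        self.alerts = []      # (sink, var) pairs where tainted data reached a sink

    def _mark(self, data, tainted):
        if self.policy.granularity == "byte":
            return [tainted] * len(data)
        return tainted

    def _is_tainted(self, var):
        t = self.shadow[var]
        return any(t) if isinstance(t, list) else t

    def _set(self, var, data, shadow):
        # Anything written inside a branch on tainted data inherits that taint
        # when the policy enables control-flow propagation.
        if self.policy.control_flow and any(self.pc_stack):
            shadow = self._mark(data, True)
        self.values[var] = data
        self.shadow[var] = shadow

    def read(self, var, data, source):
        """Input from `source`; tainted if the policy lists it as a source."""
        self._set(var, data, self._mark(data, source in self.policy.sources))

    def const(self, var, data):
        self._set(var, data, self._mark(data, False))

    def concat(self, dst, a, b):
        data = self.values[a] + self.values[b]
        ta, tb = self.shadow[a], self.shadow[b]
        shadow = ta + tb if isinstance(ta, list) else (ta or tb)
        self._set(dst, data, shadow)

    def slice(self, dst, src, start, end):
        data = self.values[src][start:end]
        t = self.shadow[src]
        shadow = t[start:end] if isinstance(t, list) else t   # coarse mode over-taints
        self._set(dst, data, shadow)

    def branch(self, cond_var):
        """Enter a branch whose condition depends on cond_var."""
        self.pc_stack.append(self._is_tainted(cond_var))

    def end_branch(self):
        self.pc_stack.pop()

    def write(self, var, sink):
        """Output to `sink`; record an alert if tainted data reaches a listed sink."""
        if sink in self.policy.sinks and self._is_tainted(var):
            self.alerts.append((sink, var))


def run_slice_scenario(policy):
    """Constructed: a tainted request header is concatenated with a clean page
    body, and only the clean body bytes are written to disk."""
    vm = TaintVM(policy)
    vm.read("hdr", b"GET /", "net_recv")     # 5 tainted bytes from the network
    vm.const("body", b"static-page")          # 11 clean bytes
    vm.concat("buf", "hdr", "body")
    vm.slice("out", "buf", 5, 16)             # exactly the clean body
    vm.write("out", "file_write")
    return len(vm.alerts)


def run_implicit_flow_scenario(policy):
    """Constructed: one bit of tainted input is copied into a fresh variable
    purely through a branch, with no data copy."""
    vm = TaintVM(policy)
    vm.read("secret", b"A", "net_recv")
    vm.const("flag", b"0")
    vm.branch("secret")                       # condition depends on tainted data
    if vm.values["secret"] == b"A":
        vm.const("flag", b"1")
    vm.end_branch()
    vm.write("flag", "net_send")
    return len(vm.alerts)


if __name__ == "__main__":
    print("byte/variable granularity alerts:",
          run_slice_scenario(Policy(granularity="byte")),
          run_slice_scenario(Policy(granularity="variable")))
    print("control flow on/off alerts:",
          run_implicit_flow_scenario(Policy(control_flow=True)),
          run_implicit_flow_scenario(Policy(control_flow=False)))
```

The two scenarios are the trade-off an elastic policy lets an operator choose per application: finer granularity costs more shadow state and propagation work but removes the false positive in the first scenario, and control-flow propagation costs extra tracking on every tainted branch but is what detects the leak in the second.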
Acknowledgments
The work is supported by National Natural Science Foundation of China under Grant No.61370106, and National 973 Basic Research Program of China under grant No.2014CB340600.
Cite this article
Yuan, J., Qiang, W., Jin, H. et al. CloudTaint: an elastic taint tracking framework for malware detection in the cloud. J Supercomput 70, 1433–1450 (2014). https://doi.org/10.1007/s11227-014-1235-5