Abstract
Dynamic data flow tracking (DFT) deals with tagging and tracking data of interest as they propagate during program execution. DFT has been repeatedly implemented by a variety of tools for numerous purposes, including protection from zero-day and cross-site scripting attacks, detection and prevention of information leaks, and for the analysis of legitimate and malicious software. We present libdft, a dynamic DFT framework that unlike previous work is at once fast, reusable, and works with commodity software and hardware. libdft provides an API for building DFT-enabled tools that work on unmodified binaries, running on common operating systems and hardware, thus facilitating research and rapid prototyping. We explore different approaches for implementing the low-level aspects of instruction-level data tracking, introduce a more efficient and 64-bit capable shadow memory, and identify (and avoid) the common pitfalls responsible for the excessive performance overhead of previous studies. We evaluate libdft using real applications with large codebases like the Apache and MySQL servers, and the Firefox web browser. We also use a series of benchmarks and utilities to compare libdft with similar systems. Our results indicate that it performs at least as fast, if not faster, than previous solutions, and to the best of our knowledge, we are the first to evaluate the performance overhead of a fast dynamic DFT implementation in such depth. Finally, libdft is freely available as open source software.
- M. Attariyan and J. Flinn. Automating configuration troubleshooting with dynamic information flow analysis. In Proc. of the 9th OSDI, pages 237--250, 2010. Google Scholar
Digital Library
- E. Bosman, A. Slowinska, and H. Bos. Minemu: The World's Fastest Taint Tracker. In Proc. of the 14$^th$ RAID, pages 1--20, 2011. Google Scholar
Digital Library
- S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-Oriented Programming without Returns. In Proc. of the 17th CCS, pages 559--572, 2010. Google Scholar
Digital Library
- J. Chow, T. Garfinkel, and P. M. Chen. Decoupling dynamic program analysis from execution in virtual environments. In Proc. of the 2008 USENIX ATC, pages 1--14. Google Scholar
Digital Library
- J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding Data Lifetime via Whole System Simulation. In Proc. of the 13th USENIX Security, pages 321--336, 2004. Google Scholar
Digital Library
- J. Clause, W. Li, and A. Orso. Dytan: A Generic Dynamic Taint Analysis Framework. In Proc. of the 2007 ISSTA, pages 196--206. Google Scholar
Digital Library
- M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-End Containment of Internet Worms. In Proc. of the 20th SOSP, pages 133--147, 2005. Google Scholar
Digital Library
- J. R. Crandall and F. T. Chong. Minos: Control Data Attack Prevention Orthogonal to Memory Model. In Proc. of the 37th MICRO, pages 221--232, 2004. Google Scholar
Digital Library
- M. Dalton, H. Kannan, and C. Kozyrakis. Real-World Buffer Overflow Protection for Userspace & Kernelspace. In Proc. of the 17th USENIX Security, pages 395--410, 2008. Google Scholar
Digital Library
- W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proc. of the 9th OSDI, pages 393--407, 2010. Google Scholar
Digital Library
- A. Ermolinskiy, S. Katti, S. Shenker, L. Fowler, and M. McCauley. Towards Practical Taint Tracking. Technical Report UCB/EECS-2010--92, EECS Dept., University of California, Berkeley, USA, 2010.Google Scholar
- B. Ford and R. Cox. Vx32: Lightweight User-level Sandboxing on the x86. In Proc. of the 2008 USENIX ATC, pages 293--306. Google Scholar
Digital Library
- A. Ho, M. Fetterman, C. Clark, A. Warfield, and S. Hand. Practical Taint-based Protection using Demand Emulation. In Proc. of the 2006 EuroSys, pages 29--41. Google Scholar
Digital Library
- K. Jee, G. Portokalidis, V. P. Kemerlis, S. Ghosh, D. I. August, and A. D. Keromytis. A General Approach for Efficiently Accelerating Software-based Dynamic Data Flow Tracking on Commodity Hardware. In Proc. of the 19th NDSS, 2012.Google Scholar
- M. G. Kang, S. McCamant, P. Poosankam, and D. Song. DTA+: Dynamic Taint Analysis with Targeted Control-Flow Propagation. In Proc. of the 18th NDSS, 2011.Google Scholar
- C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood. Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation. In Proc. of the 2005 PLDI, pages 190--200. Google Scholar
Digital Library
- A. C. Myers. JFlow: Practical Mostly-Static Information Flow Control. In Proc. of the $26^th$ POPL, pages 228--241, 1999. Google Scholar
Digital Library
- J. Newsome and D. Song. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In Proc. of the 12th NDSS, 2005.Google Scholar
- E. B. Nightingale, D. Peek, P. M. Chen, and J. Flinn. Parallelizing Security Checks on Commodity Hardware. In Proc. of the 13th ASPLOS, pages 308--318, 2008. Google Scholar
Digital Library
- G. Portokalidis and H. Bos. Eudaemon: Involuntary and On-Demand Emulation Against Zero-Day Exploits. In Proc. of the 2008 EuroSys, pages 287--299. Google Scholar
Digital Library
- G. Portokalidis, A. Slowinska, and H. Bos. Argos: an Emulator for Fingerprinting Zero-Day Attacks. In Proc. of the 2006 EuroSys, pages 15--27. Google Scholar
Digital Library
- F. Qin, C. Wang, Z. Li, H.-S. Kim, Y. Zhou, and Y. Wu. LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks. In Proc. of the 39th MICRO, pages 135--148, 2006. Google Scholar
Digital Library
- A. Slowinska and H. Bos. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. In Proc. of the 2009 EuroSys, pages 61--74. Google Scholar
Digital Library
- G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure Program Execution via Dynamic Information Flow Tracking. In Proc. of the 11th ASPLOS, pages 85--96, 2004. Google Scholar
Digital Library
- N. Vachharajani, M. J. Bridges, J. Chang, R. Rangan, G. Ottoni, J. A. Blome, G. A. Reis, M. Vachharajani, and D. I. August. RIFLE: An Architectural Framework for User-Centric Information-Flow Security. In Proc. of the 37th MICRO, pages 243--254, 2004. Google Scholar
Digital Library
- G. Venkataramani, I. Doudalis, Y. Solihin, and M. Prvulovic. Flexitaint: A Programmable Accelerator for Dynamic Taint Propagation. In Proc. of the 14th HPCA, pages 173--184, 2008.Google Scholar
Cross Ref
- T. Wang, T. Wei, G. Gu, and W. Zou. TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection. In Proc. of the 31st IEEE S&P, pages 497--512, 2010. Google Scholar
Digital Library
- W. Xu, S. Bhatkar, and R. Sekar. Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks. In Proc. of the 15th USENIX Security, pages 121--136, 2006. Google Scholar
Digital Library
- A. Zavou, G. Portokalidis, and A. D. Keromytis. Taint-Exchange: A Generic System for Cross-process and Cross-host Taint Tracking. In Proc. of the 6th IWSEC, pages 113--128, 2011. Google Scholar
Digital Library
- N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazières. Making Information Flow Explicit in HiStar. In Proc. of the 7th OSDI, pages 263--278, 2006. Google Scholar
Digital Library
- D. Zhu, J. Jung, D. Song, T. Kohno, and D. Wetherall. TaintEraser: Protecting Sensitive Data Leaks Using Application-Level Taint Tracking. SIGOPS Oper. Syst. Rev., 45 (1): 142--154, 2011. Google Scholar
Digital Library
Index Terms
libdft: practical dynamic data flow tracking for commodity systems
Recommendations
libdft: practical dynamic data flow tracking for commodity systems
VEE '12: Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution EnvironmentsDynamic data flow tracking (DFT) deals with tagging and tracking data of interest as they propagate during program execution. DFT has been repeatedly implemented by a variety of tools for numerous purposes, including protection from zero-day and cross-...
API Chaser: Anti-analysis Resistant Malware Analyzer
RAID 2013: Proceedings of the 16th International Symposium on Research in Attacks, Intrusions, and Defenses - Volume 8145API Application Programming Interface monitoring is an effective approach for quickly understanding the behavior of malware. It has been widely used in many malware countermeasures as their base. However, malware authors are now aware of the situation ...
Apposcopy: semantics-based detection of Android malware through static analysis
FSE 2014: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software EngineeringWe present Apposcopy, a new semantics-based approach for identifying a prevalent class of Android malware that steals private user information. Apposcopy incorporates (i) a high-level language for specifying signatures that describe semantic ...







Comments