Compiler-based Attack Origin Tracking with Dynamic Taint Analysis
Pages 175 - 191
Abstract
Over the last decade, many exploit mitigations based on Control Flow Integrity (CFI) have been developed to secure programs from being hijacked by attackers. However, most of them only abort the protected application after attack detection, producing no further information for attack analysis. Solely restarting the application leaves it open for repeated attack attempts. We propose Resilient CFI, a compiler-based CFI approach that utilizes dynamic taint analysis to detect code pointer overwrites and trace attacks back to their origin. Gained insights can be used to identify attackers and exclude them from further communication with the application. We implemented our approach as extension to LLVM’s Dataflow Sanitizer, an actively maintained data-flow tracking engine. Our results show that control-flow hijacking attempts can be reliably detected. Compared to previous approaches based on Dynamic Binary Instrumentation, our compiler-based static instrumentation introduces less run-time overhead: on average 3.52x for SPEC CPU2017 benchmarks and 1.56x for the real-world web server NginX.
References
[1]
Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control-flow integrity. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, pp. 340–353. CCS 2005, Association for Computing Machinery, NY (2005)
[2]
Banerjee, S., Devecsery, D., Chen, P.M., Narayanasamy, S.: Iodine: fast dynamic taint tracking using rollback-free optimistic hybrid analysis. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 490–504. IEEE, San Francisco, CA (2019)
[3]
Burow, N., et al.: Control-flow integrity: precision, security, and performance. ACM Comput. Surv. 50(1), 16:1–16:33 (2017)
[4]
Carlini, N., Barresi, A., Payer, M., Wagner, D., Gross, T.R.: Control-flow bending: on the effectiveness of control-flow integrity. In: 24th USENIX Security Symposium, pp. 161–176 (2015)
[5]
Chen, S., Xu, J., Nakka, N., Kalbarczyk, Z., Iyer, R.K.: Defeating memory corruption attacks via pointer taintedness detection. In: 2005 International Conference on Dependable Systems and Networks (DSN 2005), pp. 378–387 (2005)
[6]
Cheng, W., Zhao, Q., Yu, B., Hiroshige, S.: TaintTrace: efficient flow tracing with dynamic binary rewriting. In: 11th IEEE Symposium on Computers and Communications (ISCC 2006), pp. 749–754 (2006)
[7]
Clause, J., Li, W., Orso, A.: Dytan: a generic dynamic taint analysis framework. In: Proceedings of the 2007 International Symposium on Software Testing and Analysis, pp. 196–206. ISSTA 2007, Association for Computing Machinery, NY (2007)
[8]
Dalton, M., Kannan, H., Kozyrakis, C.: Raksha: a flexible information flow architecture for software security. In: Proceedings of the 34th Annual International Symposium on Computer Architecture, pp. 482–493. ISCA 2007, Association for Computing Machinery, NY (2007)
[9]
Devecsery D, Chen PM, Flinn J, and Narayanasamy S Optimistic hybrid analysis: accelerating dynamic analysis through predicated static analysis ACM SIGPLAN Not. 2018 53 2 348-362
[10]
Katsunuma, S., et al.: Base address recognition with data flow tracking for injection attack detection. In: 2006 12th Pacific Rim International Symposium on Dependable Computing (PRDC 2006), pp. 165–172 (2006)
[11]
Kemerlis VP, Portokalidis G, Jee K, and Keromytis AD libdft: practical dynamic data flow tracking for commodity systems ACM SIGPLAN Not. 2012 47 7 121-132
[12]
Luk CK et al. Pin: building customized program analysis tools with dynamic instrumentation ACM SIGPLAN Not. 2005 40 6 190-200
[13]
Necula GC, McPeak S, Rahul SP, and Weimer W Horspool RN CIL: intermediate language and tools for analysis and transformation of C programs Compiler Construction 2002 Heidelberg Springer 213-228
[14]
Newsome, J., Song, D.: Dynamic taint analysis: automatic detection, analysis, and signature generation of exploit attacks on commodity software. In: Proceedings of the 12th Network and Distributed Systems Security Symposium (2005)
[15]
Suh, G.E., Lee, J.W., Zhang, D., Devadas, S.: Secure program execution via dynamic information flow tracking. In: Proceedings of the 11th International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 85–96. ASPLOS XI, Association for Computing Machinery, Boston, MA (2004)
[16]
Tice, C., et al.: Enforcing forward-edge control-flow integrity in GCC & LLVM. In: 23rd USENIX Security Symposium, pp. 941–955 (2014)
[17]
Xu, W., Bhatkar, S., Sekar, R.: Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks. In: 15th USENIX Security Symposium (2006)
Index Terms
- Compiler-based Attack Origin Tracking with Dynamic Taint Analysis
Index terms have been assigned to the content through auto-classification.
Recommendations
Using Precise Taint Tracking for Auto-sanitization
PLAS '17: Proceedings of the 2017 Workshop on Programming Languages and Analysis for SecurityTaint analysis has been used in numerous scripting languages such as Perl and Ruby to defend against various form of code injection attacks, such as cross-site scripting (XSS) and SQL-injection. However, most taint analysis systems simply fail when ...
Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution
Fuzz testing has proven successful in finding security vulnerabilities in large programs. However, traditional fuzz testing tools have a well-known common drawback: they are ineffective if most generated inputs are rejected at the early stage of program ...
Tainting is not pointless
Pointer tainting is a form of Dynamic Information Flow Tracking used primarily to prevent software security attacks such as buffer overflows. Researchers have also applied pointer tainting to malware and virus analysis.
A recent paper by Slowinska and ...
Comments
Information & Contributors
Information
Published In
Dec 2021
438 pages
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022.
Publisher
Springer-Verlag
Berlin, Heidelberg
Publication History
Published: 01 December 2021
Author Tags
Qualifiers
- Article
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 0Total Downloads
- Downloads (Last 12 months)0
- Downloads (Last 6 weeks)0
Reflects downloads up to 30 Aug 2024
Other Metrics
Citations
View Options
View options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in