DOI: 10.1145/1519065.1519073
Research article

Pointless tainting?: evaluating the practicality of pointer tainting

Published: 01 April 2009

    Abstract

    This paper evaluates pointer tainting, an incarnation of Dynamic Information Flow Tracking (DIFT), which has recently become an important technique in system security. Pointer tainting has been used for two main purposes: detection of privacy-breaching malware (e.g., trojan keyloggers obtaining the characters typed by a user), and detection of memory corruption attacks against non-control data (e.g., a buffer overflow that modifies a user's privilege level). In both of these cases the attacker does not modify control data such as stored branch targets, so the control flow of the target program does not change. Phrased differently, in terms of instructions executed, the program behaves 'normally'. As a result, these attacks are exceedingly difficult to detect. Pointer tainting is considered one of the only methods for detecting them in unmodified binaries. Unfortunately, almost all of the incarnations of pointer tainting are flawed. In particular, we demonstrate that the application of pointer tainting to the detection of keyloggers and other privacy-breaching malware is problematic. We also discuss whether pointer tainting is able to reliably detect memory corruption attacks against non-control data. Pointer tainting itself generates the conditions for false positives. We analyse the problems in detail and investigate various ways to improve the technique. Most have serious drawbacks: they are either impractical (and still incur many false positives), and/or cripple the technique's ability to detect attacks. In conclusion, we argue that depending on architecture and operating system, pointer tainting may have some value in detecting memory corruption attacks (albeit with false negatives and not on the popular x86 architecture), but it is fundamentally not suitable for automated detection of privacy-breaching malware such as keyloggers.
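The two outcomes the abstract contrasts, as an added example that is not the paper's code: a toy shadow-memory model in which a keystroke is the tainted source. Under plain DIFT a keylogger's table lookup launders the taint and the leak is missed; under pointer tainting the same lookup is caught, but the same rule also taints a benign program's hash-bucket lookup and every value reached through it, which is the false-positive condition the abstract describes. The addresses, the translation table and the hash bucket are constructed for this example.

```python
# Toy shadow-memory model, written for this page (not the paper's code).
# Every cell holds (value, taint); "tainted" means derived from a keystroke.
# Two propagation policies are compared:
#   plain DIFT:       taint follows copies and arithmetic only
#   pointer tainting: a load through a tainted ADDRESS also taints the value
def add(a, b):
    """Arithmetic on (value, taint) pairs: result is tainted if either input is."""
    return (a[0] + b[0], a[1] or b[1])

def load(mem, addr, pointer_tainting):
    """Load mem[addr]; under pointer tainting a tainted address taints the data."""
    val, t = mem[addr[0]]
    return (val, t or (pointer_tainting and addr[1]))

def keylogger_lookup(pointer_tainting):
    """Trojan keylogger translating a tainted scancode through an untainted table.
    Returns the taint bit of the character it would write to its log file."""
    TABLE = 0x100                        # constructed table base, untainted
    mem = {TABLE + i: (ord('a') + i, False) for i in range(26)}
    scancode = (3, True)                 # constructed keystroke: tainted input
    ch = load(mem, add((TABLE, False), scancode), pointer_tainting)
    return ch[1]                         # True means the leak would be detected

def benign_hash_lookup(pointer_tainting):
    """Benign program: the same tainted byte selects a hash bucket, the program
    follows the bucket's record pointer and reads an unrelated field (e.g. a
    config setting). Returns the taint bit of that unrelated value."""
    BUCKETS, RECORD = 0x200, 0x300       # constructed addresses
    mem = {
        RECORD: (42, False),             # record.config_value, never touched by input
        BUCKETS + 3: (RECORD, False),    # bucket 3 holds a pointer to the record
    }
    key = (3, True)                      # constructed tainted input byte
    bucket = load(mem, add((BUCKETS, False), key), pointer_tainting)  # pointer
    field = load(mem, bucket, pointer_tainting)                       # record field
    return field[1]                      # True means a false positive if written out

if __name__ == "__main__":
    for policy in (False, True):
        print("pointer_tainting=%s: keylogger detected=%s, benign flagged=%s"
              % (policy, keylogger_lookup(policy), benign_hash_lookup(policy)))
```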




        Published In

        EuroSys '09: Proceedings of the 4th ACM European conference on Computer systems
        April 2009
        342 pages
        ISBN: 9781605584829
        DOI: 10.1145/1519065

        Publisher

        Association for Computing Machinery, New York, NY, United States

        Author Tags

        1. dynamic taint analysis
        2. pointer tainting

        Conference

        EuroSys '09
        EuroSys '09: Fourth EuroSys Conference 2009
        April 1 - 3, 2009
        Nuremberg, Germany

        Acceptance Rates

        Overall Acceptance Rate 241 of 1,308 submissions, 18%

        Article Metrics

        • Downloads (Last 12 months)22
        • Downloads (Last 6 weeks)3
        Reflects downloads up to 10 Aug 2024

        Cited By

        • (2023) A Survey on Thwarting Memory Corruption in RISC-V. ACM Computing Surveys 56(2):1-29. DOI 10.1145/3604906. Online publication date: 17-Jun-2023
        • (2022) Dynamic Taint Analysis with Label-Defined Semantics. Proceedings of the 19th International Conference on Managed Programming Languages and Runtimes, 64-84. DOI 10.1145/3546918.3546927. Online publication date: 14-Sep-2022
        • (2022) Script Tainting Was Doomed From The Start (By Type Conversion): Converting Script Engines into Dynamic Taint Analysis Frameworks. Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses, 380-394. DOI 10.1145/3545948.3545969. Online publication date: 26-Oct-2022
        • (2022) TAG: Tagged Architecture Guide. ACM Computing Surveys 55(6):1-34. DOI 10.1145/3533704. Online publication date: 7-Dec-2022
        • (2022) FSAFlow: Lightweight and Fast Dynamic Path Tracking and Control for Privacy Protection on Android Using Hybrid Analysis with State-Reduction Strategy. 2022 IEEE Symposium on Security and Privacy (SP), 2114-2129. DOI 10.1109/SP46214.2022.9833764. Online publication date: May-2022
        • (2022) Hybrid Pruning: Towards Precise Pointer and Taint Analysis. Detection of Intrusions and Malware, and Vulnerability Assessment, 1-22. DOI 10.1007/978-3-031-09484-2_1. Online publication date: 24-Jun-2022
        • (2021) Challenges and Opportunities for Practical and Effective Dynamic Information Flow Tracking. ACM Computing Surveys 55(1):1-33. DOI 10.1145/3483790. Online publication date: 23-Nov-2021
        • (2020) Metering Graphical Data Leakage with Snowman. Proceedings of the 25th ACM Symposium on Access Control Models and Technologies, 1-12. DOI 10.1145/3381991.3395598. Online publication date: 10-Jun-2020
        • (2020) The Taint Rabbit: Optimizing Generic Taint Analysis with Dynamic Fast Path Generation. Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, 622-636. DOI 10.1145/3320269.3384764. Online publication date: 5-Oct-2020
        • (2020) Neutaint: Efficient Dynamic Taint Analysis with Neural Networks. 2020 IEEE Symposium on Security and Privacy (SP), 1527-1543. DOI 10.1109/SP40000.2020.00022. Online publication date: May-2020
