research-article

libdft: practical dynamic data flow tracking for commodity systems

Authors:

Vasileios P. Kemerlis,

Georgios Portokalidis,

Angelos D. KeromytisAuthors Info & Claims

VEE '12: Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution Environments

Pages 121 - 132

https://doi.org/10.1145/2151024.2151042

Published: 03 March 2012 Publication History

Abstract

Dynamic data flow tracking (DFT) deals with tagging and tracking data of interest as they propagate during program execution. DFT has been repeatedly implemented by a variety of tools for numerous purposes, including protection from zero-day and cross-site scripting attacks, detection and prevention of information leaks, and for the analysis of legitimate and malicious software. We present libdft, a dynamic DFT framework that unlike previous work is at once fast, reusable, and works with commodity software and hardware. libdft provides an API for building DFT-enabled tools that work on unmodified binaries, running on common operating systems and hardware, thus facilitating research and rapid prototyping. We explore different approaches for implementing the low-level aspects of instruction-level data tracking, introduce a more efficient and 64-bit capable shadow memory, and identify (and avoid) the common pitfalls responsible for the excessive performance overhead of previous studies. We evaluate libdft using real applications with large codebases like the Apache and MySQL servers, and the Firefox web browser. We also use a series of benchmarks and utilities to compare libdft with similar systems. Our results indicate that it performs at least as fast, if not faster, than previous solutions, and to the best of our knowledge, we are the first to evaluate the performance overhead of a fast dynamic DFT implementation in such depth. Finally, libdft is freely available as open source software.

References

[1]

M. Attariyan and J. Flinn. Automating configuration troubleshooting with dynamic information flow analysis. In Proc. of the 9th OSDI, pages 237--250, 2010.

Digital Library

[2]

E. Bosman, A. Slowinska, and H. Bos. Minemu: The World's Fastest Taint Tracker. In Proc. of the 14$^th$ RAID, pages 1--20, 2011.

Digital Library

[3]

S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-Oriented Programming without Returns. In Proc. of the 17th CCS, pages 559--572, 2010.

Digital Library

[4]

J. Chow, T. Garfinkel, and P. M. Chen. Decoupling dynamic program analysis from execution in virtual environments. In Proc. of the 2008 USENIX ATC, pages 1--14.

Digital Library

[5]

J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding Data Lifetime via Whole System Simulation. In Proc. of the 13th USENIX Security, pages 321--336, 2004.

Digital Library

[6]

J. Clause, W. Li, and A. Orso. Dytan: A Generic Dynamic Taint Analysis Framework. In Proc. of the 2007 ISSTA, pages 196--206.

Digital Library

[7]

M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-End Containment of Internet Worms. In Proc. of the 20th SOSP, pages 133--147, 2005.

Digital Library

[8]

J. R. Crandall and F. T. Chong. Minos: Control Data Attack Prevention Orthogonal to Memory Model. In Proc. of the 37th MICRO, pages 221--232, 2004.

Digital Library

[9]

M. Dalton, H. Kannan, and C. Kozyrakis. Real-World Buffer Overflow Protection for Userspace & Kernelspace. In Proc. of the 17th USENIX Security, pages 395--410, 2008.

Digital Library

[10]

W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proc. of the 9th OSDI, pages 393--407, 2010.

Digital Library

[11]

A. Ermolinskiy, S. Katti, S. Shenker, L. Fowler, and M. McCauley. Towards Practical Taint Tracking. Technical Report UCB/EECS-2010--92, EECS Dept., University of California, Berkeley, USA, 2010.

[12]

B. Ford and R. Cox. Vx32: Lightweight User-level Sandboxing on the x86. In Proc. of the 2008 USENIX ATC, pages 293--306.

Digital Library

[13]

A. Ho, M. Fetterman, C. Clark, A. Warfield, and S. Hand. Practical Taint-based Protection using Demand Emulation. In Proc. of the 2006 EuroSys, pages 29--41.

Digital Library

[14]

K. Jee, G. Portokalidis, V. P. Kemerlis, S. Ghosh, D. I. August, and A. D. Keromytis. A General Approach for Efficiently Accelerating Software-based Dynamic Data Flow Tracking on Commodity Hardware. In Proc. of the 19th NDSS, 2012.

[15]

M. G. Kang, S. McCamant, P. Poosankam, and D. Song. DTA+: Dynamic Taint Analysis with Targeted Control-Flow Propagation. In Proc. of the 18th NDSS, 2011.

[16]

C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood. Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation. In Proc. of the 2005 PLDI, pages 190--200.

Digital Library

[17]

A. C. Myers. JFlow: Practical Mostly-Static Information Flow Control. In Proc. of the $26^th$ POPL, pages 228--241, 1999.

Digital Library

[18]

J. Newsome and D. Song. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In Proc. of the 12th NDSS, 2005.

[19]

E. B. Nightingale, D. Peek, P. M. Chen, and J. Flinn. Parallelizing Security Checks on Commodity Hardware. In Proc. of the 13th ASPLOS, pages 308--318, 2008.

Digital Library

[20]

G. Portokalidis and H. Bos. Eudaemon: Involuntary and On-Demand Emulation Against Zero-Day Exploits. In Proc. of the 2008 EuroSys, pages 287--299.

Digital Library

[21]

G. Portokalidis, A. Slowinska, and H. Bos. Argos: an Emulator for Fingerprinting Zero-Day Attacks. In Proc. of the 2006 EuroSys, pages 15--27.

Digital Library

[22]

F. Qin, C. Wang, Z. Li, H.-S. Kim, Y. Zhou, and Y. Wu. LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks. In Proc. of the 39th MICRO, pages 135--148, 2006.

Digital Library

[23]

A. Slowinska and H. Bos. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. In Proc. of the 2009 EuroSys, pages 61--74.

Digital Library

[24]

G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure Program Execution via Dynamic Information Flow Tracking. In Proc. of the 11th ASPLOS, pages 85--96, 2004.

Digital Library

[25]

N. Vachharajani, M. J. Bridges, J. Chang, R. Rangan, G. Ottoni, J. A. Blome, G. A. Reis, M. Vachharajani, and D. I. August. RIFLE: An Architectural Framework for User-Centric Information-Flow Security. In Proc. of the 37th MICRO, pages 243--254, 2004.

Digital Library

[26]

G. Venkataramani, I. Doudalis, Y. Solihin, and M. Prvulovic. Flexitaint: A Programmable Accelerator for Dynamic Taint Propagation. In Proc. of the 14th HPCA, pages 173--184, 2008.

[27]

T. Wang, T. Wei, G. Gu, and W. Zou. TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection. In Proc. of the 31st IEEE S&P, pages 497--512, 2010.

Digital Library

[28]

W. Xu, S. Bhatkar, and R. Sekar. Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks. In Proc. of the 15th USENIX Security, pages 121--136, 2006.

Digital Library

[29]

A. Zavou, G. Portokalidis, and A. D. Keromytis. Taint-Exchange: A Generic System for Cross-process and Cross-host Taint Tracking. In Proc. of the 6th IWSEC, pages 113--128, 2011.

Digital Library

[30]

N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazières. Making Information Flow Explicit in HiStar. In Proc. of the 7th OSDI, pages 263--278, 2006.

Digital Library

[31]

D. Zhu, J. Jung, D. Song, T. Kohno, and D. Wetherall. TaintEraser: Protecting Sensitive Data Leaks Using Application-Level Taint Tracking. SIGOPS Oper. Syst. Rev., 45 (1): 142--154, 2011.

Digital Library

Cited By

Zhang YLiu TWang YQi YJi KTang JWang XLi XZuo Z(2024)HardTaint: Production-Run Dynamic Taint Analysis via Selective Hardware TracingProceedings of the ACM on Programming Languages10.1145/36897688:OOPSLA2(1615-1640)Online publication date: 8-Oct-2024
https://dl.acm.org/doi/10.1145/3689768
Sultanik ESurovič MBrodin HKaoudis KTuesca FHarmon COverall LSweeney JLarsen BChristakis MPradel M(2024)PolyTracker: Whole-Input Dynamic Information Flow TracingProceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3650212.3685313(1841-1845)Online publication date: 11-Sep-2024
https://dl.acm.org/doi/10.1145/3650212.3685313
Grayson SAguilar FMilewicz RKatz DMarinov D(2024)A benchmark suite and performance analysis of user-space provenance collectorsProceedings of the 2nd ACM Conference on Reproducibility and Replicability10.1145/3641525.3663627(85-95)Online publication date: 18-Jun-2024
https://dl.acm.org/doi/10.1145/3641525.3663627
Show More Cited By

Recommendations

libdft: practical dynamic data flow tracking for commodity systems
VEE '12

Dynamic data flow tracking (DFT) deals with tagging and tracking data of interest as they propagate during program execution. DFT has been repeatedly implemented by a variety of tools for numerous purposes, including protection from zero-day and cross-...
Using Precise Taint Tracking for Auto-sanitization
PLAS '17: Proceedings of the 2017 Workshop on Programming Languages and Analysis for Security

Taint analysis has been used in numerous scripting languages such as Perl and Ruby to defend against various form of code injection attacks, such as cross-site scripting (XSS) and SQL-injection. However, most taint analysis systems simply fail when ...
A Framework for Understanding Dynamic Anti-Analysis Defenses
PPREW-4: Proceedings of the 4th Program Protection and Reverse Engineering Workshop

Malicious code often use a variety of anti-analysis and anti-tampering defenses to hinder analysis. Researchers trying to understand the internal logic of the malware have to penetrate these defenses. Existing research on such anti-analysis defenses ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

VEE '12: Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution Environments

March 2012

248 pages

ISBN:9781450311762

DOI:10.1145/2151024

General Chair:
Steven Hand
University of Cambridge, UK
,
Program Chair:
Dilma da Silva
IBM T. J. Watson Research Center, USA

ACM SIGPLAN Notices Volume 47, Issue 7
VEE '12
July 2012
229 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/2365864
Issue’s Table of Contents

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 March 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

VEE '12

Sponsor:

VEE '12: ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments

March 3 - 4, 2012

London, England, UK

Acceptance Rates

Overall Acceptance Rate 80 of 235 submissions, 34%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

190
Total Citations
View Citations
1,026
Total Downloads

Downloads (Last 12 months)50
Downloads (Last 6 weeks)9

Reflects downloads up to 09 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Zhang YLiu TWang YQi YJi KTang JWang XLi XZuo Z(2024)HardTaint: Production-Run Dynamic Taint Analysis via Selective Hardware TracingProceedings of the ACM on Programming Languages10.1145/36897688:OOPSLA2(1615-1640)Online publication date: 8-Oct-2024
https://dl.acm.org/doi/10.1145/3689768
Sultanik ESurovič MBrodin HKaoudis KTuesca FHarmon COverall LSweeney JLarsen BChristakis MPradel M(2024)PolyTracker: Whole-Input Dynamic Information Flow TracingProceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3650212.3685313(1841-1845)Online publication date: 11-Sep-2024
https://dl.acm.org/doi/10.1145/3650212.3685313
Grayson SAguilar FMilewicz RKatz DMarinov D(2024)A benchmark suite and performance analysis of user-space provenance collectorsProceedings of the 2nd ACM Conference on Reproducibility and Replicability10.1145/3641525.3663627(85-95)Online publication date: 18-Jun-2024
https://dl.acm.org/doi/10.1145/3641525.3663627
Maar LNasahl PMangard SQuek TGao DZhou JCardenas A(2024)Beyond the Edges of Kernel Control-Flow Hijacking Protection with HEK-CFIProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3661135(1214-1230)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3661135
Kim THong SCho YQuek TGao DZhou JCardenas A(2024)AIMFuzz: Automated Function-Level In-Memory Fuzzing on BinariesProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3644996(1510-1522)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3644996
James KValakuzhy KSnow KMonrose FVilela JSchulmann HLi N(2024)CrashTalk: Automated Generation of Precise, Human Readable, Descriptions of Software Security BugsProceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy10.1145/3626232.3653256(337-347)Online publication date: 19-Jun-2024
https://dl.acm.org/doi/10.1145/3626232.3653256
Goli MDrechsler R(2024)Early SoCs Information Flow Policies Validation Using SystemC-Based Virtual Prototypes at the ESLACM Transactions on Embedded Computing Systems10.1145/354478023:5(1-20)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.1145/3544780
Chen CYan TShi CXi HFan ZWan HZhao X(2024)The Last Mile of Attack Investigation: Audit Log Analysis Toward Software Vulnerability LocationIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.345961619(9566-9581)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3459616
Park YLee HJung JKoo HKim H(2024)Benzene: A Practical Root Cause Analysis System with an Under-Constrained State Mutation2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00074(1865-1883)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00074
Sang QWang YLiu YJia XBao TSu P(2024)AirTaint: Making Dynamic Taint Analysis Faster and Easier2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00045(3998-4014)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00045
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents