research-article

libdft: practical dynamic data flow tracking for commodity systems

Authors:

Vasileios P. Kemerlis,

Georgios Portokalidis,

Angelos D. KeromytisAuthors Info & Claims

ACM SIGPLAN Notices, Volume 47, Issue 7

Pages 121 - 132

https://doi.org/10.1145/2365864.2151042

Published: 03 March 2012 Publication History

Abstract

Dynamic data flow tracking (DFT) deals with tagging and tracking data of interest as they propagate during program execution. DFT has been repeatedly implemented by a variety of tools for numerous purposes, including protection from zero-day and cross-site scripting attacks, detection and prevention of information leaks, and for the analysis of legitimate and malicious software. We present libdft, a dynamic DFT framework that unlike previous work is at once fast, reusable, and works with commodity software and hardware. libdft provides an API for building DFT-enabled tools that work on unmodified binaries, running on common operating systems and hardware, thus facilitating research and rapid prototyping. We explore different approaches for implementing the low-level aspects of instruction-level data tracking, introduce a more efficient and 64-bit capable shadow memory, and identify (and avoid) the common pitfalls responsible for the excessive performance overhead of previous studies. We evaluate libdft using real applications with large codebases like the Apache and MySQL servers, and the Firefox web browser. We also use a series of benchmarks and utilities to compare libdft with similar systems. Our results indicate that it performs at least as fast, if not faster, than previous solutions, and to the best of our knowledge, we are the first to evaluate the performance overhead of a fast dynamic DFT implementation in such depth. Finally, libdft is freely available as open source software.

References

[1]

M. Attariyan and J. Flinn. Automating configuration troubleshooting with dynamic information flow analysis. In Proc. of the 9th OSDI, pages 237--250, 2010.

Digital Library

[2]

E. Bosman, A. Slowinska, and H. Bos. Minemu: The World's Fastest Taint Tracker. In Proc. of the 14$^th$ RAID, pages 1--20, 2011.

Digital Library

[3]

S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-Oriented Programming without Returns. In Proc. of the 17th CCS, pages 559--572, 2010.

Digital Library

[4]

J. Chow, T. Garfinkel, and P. M. Chen. Decoupling dynamic program analysis from execution in virtual environments. In Proc. of the 2008 USENIX ATC, pages 1--14.

Digital Library

[5]

J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding Data Lifetime via Whole System Simulation. In Proc. of the 13th USENIX Security, pages 321--336, 2004.

Digital Library

[6]

J. Clause, W. Li, and A. Orso. Dytan: A Generic Dynamic Taint Analysis Framework. In Proc. of the 2007 ISSTA, pages 196--206.

Digital Library

[7]

M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-End Containment of Internet Worms. In Proc. of the 20th SOSP, pages 133--147, 2005.

Digital Library

[8]

J. R. Crandall and F. T. Chong. Minos: Control Data Attack Prevention Orthogonal to Memory Model. In Proc. of the 37th MICRO, pages 221--232, 2004.

Digital Library

[9]

M. Dalton, H. Kannan, and C. Kozyrakis. Real-World Buffer Overflow Protection for Userspace & Kernelspace. In Proc. of the 17th USENIX Security, pages 395--410, 2008.

Digital Library

[10]

W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proc. of the 9th OSDI, pages 393--407, 2010.

Digital Library

[11]

A. Ermolinskiy, S. Katti, S. Shenker, L. Fowler, and M. McCauley. Towards Practical Taint Tracking. Technical Report UCB/EECS-2010--92, EECS Dept., University of California, Berkeley, USA, 2010.

[12]

B. Ford and R. Cox. Vx32: Lightweight User-level Sandboxing on the x86. In Proc. of the 2008 USENIX ATC, pages 293--306.

Digital Library

[13]

A. Ho, M. Fetterman, C. Clark, A. Warfield, and S. Hand. Practical Taint-based Protection using Demand Emulation. In Proc. of the 2006 EuroSys, pages 29--41.

Digital Library

[14]

K. Jee, G. Portokalidis, V. P. Kemerlis, S. Ghosh, D. I. August, and A. D. Keromytis. A General Approach for Efficiently Accelerating Software-based Dynamic Data Flow Tracking on Commodity Hardware. In Proc. of the 19th NDSS, 2012.

[15]

M. G. Kang, S. McCamant, P. Poosankam, and D. Song. DTA+: Dynamic Taint Analysis with Targeted Control-Flow Propagation. In Proc. of the 18th NDSS, 2011.

[16]

C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood. Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation. In Proc. of the 2005 PLDI, pages 190--200.

Digital Library

[17]

A. C. Myers. JFlow: Practical Mostly-Static Information Flow Control. In Proc. of the $26^th$ POPL, pages 228--241, 1999.

Digital Library

[18]

J. Newsome and D. Song. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In Proc. of the 12th NDSS, 2005.

[19]

E. B. Nightingale, D. Peek, P. M. Chen, and J. Flinn. Parallelizing Security Checks on Commodity Hardware. In Proc. of the 13th ASPLOS, pages 308--318, 2008.

Digital Library

[20]

G. Portokalidis and H. Bos. Eudaemon: Involuntary and On-Demand Emulation Against Zero-Day Exploits. In Proc. of the 2008 EuroSys, pages 287--299.

Digital Library

[21]

G. Portokalidis, A. Slowinska, and H. Bos. Argos: an Emulator for Fingerprinting Zero-Day Attacks. In Proc. of the 2006 EuroSys, pages 15--27.

Digital Library

[22]

F. Qin, C. Wang, Z. Li, H.-S. Kim, Y. Zhou, and Y. Wu. LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks. In Proc. of the 39th MICRO, pages 135--148, 2006.

Digital Library

[23]

A. Slowinska and H. Bos. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. In Proc. of the 2009 EuroSys, pages 61--74.

Digital Library

[24]

G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure Program Execution via Dynamic Information Flow Tracking. In Proc. of the 11th ASPLOS, pages 85--96, 2004.

Digital Library

[25]

N. Vachharajani, M. J. Bridges, J. Chang, R. Rangan, G. Ottoni, J. A. Blome, G. A. Reis, M. Vachharajani, and D. I. August. RIFLE: An Architectural Framework for User-Centric Information-Flow Security. In Proc. of the 37th MICRO, pages 243--254, 2004.

Digital Library

[26]

G. Venkataramani, I. Doudalis, Y. Solihin, and M. Prvulovic. Flexitaint: A Programmable Accelerator for Dynamic Taint Propagation. In Proc. of the 14th HPCA, pages 173--184, 2008.

[27]

T. Wang, T. Wei, G. Gu, and W. Zou. TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection. In Proc. of the 31st IEEE S&P, pages 497--512, 2010.

Digital Library

[28]

W. Xu, S. Bhatkar, and R. Sekar. Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks. In Proc. of the 15th USENIX Security, pages 121--136, 2006.

Digital Library

[29]

A. Zavou, G. Portokalidis, and A. D. Keromytis. Taint-Exchange: A Generic System for Cross-process and Cross-host Taint Tracking. In Proc. of the 6th IWSEC, pages 113--128, 2011.

Digital Library

[30]

N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazières. Making Information Flow Explicit in HiStar. In Proc. of the 7th OSDI, pages 263--278, 2006.

Digital Library

[31]

D. Zhu, J. Jung, D. Song, T. Kohno, and D. Wetherall. TaintEraser: Protecting Sensitive Data Leaks Using Application-Level Taint Tracking. SIGOPS Oper. Syst. Rev., 45 (1): 142--154, 2011.

Digital Library

Cited By

Abela RColombo CCurmi AFenech MVella MFerrando A(2023)Runtime Verification for Trustworthy ComputingElectronic Proceedings in Theoretical Computer Science10.4204/EPTCS.391.7391(49-62)Online publication date: 30-Sep-2023
https://doi.org/10.4204/EPTCS.391.7
Wu MChen KLuo QXiang JQi JChen JCui HZhang YChandra SBlincoe KTonella P(2023)Enhancing Coverage-Guided Fuzzing via Phantom ProgramProceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3611643.3616294(1037-1049)Online publication date: 30-Nov-2023
https://dl.acm.org/doi/10.1145/3611643.3616294
Mallissery SChiang KBau CWu Y(2023)Pervasive Micro Information Flow TrackingIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.323854720:6(4957-4975)Online publication date: 1-Nov-2023
https://dl.acm.org/doi/10.1109/TDSC.2023.3238547
Show More Cited By

Index Terms

libdft: practical dynamic data flow tracking for commodity systems
1. Information systems
  1. Data management systems
    1. Middleware for databases
      1. Distributed transaction monitors
2. Software and its engineering
  1. Software notations and tools
    1. Software libraries and repositories
  2. Software organization and properties
    1. Contextual software domains
      1. Operating systems
        Process management
        Monitors

Recommendations

libdft: practical dynamic data flow tracking for commodity systems
VEE '12: Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution Environments

Dynamic data flow tracking (DFT) deals with tagging and tracking data of interest as they propagate during program execution. DFT has been repeatedly implemented by a variety of tools for numerous purposes, including protection from zero-day and cross-...
Apposcopy: semantics-based detection of Android malware through static analysis
FSE 2014: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering

We present Apposcopy, a new semantics-based approach for identifying a prevalent class of Android malware that steals private user information. Apposcopy incorporates (i) a high-level language for specifying signatures that describe semantic ...
Dynamic Binary Instrumentation-Based Framework for Malware Defense
DIMVA '08: Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Malware is at the root of a large number of information security breaches. Despite widespread effort devoted to combating malware, current techniques have proven to be insufficient in stemming the incessant growth in malware attacks. In this paper, we ...

Comments

Information & Contributors

Information

Published In

cover image ACM SIGPLAN Notices

ACM SIGPLAN Notices Volume 47, Issue 7

VEE '12

July 2012

229 pages

ISSN:0362-1340

EISSN:1558-1160

DOI:10.1145/2365864

Issue’s Table of Contents

VEE '12: Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution Environments
March 2012
248 pages
ISBN:9781450311762
DOI:10.1145/2151024
General Chair:
Steven Hand
University of Cambridge, UK
,
Program Chair:
Dilma da Silva
IBM T. J. Watson Research Center, USA

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 March 2012

Published in SIGPLAN Volume 47, Issue 7

Check for updates

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

184
Total Citations
View Citations
1,006
Total Downloads

Downloads (Last 12 months)55
Downloads (Last 6 weeks)5

Reflects downloads up to 27 Jul 2024

Other Metrics

View Author Metrics

Citations

Cited By

Abela RColombo CCurmi AFenech MVella MFerrando A(2023)Runtime Verification for Trustworthy ComputingElectronic Proceedings in Theoretical Computer Science10.4204/EPTCS.391.7391(49-62)Online publication date: 30-Sep-2023
https://doi.org/10.4204/EPTCS.391.7
Wu MChen KLuo QXiang JQi JChen JCui HZhang YChandra SBlincoe KTonella P(2023)Enhancing Coverage-Guided Fuzzing via Phantom ProgramProceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3611643.3616294(1037-1049)Online publication date: 30-Nov-2023
https://dl.acm.org/doi/10.1145/3611643.3616294
Mallissery SChiang KBau CWu Y(2023)Pervasive Micro Information Flow TrackingIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.323854720:6(4957-4975)Online publication date: 1-Nov-2023
https://dl.acm.org/doi/10.1109/TDSC.2023.3238547
Pei ZChen XYang SDuan HZhang C(2023)TAICHI: Transform Your Secret Exploits Into Mine From a Victim's PerspectiveIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2022.319169320:6(5278-5292)Online publication date: 1-Nov-2023
https://dl.acm.org/doi/10.1109/TDSC.2022.3191693
Tang CGuan XYang MQiang B(2023)TaintSE: Dynamic Taint Analysis Combined with Symbolic Execution and Constraint Association2023 IEEE 14th International Conference on Software Engineering and Service Science (ICSESS)10.1109/ICSESS58500.2023.10293040(111-117)Online publication date: 17-Oct-2023
https://doi.org/10.1109/ICSESS58500.2023.10293040
Yang MZhou XLiu DZhou LTang Y(2023)Enhancing IoT Security: A Full-System Simulation Dynamic Taint Analysis Framework for Firmware2023 3rd International Conference on Electronic Information Engineering and Computer (EIECT)10.1109/EIECT60552.2023.10442540(381-388)Online publication date: 17-Nov-2023
https://doi.org/10.1109/EIECT60552.2023.10442540
Zhai JJin YChen WZheng WZhai JJin YChen WZheng W(2023)Informed Memory Access MonitoringPerformance Analysis of Parallel Applications for HPC10.1007/978-981-99-4366-1_4(73-97)Online publication date: 19-Jun-2023
https://doi.org/10.1007/978-981-99-4366-1_4
Goli MDrechsler RGoli MDrechsler R(2023)Anwendung II: SicherheitsvalidierungAutomatisierte Analyse von virtuellen Prototypen auf der Ebene elektronischer Systeme10.1007/978-3-031-36997-1_5(113-134)Online publication date: 20-Sep-2023
https://doi.org/10.1007/978-3-031-36997-1_5
Y aguang yZhao Y(2022)A review of auxiliary hardware architectures supporting dynamic taint analysisInternational Conference on Cloud Computing, Internet of Things, and Computer Applications (CICA 2022)10.1117/12.2642713(109)Online publication date: 28-Jul-2022
https://doi.org/10.1117/12.2642713
Pauley ETan GZhang DMcDaniel P(2022)Performant Binary Fuzzing without Source Code using Static Instrumentation2022 IEEE Conference on Communications and Network Security (CNS)10.1109/CNS56114.2022.9947273(226-235)Online publication date: 3-Oct-2022
https://doi.org/10.1109/CNS56114.2022.9947273
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Issue’s Table of Contents