
CloudTaint: an elastic taint tracking framework for malware detection in the cloud

Abstract

Full-system, fine-grained taint tracking has been shown to be an effective approach to malware detection, in particular for privacy-breaching malware and kernel buffer-overflow attacks. On-demand emulation brings such a taint tracking framework to the cloud by dynamically switching a running virtual machine between native virtualized execution and emulated execution. Given the complexity of the cloud environment, however, it still incurs a high performance overhead. In this paper we propose an approach to practical malware detection based on elastic taint tracking, which selects the granularity and strategy of taint tracking according to the security requirements of the cloud applications. It comprises a script-based taint tracking configuration file, automatic deployment of taint sources together with a trigger mechanism for them based on both data flow and control flow, and a customizable security detection method. We present a prototype implementation named CloudTaint built on the Xen virtualization environment. Experimental results indicate that CloudTaint detects malware in the cloud effectively, with acceptable performance overhead, when elastic taint tracking is used.
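The three policy knobs named in the abstract (where taint enters, which sinks are checked, and whether propagation follows data flow only or data flow plus control flow) are easiest to see on a toy machine. The tracker below is an added illustration, not CloudTaint's code or any part of the Xen/QEMU implementation; its register machine, instruction set, taint labels, sample programs and the Policy/Tracker names are all constructed for this example. The first sample program is a spyware-style implicit leak (a constant is sent, but which constant depends on a secret), which a data-flow-only policy misses and a data-plus-control-flow policy catches; the second is an exploit-style control transfer through attacker-controlled input, caught at the indirect-jump sink.

```python
"""Toy fine-grained taint tracker for a tiny register machine (constructed example)."""
from dataclasses import dataclass, field

# Instructions are tuples; registers are r0..r3, memory is a dict of words.
#   ("load", rd, addr)    rd = mem[addr]
#   ("movi", rd, imm)     rd = imm
#   ("add", rd, rs)       rd = rd + rs
#   ("jz", rs, target)    if rs == 0: pc = target   (forward branches only)
#   ("jmpr", rs)          pc = rs                   (control-flow sink)
#   ("send", rs)          rs leaves over the network (data sink)
#   ("halt",)


@dataclass
class Policy:
    sources: dict                # memory address -> taint label
    sinks: dict                  # sink name -> labels that must not reach it
    control_flow: bool = False   # also propagate through tainted branches


@dataclass
class Tracker:
    policy: Policy
    mem: dict
    regs: list = field(default_factory=lambda: [0] * 4)
    reg_taint: list = field(default_factory=lambda: [frozenset()] * 4)
    mem_taint: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def __post_init__(self):
        # Taint the configured source addresses before the program starts.
        for addr, label in self.policy.sources.items():
            self.mem_taint[addr] = frozenset({label})

    def _check(self, sink, pc, taint):
        hit = taint & self.policy.sinks.get(sink, set())
        if hit:
            self.alerts.append((sink, pc, sorted(hit)))

    def run(self, prog, max_steps=10_000):
        pc = 0
        cf_taint, cf_until = frozenset(), -1   # implicit-flow scope and its join point
        for _ in range(max_steps):
            if pc >= cf_until:                 # left the scope of the tainted branch
                cf_taint = frozenset()
            op, *args = prog[pc]
            cur, pc = pc, pc + 1
            if op == "load":
                rd, addr = args
                self.regs[rd] = self.mem.get(addr, 0)
                self.reg_taint[rd] = self.mem_taint.get(addr, frozenset()) | cf_taint
            elif op == "movi":
                rd, imm = args
                self.regs[rd] = imm
                self.reg_taint[rd] = cf_taint    # a constant, unless written under a tainted branch
            elif op == "add":
                rd, rs = args
                self.regs[rd] = (self.regs[rd] + self.regs[rs]) & 0xFFFFFFFF
                self.reg_taint[rd] = self.reg_taint[rd] | self.reg_taint[rs] | cf_taint
            elif op == "jz":
                rs, target = args
                if self.policy.control_flow and self.reg_taint[rs]:
                    # Everything written before the join point depends on the tainted condition.
                    cf_taint = cf_taint | self.reg_taint[rs]
                    cf_until = max(cf_until, target)
                if self.regs[rs] == 0:
                    pc = target
            elif op == "jmpr":
                (rs,) = args
                self._check("jmpr", cur, self.reg_taint[rs])
                pc = self.regs[rs]
            elif op == "send":
                (rs,) = args
                self._check("send", cur, self.reg_taint[rs])
            elif op == "halt":
                return self.alerts
            else:
                raise ValueError(f"unknown opcode {op!r}")
        raise RuntimeError("step limit exceeded")


# Constructed policy: 0x100 holds a user secret, 0x200 holds bytes read from the network.
SOURCES = {0x100: "secret", 0x200: "net"}
SINKS = {"send": {"secret"}, "jmpr": {"net"}}
POLICY_DATA_ONLY = Policy(SOURCES, SINKS)
POLICY_ELASTIC = Policy(SOURCES, SINKS, control_flow=True)

# Spyware-style implicit leak: r1 is a constant, but which constant depends on the secret.
IMPLICIT_LEAK = [
    ("load", 0, 0x100),   # r0 = secret
    ("movi", 1, 0),
    ("jz", 0, 4),         # if secret == 0 skip the next write
    ("movi", 1, 1),
    ("send", 1),          # r1 now encodes the secret bit
    ("halt",),
]

# Exploit-style hijack: a jump target taken straight from attacker-controlled input.
HIJACK = [
    ("load", 0, 0x200),   # r0 = first word of the network buffer
    ("jmpr", 0),
    ("halt",),
]


def implicit_leak_alerts(control_flow):
    policy = POLICY_ELASTIC if control_flow else POLICY_DATA_ONLY
    return Tracker(policy, mem={0x100: 1}).run(IMPLICIT_LEAK)


def hijack_alerts():
    return Tracker(POLICY_DATA_ONLY, mem={0x200: 2}).run(HIJACK)


if __name__ == "__main__":
    print("data-flow only:", implicit_leak_alerts(False))
    print("data + control:", implicit_leak_alerts(True))
    print("hijack        :", hijack_alerts())
```

Switching `control_flow` on is the cost/coverage trade the abstract calls elastic: every write inside the scope of a tainted branch now carries the branch's labels, which finds the implicit leak but also spreads taint more widely, so a deployment would enable it only for the applications whose requirements justify the extra overhead. The approximation used here (the branch target as the join point) only works for forward if-then structures, and, as with any dynamic tracker, writes on the path that was not executed are still missed: with a secret of 0 the branch is taken, the write is skipped, and no alert fires.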


Figs. 1–6 (not reproduced)


Acknowledgments

The work is supported by National Natural Science Foundation of China under Grant No.61370106, and National 973 Basic Research Program of China under grant No.2014CB340600.

Author information

Correspondence to Weizhong Qiang.


Cite this article

Yuan, J., Qiang, W., Jin, H. et al. CloudTaint: an elastic taint tracking framework for malware detection in the cloud. J Supercomput 70, 1433–1450 (2014). https://doi.org/10.1007/s11227-014-1235-5


Keywords

  • Elastic taint tracking
  • Malware detection
  • Cloud computing
  • On-demand emulation