
The Journal of Supercomputing, Volume 70, Issue 3, pp 1433–1450

CloudTaint: an elastic taint tracking framework for malware detection in the cloud

  • Jinfeng Yuan
  • Weizhong Qiang
  • Hai Jin
  • Deqing Zou

Abstract

Full-system, fine-grained taint tracking has been shown to be a novel approach to the detection of malware, especially privacy-breaching malware and kernel buffer overflow attacks. On-demand emulation realizes a taint tracking framework in the cloud by dynamically switching a running system between virtualized and emulated execution. However, given the complexity of the cloud environment, it still incurs a high performance overhead. In this paper, we propose an approach to practical malware detection using elastic taint tracking, which selects the granularity and strategy of taint tracking according to the security requirements of the cloud applications. This includes a script-based taint tracking configuration file, automatic deployment and triggering of taint sources based on both data flow and control flow, and a customizable security detection method. We present a prototype implementation named CloudTaint based on the Xen virtualization environment. The experimental results indicate that CloudTaint is effective for malware detection in the cloud, with acceptable performance overhead, using elastic taint tracking.

Keywords

Elastic taint tracking, Malware detection, Cloud computing, On-demand emulation

Acknowledgments

This work is supported by the National Natural Science Foundation of China under Grant No. 61370106, and the National 973 Basic Research Program of China under Grant No. 2014CB340600.


Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  • Jinfeng Yuan (1)
  • Weizhong Qiang (1), corresponding author
  • Hai Jin (1)
  • Deqing Zou (1)

  1. Services Computing Technology and System Lab, and Cluster and Grid Computing Lab, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China
