On the Limits of Information Flow Techniques for Malware Analysis and Containment

  • Lorenzo Cavallaro
  • Prateek Saxena
  • R. Sekar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5137)


Taint-tracking is emerging as a general technique in software security to complement virtualization and static analysis. It has been applied for accurate detection of a wide range of attacks on benign software, as well as in malware defense. Although it is quite robust for tackling the former problem, application of taint analysis to untrusted (and potentially malicious) software is riddled with several difficulties that lead to gaping holes in defense. These holes arise not only due to the limitations of information flow analysis techniques, but also the nature of today’s software architectures and distribution models. This paper highlights these problems using an array of simple but powerful evasion techniques that can easily defeat taint-tracking defenses. Given today’s binary-based software distribution and deployment models, our results suggest that information flow techniques will be of limited use against future malware that has been designed with the intent of evading these defenses.


Malicious Code Covert Channel Malicious Behavior Host Application Taint Tracking 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Moser, A., Kruegel, C., Kirda, E.: Exploring Multiple Execution Paths for Malware Analysis. In: IEEE Symposium on Security and Privacy (2007)Google Scholar
  2. 2.
    Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J., Evans, D.: Automatically Hardening Web Applications Using Precise Tainting. In: 20th IFIP International Information Security Conference (2005)Google Scholar
  3. 3.
    Bala, V., Duesterwald, E., Banerjia, S.: Dynamo: a transparent dynamic optimization system. SIGPLAN Not. 35(5) (2000)Google Scholar
  4. 4.
    Barthe, G., Pichardie, D., Rezk, T.: A certified lightweight non-interference java bytecode verifier. Programming Languages and Systems (2007)Google Scholar
  5. 5.
    Barthe, G., Rezk, T., Warnier, M.: Preventing timing leaks through transactional branching instructions. In: Proceedings of 3rd Workshop on Quantitative Aspects of Programming Languages (QAPL 2005) (2005)Google Scholar
  6. 6.
    Bell, D.E., LaPadula, L.J.: Secure computer systems: Mathematical foundations. Technical Report MTR-2547, vol. 1, MITRE Corp. (1973)Google Scholar
  7. 7.
    Bellard, F.: Qemu, a fast and portable dynamic translator. In: ATEC 2005: Proceedings of the USENIX Annual Technical Conference 2005 on USENIX Annual Technical Conference (2005)Google Scholar
  8. 8.
    Biba, K.J.: Integrity considerations for secure computer systems. Technical Report ESD-TR-76-372, USAF Electronic Systems Division, Hanscom Air Force Base, Bedford, Massachusetts (1977)Google Scholar
  9. 9.
    Cadar, C., Ganesh, V., Pawlowski, P.M., Dill, D.L., Engler, D.R.: Exe: automatically generating inputs of death. In: CCS 2006: Proceedings of the 13th ACM conference on Computer and communications security (2006)Google Scholar
  10. 10.
    Chen, S., Xu, J., Nakka, N., Kalbarczyk, Z., Iyer, R.K.: Defeating memory corruption attacks via pointer taintedness detection. In: IEEE International Conference on Dependable Systems and Networks (DSN) (2005)Google Scholar
  11. 11.
    Chen, S., Xu, J., Nakka, N., Kalbarczyk, Z., Iyer, R.K.: Defeating Memory Corruption Attacks via Pointer Taintedness Detection. In: DSN 2005: Proceedings of the 2005 International Conference on Dependable Systems and Networks (DSN 2005) (2005)Google Scholar
  12. 12.
    Denning, D.E., Denning, P.J.: Certification of programs for secure information flow. Communications of the ACM 20(7) (1977)Google Scholar
  13. 13.
    Egele, M., Kruegel, C., Kirda, E., Yin, H., Song, D.: Dynamic spyware analysis. In: Usenix Tech Conference (2007)Google Scholar
  14. 14.
    Fenton, J.S.: Memoryless subsystems. Computing Journal 17(2) (1974)Google Scholar
  15. 15.
    Newsome, J., Song, D.: Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In: Proceedings of the Network and Distributed System Security Symposium (NDSS 2005) (2005)Google Scholar
  16. 16.
    Kong, J., Zou, C.C., Zhou, H.: Improving Software Security via Runtime Instruction-level Taint Checking. In: ASID 2006: Proceedings of the 1st workshop on Architectural and sys tem support for improving software dependability (2006)Google Scholar
  17. 17.
    Luk, C., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Janapa Reddi, V., Hazelwood, K.: Pin: building customized program analysis tools with dynamic instrumentation. SIGPLAN Not. 40(6) (2005)Google Scholar
  18. 18.
    McAfee. W32/hiv. virus information library (2000)Google Scholar
  19. 19.
    McAfee. W32/mydoom@mm. virus information library (2004)Google Scholar
  20. 20.
    McLean, J.: A general theory of composition for trace sets closed under selective interleaving functions. In: IEEE Symposium on Security and Privacy (1994)Google Scholar
  21. 21.
    Medel, R.: Typed Assembly Languages for Software Security. PhD thesis, Department of Computer Science, Stevens Institute of Technology (2006)Google Scholar
  22. 22.
    Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: Choi, L., Paek, Y., Cho, S. (eds.) ACSAC 2007. LNCS, vol. 4697. Springer, Heidelberg (2007)Google Scholar
  23. 23.
    Myers, A.C.: JFlow: Practical mostly-static information flow control. In: ACM POPL, pp. 228–241 (1999)Google Scholar
  24. 24.
    Nanda, S., Li, W., Lam, L., Chiueh, T.: BIRD: Binary interpretation using runtime disassembly. In: IEEE/ACM Conference on Code Generation and Optimization (CGO) (2006)Google Scholar
  25. 25.
    Necula, G.C.: Proof-carrying code. In: Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Langauges (POPL 1997) (1997)Google Scholar
  26. 26.
    Nethercote, N., Seward, J.: Valgrind: A framework for heavyweight dynamic binary instrumentation. In: ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation (PLDI 2007) (2007)Google Scholar
  27. 27.
    Perl. Perl taint mode,
  28. 28.
    Pietraszek, T., Berghe, C.V.: Defending against injection attacks through context-sensitive string evaluation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 124–145. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  29. 29.
    Portokalidis, G., Slowinska, A., Bos, H.: Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation. SIGOPS Oper. Syst. Rev. 40(4) (2006)Google Scholar
  30. 30.
    Qin, F., Wang, C., Li, Z., Kim, H., Zhou, Y., Wu, Y.: LIFT: A low-overhead practical information flow tracking system for detecting general security attacks. In: IEEE/ACM International Symposium on Microarchitecture (2006)Google Scholar
  31. 31.
    Wojtczuk, R.N.: The Advanced return-into-lib(c) Exploits: PaX Case Study. Phrack Magazine 0x0b(0x3a). Phile #0x04 of 0x0e (2001)Google Scholar
  32. 32.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Selected Areas in Communications 21(1) (2003)Google Scholar
  33. 33.
    Saxena, P., Sekar, R., Puranik, V.: A practical technique for integrity protection from untrusted plug-ins. Technical Report SECLAB08-01, Stony Brook University (2008)Google Scholar
  34. 34.
    Stinson, E., Mitchell, J.C.: Characterizing bots’ remote control behavior. In: Hämmerli, B.M., Sommer, R. (eds.) DIMVA 2007. LNCS, vol. 4579, pp. 89–108. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  35. 35.
    Clad “RORIV” Strife and Xdream ROJIV Blue. Ret onto Ret into VsyscallsGoogle Scholar
  36. 36.
    Suh, G.E., Lee, J.W., Zhang, D., Devadas, S.: Secure Program Execution via Dynamic Information Flow Tracking. In: ASPLOS-XI: Proceedings of the 11th international conference on Architectural support for programming languages and operating systems (2004)Google Scholar
  37. 37.
    Szor, P.: The Art of Computer Virus Research and Defense. Symantec Press (2005)Google Scholar
  38. 38.
    TrendMicro. Bkdr.surila.g (w32/ratos). virus encyclopedia (2004)Google Scholar
  39. 39.
    Vasudevan, A.: WiLDCAT: An Integrated Stealth Environment for Dynamic Malware Analysis. PhD thesis, The University of Texas at Arlington, USA (2007)Google Scholar
  40. 40.
    Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In: Proceeding of the Network and Distributed System Security Symposium (NDSS) (2007)Google Scholar
  41. 41.
    Volpano, D., Smith, G., Irvine, C.: A sound type system for secure flow analysis. Journal of Computer Security (JCS) 4(3) (1996)Google Scholar
  42. 42.
    Volpano, D.M.: Safety versus secrecy. In: Cortesi, A., Filé, G. (eds.) SAS 1999. LNCS, vol. 1694. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  43. 43.
    Xu, W., Bhatkar, S., Sekar, R.: Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks. In: USENIX Security Symposium (2006)Google Scholar
  44. 44.
    Yin, H., Liang, Z., Song, D.: Hookfinder: Identifying and understanding malware hooking behaviors. In: NDSS (2008)Google Scholar
  45. 45.
    Yin, H., Song, D., Manuel, E., Kruegel, C., Kirda, E.: Panorama: Capturing system-wide information flow for malware detection and analysis. In: Proceedings of the 14th ACM Conferences on Computer and Communication Security (CCS 2007) (2007)Google Scholar
  46. 46.
    Yu, D., Islam, N.: A typed assembly language for confidentiality. In: Sestoft, P. (ed.) ESOP 2006 and ETAPS 2006. LNCS, vol. 3924, pp. 162–179. Springer, Heidelberg (2006)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Lorenzo Cavallaro
    • 1
  • Prateek Saxena
    • 2
  • R. Sekar
    • 3
  1. 1.Dipartimento di Informatica e ComunicazioneUniversità degli Studi di MilanoItaly
  2. 2.Computer Science DepartmentUniversity of California at BerkeleyUSA
  3. 3.Computer Science DepartmentStony Brook UniversityUSA

Personalised recommendations