Advertisement

Taint-Exchange: A Generic System for Cross-Process and Cross-Host Taint Tracking

  • Angeliki Zavou
  • Georgios Portokalidis
  • Angelos D. Keromytis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7038)

Abstract

Dynamic taint analysis (DTA) has been heavily used by security researchers for various tasks, including detecting unknown exploits, analyzing malware, preventing information leaks, and many more. Recently, it has been also utilized to track data across processes and hosts to shed light on the interaction of distributed components, but also for security purposes. This paper presents Taint-Exchange, a generic cross-process and cross-host taint tracking framework. Our goal is to provide researchers with a valuable tool for rapidly developing prototypes that utilize cross-host taint tracking. Taint-Exchange builds on the libdft open source data flow tracking framework for processes, so unlike previous work it does not require extensive maintenance and setup. It intercepts I/O related system calls to transparently multiplex fine-grained taint information into existing communication channels, like sockets and pipes. We evaluate Taint-Exchange using the popular lmbench suite, and show that it incurs only moderate overhead.

Keywords

System Call Taint Source Tainted Data USENIX Security Symposium Taint Propagation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Attariyan, M., Flinn, J.: Automating configuration troubleshooting with dynamic information flow analysis. In: Proceedings of the 9th Symposium on Operating Systems Design and Implementation (OSDI), pp. 1–11 (2010)Google Scholar
  2. 2.
    Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the art of virtualization. In: Proceedings of the 19th Symposium on Operating Systems Principles (SOSP), pp. 164–177 (2003)Google Scholar
  3. 3.
    Bellard, F.: QEMU, a fast and portable dynamic translator. In: Proceedings of the USENIX Annual Technical Conference, pp. 41–46 (April 2005)Google Scholar
  4. 4.
    Bochs: The cross platform IA-32 emulator (2001), http://bochs.sourceforge.net
  5. 5.
    Borin, E., Wang, C., Wu, Y., Araujo, G.: Software-based transparent and comprehensive control-flow error detection. In: Proceedings of the International Symposium on Code Generation and Optimization (CGO), pp. 333–345 (2006)Google Scholar
  6. 6.
    Cheng, W., Zhao, Q., Yu, B., Hiroshige, S.: TaintTrace: Efficient flow tracing with dynamic binary rewriting. In: Proceedings of the IEEE Symposium on Computers and Communications (ISCC), pp. 749–754 (2006)Google Scholar
  7. 7.
    Chow, J., Pfaff, B., Garfinkel, T., Christopher, K., Rosenblum, M.: Understanding Data Lifetime via Whole System Simulation. In: Proceedings of the 13th USENIX Security Symposium, pp. 321–336 (2004)Google Scholar
  8. 8.
    Clause, J., Li, W., Orso, A.: Dytan: a generic dynamic taint analysis framework. In: Proceedings of the 2007 International Symposium on Software Testing and Analysis (ISSTA), pp. 196–206 (2007)Google Scholar
  9. 9.
    Crandall, J.R., Chong, F.T.: Minos: Control data attack prevention orthogonal to memory model. In: Proceedings of the 37th Annual International Symposium on Microarchitecture, pp. 221–232 (2004)Google Scholar
  10. 10.
    Dalton, M., Kannan, H., Kozyrakis, C.: Real-world buffer overflow protection for userspace & kernelspace. In: Proceedings of the 17th USENIX Security Symposium, pp. 395–410 (2008)Google Scholar
  11. 11.
    Davis, B., Chen, H.: DBTaint: cross-application information flow tracking via databases. In: Proceedings of the 2010 USENIX Conference on Web Application Development, WebApps (2010)Google Scholar
  12. 12.
    Enck, W., Gilbert, P., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th Symposium on Operating Systems Design and Implementation (OSDI), pp. 393–407 (2010)Google Scholar
  13. 13.
    Ho, A., Fetterman, M., Warfield, C.C.A., Hand, S.: Practical taint-based protection using demand emulation. In: Proceedings of the 1st European Conference on Computer Systems (EuroSys), pp. 29–41 (2006)Google Scholar
  14. 14.
    Kemerlis, V.P.: libdft (2010), http://www.cs.columbia.edu/~vpk/research/libdft/
  15. 15.
    Luk, C.K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V.J., Hazelwood, K.: Pin: Building customized program analysis tools with dynamic instrumentation. In: Proceedings of the Conference on Programming Language Design and Implementation (PLDI), pp. 190–200 (2005)Google Scholar
  16. 16.
    McVoy, L., Staelin, C.: lmbench (2005), http://lmbench.sourceforge.net/
  17. 17.
    Mysore, S., Mazloom, B., Agrawal, B., Sherwood, T.: Understanding and visualizing full systems with data flow tomography. In: Proceedings of the 13th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), pp. 211–221 (2008)Google Scholar
  18. 18.
    Nethercote, N., Seward, J.: Valgrind: A framework for heavyweight dynamic binary instrumentation. In: Proceedings of the Conference on Programming Language Design and Implementation (PLDI), pp. 89–100 (2007)Google Scholar
  19. 19.
    Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Proceedings of the 12th Annual Network and Distributed System Security Symposium, NDSS (2005)Google Scholar
  20. 20.
    Portokalidis, G., Slowinska, A., Bos, H.: Argos: an emulator for fingerprinting zero-day attacks. In: Proceedings of the 1st European Conference on Computer Systems (EuroSys), pp. 15–27 (2006)Google Scholar
  21. 21.
    Qin, F., Wang, C., Li, Z., Kim, H.s., Zhou, Y., Wu, Y.: LIFT: A low-overhead practical information flow tracking system for detecting security attacks. In: Proceedings of the 39th Annual International Symposium on Microarchitecture, pp. 135–148 (2006)Google Scholar
  22. 22.
    Slowinska, A., Bos, H.: Pointless tainting? Evaluating the practicality of pointer tainting. In: Proceedings of EuroSys 2009, Nuremberg, Germany (March-April 2009)Google Scholar
  23. 23.
    Suh, G.E., Lee, J., Devadas, S.: Secure program execution via dynamic information flow tracking. In: Proceedings of the 11th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), pp. 85–96 (2004)Google Scholar
  24. 24.
    Vachharajani, N., Bridges, M.J., Chang, J., Rangan, R., Ottoni, G., Blome, J.A., Reis, G.A., Vachharajani, M., August, D.I.: RIFLE: An architectural framework for user-centric information-flow security. In: Proceedings of the 37th International Symposium on Microarchitecture (MICRO), pp. 243–254 (2004)Google Scholar
  25. 25.
    Wang, T., Wei, T., Gu, G., Zou, W.: TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 497–512 (2010)Google Scholar
  26. 26.
    Xu, W., Bhatkar, S., Sekar, R.: Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks. In: Proceedings of the 15th USENIX Security Symposium (2006)Google Scholar
  27. 27.
    Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E.: Panorama: capturing system-wide information flow for malware detection and analysis. In: Proceedings of the 14th Conference on Computer and Communications Security (CCS), pp. 116–127 (2007)Google Scholar
  28. 28.
    Zhang, Q., McCullough, J., Ma, J., Schear, N., Vrable, M., Vahdat, A., Snoeren, A.C., Voelker, G.M., Savage, S.: Neon: system support for derived data management. In: Proceedings of the 6th International Conference on Virtual Execution Environments (VEE), pp. 63–74 (2010)Google Scholar
  29. 29.
    Zhu, D., Jung, J., Song, D., Kohno, T., Wetherall, D.: TaintEraser: protecting sensitive data leaks using application-level taint tracking. SIGOPS Operating Systems Review 45, 142–154 (2011)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Angeliki Zavou
    • 1
  • Georgios Portokalidis
    • 1
  • Angelos D. Keromytis
    • 1
  1. 1.Network Security Lab, Department of Computer ScienceColumbia UniversityNew YorkUSA

Personalised recommendations