DOI: 10.1145/1519065.1519073 (research article)

Pointless tainting?: evaluating the practicality of pointer tainting

Published: 1 April 2009

ABSTRACT

This paper evaluates pointer tainting, an incarnation of Dynamic Information Flow Tracking (DIFT), which has recently become an important technique in system security. Pointer tainting has been used for two main purposes: detection of privacy-breaching malware (e.g., trojan keyloggers obtaining the characters typed by a user), and detection of memory corruption attacks against non-control data (e.g., a buffer overflow that modifies a user's privilege level). In both of these cases the attacker does not modify control data such as stored branch targets, so the control flow of the target program does not change. Phrased differently, in terms of instructions executed, the program behaves 'normally'. As a result, these attacks are exceedingly difficult to detect. Pointer tainting is considered one of the only methods for detecting them in unmodified binaries. Unfortunately, almost all of the incarnations of pointer tainting are flawed. In particular, we demonstrate that the application of pointer tainting to the detection of keyloggers and other privacy-breaching malware is problematic. We also discuss whether pointer tainting is able to reliably detect memory corruption attacks against non-control data. Pointer tainting itself generates the conditions for false positives. We analyse the problems in detail and investigate various ways to improve the technique. Most have serious drawbacks: they are either impractical (and still incur many false positives), or they cripple the technique's ability to detect attacks, or both. In conclusion, we argue that, depending on architecture and operating system, pointer tainting may have some value in detecting memory corruption attacks (albeit with false negatives and not on the popular x86 architecture), but it is fundamentally not suitable for automated detection of privacy-breaching malware such as keyloggers.
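As an added illustration (not code from the paper), the following toy shadow-memory model contrasts plain DIFT with pointer tainting on two constructed programs: a keylogger-style scancode-to-ASCII table lookup, where plain DIFT loses the keystroke's taint (a false negative) while pointer tainting keeps it, and a benign linked-list walk whose head pointer was selected through a tainted index, where the same dereference rule taints every node visited (a false positive). All addresses, the translation table and the tainted selector are constructed sample values.

```python
from typing import Dict, Tuple
Val = Tuple[int, bool]  # (value, tainted?)

class TaintMachine:
    """Shadow memory with one taint bit per cell (added example, not the paper's code)."""
    def __init__(self, pointer_tainting: bool) -> None:
        self.pointer_tainting = pointer_tainting
        self.mem: Dict[int, Val] = {}

    def store(self, addr: Val, value: Val) -> None:
        # Plain DIFT stores the data's taint; pointer tainting additionally
        # taints the cell when the address used to reach it is tainted.
        (a, addr_t), (v, v_t) = addr, value
        self.mem[a] = (v, v_t or (self.pointer_tainting and addr_t))

    def load(self, addr: Val) -> Val:
        # Same rule on the load side: a tainted address taints the result.
        a, addr_t = addr
        v, v_t = self.mem.get(a, (0, False))
        return v, v_t or (self.pointer_tainting and addr_t)

def add(x: Val, y: Val) -> Val:
    return x[0] + y[0], x[1] or y[1]  # arithmetic merges taint in every variant

TABLE_BASE = 0x1000  # constructed: scancode-to-ASCII table lives here
SCANCODE_TO_ASCII = {0x1e: ord("a"), 0x30: ord("b"), 0x2e: ord("c")}

def translate(pointer_tainting: bool, scancode: Val) -> Val:
    """ascii = table[scancode]: the keystroke is only an index, so the loaded
    byte carries no data taint of its own; plain DIFT loses the keystroke here."""
    m = TaintMachine(pointer_tainting)
    for sc, ch in SCANCODE_TO_ASCII.items():
        m.store((TABLE_BASE + sc, False), (ch, False))
    return m.load(add((TABLE_BASE, False), scancode))

def walk_list(pointer_tainting: bool, hops: int) -> int:
    """Benign code walks an untainted linked list whose head was selected
    through a tainted index; returns how many payload fields end up tainted."""
    m = TaintMachine(pointer_tainting)
    heads, node = 0x2000, 0x3000  # constructed addresses; nodes are [payload, next]
    m.store((heads + 1, False), (node, False))
    for i in range(hops):
        m.store((node + 16 * i, False), (100 + i, False))
        m.store((node + 16 * i + 8, False), (node + 16 * (i + 1), False))
    cur = m.load(add((heads, False), (1, True)))  # tainted selector picks the head
    tainted = 0
    for _ in range(hops):
        tainted += m.load(cur)[1]
        cur = m.load(add(cur, (8, False)))  # the next pointer inherits the taint
    return tainted
```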

Published in

ACM Conferences
EuroSys '09: Proceedings of the 4th ACM European conference on Computer systems
April 2009
342 pages
ISBN: 9781605584829
DOI: 10.1145/1519065

Copyright © 2009 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance rates: overall acceptance rate 241 of 1,308 submissions, 18%