ABSTRACT
This paper evaluates pointer tainting, an incarnation of Dynamic Information Flow Tracking (DIFT), which has recently become an important technique in system security. Pointer tainting has been used for two main purposes: detection of privacy-breaching malware (e.g., trojan keyloggers obtaining the characters typed by a user), and detection of memory corruption attacks against non-control data (e.g., a buffer overflow that modifies a user's privilege level). In both of these cases the attacker does not modify control data such as stored branch targets, so the control flow of the target program does not change. Phrased differently, in terms of instructions executed, the program behaves 'normally'. As a result, these attacks are exceedingly difficult to detect. Pointer tainting is considered one of the onlymethods for detecting them in unmodified binaries. Unfortunately, almost all of the incarnations of pointer tainting are flawed. In particular, we demonstrate that the application of pointer tainting to the detection of keyloggers and other privacybreaching malware is problematic. We also discuss whether pointer tainting is able to reliably detect memory corruption attacks against non-control data. Pointer tainting generates itself the conditions for false positives. We analyse the problems in detail and investigate various ways to improve the technique. Most have serious drawbacks in that they are either impractical (and incur many false positives still), and/or cripple the technique's ability to detect attacks. In conclusion, we argue that depending on architecture and operating system, pointer tainting may have some value in detecting memory orruption attacks (albeit with false negatives and not on the popular x86 architecture), but it is fundamentally not suitable for automated detecting of privacy-breaching malware such as keyloggers.
- P. Akritidis, C. Cadar, C. Raiciu, M. Costa, and M. Castro. Preventing memory error exploits with WIT. In SP '08: 2008 IEEE Symposium on Security and Privacy, 2008. Google ScholarDigital Library
- F. Bellard. Qemu, a fast and portable dynamic translator. In ATEC '05: 2005 USENIX Annual Technical Conference, 2005. Google ScholarDigital Library
- S. Bhatkar, R. Sekar, and D. C. DuVarney. Efficient techniques for comprehensive protection from memory error exploits. In SSYM'05: 14th USENIX Security Symposium, 2005. Google ScholarDigital Library
- M. Castro, M. Costa, and T. Harris. Securing software by enforcing data-flow integrity. In OSDI '06: 7th symposium on Operating systems design and implementation, 2006. Google ScholarDigital Library
- L. Cavallaro, P. Saxena, and R. Sekar. On the limits of information flow techniques for malware analysis and containment. In DIMVA '08: 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 2008. Google ScholarDigital Library
- S. Chen, K. Pattabiraman, Z. Kalbarczyk, and R. K. Iyer. Formal reasoning of various categories of widely exploited security vulnerabilities using pointer taintedness semantics. In Proc. of IFIP SEC, 2004.Google ScholarCross Ref
- S. Chen, J. Xu, N. Nakka, Z. Kalbarczyk, and I. Ravishankar. Defeating memory corruption attacks via pointer taintedness detection. In DSN '05: Proceedings of the 2005 International Conference on Dependable Systems and Networks, 2005. Google ScholarDigital Library
- S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer. Non-control-data attacks are realistic threats. In SSYM'05: 14th USENIX Security Symposium, 2005. Google ScholarDigital Library
- M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of internet worms. In 20th ACM Symposium on Operating Systems Principles (SOSP), 2005. Google ScholarDigital Library
- C. Cowan, C. Pu, D. Maier, H. Hintony, Walpole J., P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks. In 7th USENIX Security Symposium, 1998. Google ScholarDigital Library
- J. Crandall and F. Chong. Minos: Control data attack prevention orthogonal to memory model. In 37th Interational Symposium on Microarchitecture, 2004. Google ScholarDigital Library
- M. Dalton, H. Kannan, and C. Kozyrakis. Deconstructing hardware architectures for security. In WDDD'06: 5th Annual Workshop on Duplicating, Deconstructing, and Debunking, 2006.Google Scholar
- M. Dalton, H. Kannan, and C. Kozyrakis. Raksha: a flexible information flow architecture for software security. In ISCA '07: Proceedings of the 34th annual international symposium on Computer architecture, 2007. Google ScholarDigital Library
- M. Dalton, H. Kannan, and C. Kozyrakis. Real-world buffer overflow protection for userspace and kernelspace. In SSYM'08: 17th Usenix Security Symposium, 2008. Google ScholarDigital Library
- D. Denning and P. Denning. Certification of programs for secure information flow. Commnic. ACM, 20 (7), 1977. Google ScholarDigital Library
- M. Egele, Ch. Kruegel, E. Kirda, H. Yin, and D. Song. Dynamic Spyware Analysis. In ATC'07: 2007 USENIX Annual Technical Conference, 2007. Google ScholarDigital Library
- K. Elphinstone, G. Klein, P. Derrin, T. Roscoe, and G. Heiser. Towards a practical, verified kernel. In HOTOS'07: 11th USENIX workshop on Hot topics in operating systems, 2007. Google ScholarDigital Library
- J. Giffin, S. Jha, and B. Miller. Efficient context-sensitive intrusion detection. In The 11th Annual Network and Distributed System Security Symposium (NDSS), 2004.Google Scholar
- A. Ho, M. Fetterman, C. Clark, A. Warfield, and S. Hand. Practical taint-based protection using demand emulation. In EuroSys '06: 1st ACM SIGOPS/EuroSys European Conference on Computer Systems, 2006. Google ScholarDigital Library
- T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Cheney, and Y. Wang. Cyclone: A safe dialect of C. In USENIX 2002 Annual Technical Conference, 2002. Google ScholarDigital Library
- S. Katsunuma, H. Kurita, R. Shioya, K. Shimizu, H. Irie, M. Goshima, and S. Sakai. Base address recognition with data flow tracking for injection attack detection. In PRDC '06: 12th Pacific Rim International Symposium on Dependable Computing, 2006. Google ScholarDigital Library
- J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In 12th Annual Network and Distributed System Security Symposium (NDSS), 2005.Google Scholar
- G. Portokalidis, A. Slowinska, and H. Bos. Argos: an emulator for fingerprinting zero-day attacks. In EuroSys '06: 1st ACM SIGOPS/EuroSys European Conference on Computer Systems, 2006. Google ScholarDigital Library
- ProcessLibrary.com. zango.exe. http://www.processlibrary.com/directory/files/zango/.Google Scholar
- Niels Provos. Improving host security with system call policies. In 12th USENIX Security Symposium, 2003. Google ScholarDigital Library
- Dan Raywood. Sinowal trojan steals data from around 500,000 cards and accounts. SC Magazine, Oct 2008.Google Scholar
- E. Suh, J. Lee, D. Zhang, and S. Devadas. Secure program execution via dynamic information flow tracking. SIGARCH Comput. Archit. News, 32 (5): 85--96, 2004. Google ScholarDigital Library
- G. Venkataramani, I. Doudalis, Y. Solihin, and M. Prvulovic. Flexitaint: A programmable accelerator for dynamic taint propagation. In HPCA'08, 2008.Google ScholarCross Ref
- W. Xu, S. Bhatkar, and R. Sekar. Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks. In 15th USENIX Security Symposium, 2006. Google ScholarDigital Library
- H. Yin, Z. Liang, and D. Song. HookFinder: Identifying and understanding malware hooking behaviors. In 15th Annual Network and Distributed System Security Symposium (NDSS'08), 2008.Google Scholar
- H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda. Panorama: capturing system-wide information flow for malware detection and analysis. In CCS '07: Proc. of the 14th ACM conference on Computer and communications security, 2007. Google ScholarDigital Library
Index Terms
- Pointless tainting?: evaluating the practicality of pointer tainting
Recommendations
Tainting is not pointless
Pointer tainting is a form of Dynamic Information Flow Tracking used primarily to prevent software security attacks such as buffer overflows. Researchers have also applied pointer tainting to malware and virus analysis.
A recent paper by Slowinska and ...
TASEL: dynamic taint analysis with selective control dependency
RACS '14: Proceedings of the 2014 Conference on Research in Adaptive and Convergent SystemsDynamic Taint Analysis (DTA) is an approach used for software testing and vulnerability analysis. The vanilla DTA method is widely used, but its simple taint propagation does not consider any control dependency. Therefore, vanilla DTA generally suffers ...
Comments