Xiao-Song Zhang,Liu Zhi,Da-Peng Chen

DOI: https://doi.org/10.1109/icacia.2008.4769974

2008-01-01

Abstract:Malware has posted a great risk to the privacy of users and data. Unfortunately, current anomaly detection is both coarse-grained and ineffective to detect them, because some behaviors can only be triggered in specific circumstances, moreover, it is difficult to analyze and evaluate compromised data. In this paper, we address the two problems via taint-based analysis. First, we precisely characterize malware behaviors in virtual environments, where behaviors can be completely explored by tainting return values of security-related system calls in order to traverse multiple execution branches. Second, sensitive data are also tainted to track their propagation to determine whether they are transmitted maliciously. A supporting distributed architecture is presented to optimize efficiency. Our approach is an effective complement to current anomaly-based models. The initial experiment demonstrates our system can detect a variety of malware with high accuracy and low overhead.

Ping Wang,Wen-Hui Lin,Wun Jie Chao,Kuo-Ming Chao,Chi-Chun Lo

DOI: https://doi.org/10.1109/icebe.2015.75

2015-01-01

Abstract:Most existing approaches focus on examining the values are dangerous for information flow within inter-suspicious modules of cloud applications (apps) in a host by using malware threat analysis, rather than the risk posed by suspicious apps were connected to the cloud computing server. Accordingly, this paper proposes a taint propagation analysis model incorporating a weighted spanning tree analysis scheme to track data with taint marking using several taint checking tools. In the proposed model, Android programs perform dynamic taint propagation to analyse the spread of and risks posed by suspicious apps were connected to the cloud computing server. In determining the risk of taint propagation, risk and defence capability are used for each taint path for assisting a defender in recognising the attack results against network threats caused by malware infection and estimate the losses of associated taint sources. Finally, a case of threat analysis of a typical cyber security attack is presented to demonstrate the proposed approach. Our approach verified the details of an attack sequence for malware infection by incorporating a finite state machine (FSM) to appropriately reflect the real situations at various configuration settings and safeguard deployment. The experimental results proved that the threat analysis model allows a defender to convert the spread of taint propagation to loss and practically estimate the risk of a specific threat by using behavioural analysis with real malware infection.

Ping Wang,Wun Jie Chao,Kuo-Ming Chao,Chi-Chun Lo

DOI: https://doi.org/10.1109/icebe.2014.40

2014-01-01

Abstract:Most existing approaches to developing cloud applications using threat analysis involve program vulnerability analyses for identifying the security holes associated with malware attacks. New malware attacks can bypass firewall-based detection by bypassing stack protection and by using Hypertext Transfer Protocol logging, kernel hacks, and library hack techniques, and to the cloud applications. In performing threat analysis for unspecified malware attacks, software engineers can use a taint analysis technique for tracking information flows between attack sources (malware) and detect vulnerabilities of targeted network applications. This paper proposes a threat risk analysis model incorporating an improved attack tree analysis scheme for solving the mobile security problem, in the model, Android programs perform taint checking to analyse the risks posed by suspicious applications. In probabilistic risk analysis, defence evaluation metrics are used for each attack path for assisting a defender simulate the attack results against malware attacks and estimate the impact losses. Finally, a case of threat analysis of a typical cyber security attack is presented to demonstrate the proposed approach.

Erzhou Zhu,Feng Liu,Zuo Wang,Alei Liang,Yiwen Zhang,Xuejian Li,Xuejun Li

DOI: https://doi.org/10.1016/j.cose.2015.03.008

IF: 5.105

2015-01-01

Computers & Security

Abstract:By analyzing information flow at runtime, dynamic taint analysis can precisely detect a wide range of vulnerabilities of software. However, it suffers from substantial runtime overhead and is incapable of discovering potential threats. Yet, realistically, the interested analyst doesn't have access to the source code of the malware. Therefore, the task of software flaw tracking becomes rather complicated. In order to cope with these issues, this paper proposes Dytaint, a novel lightweight 3-state dynamic taint analysis framework, for diagnosing more software vulnerabilities with lower runtime overhead. The framework works for the x86 binary executables and requires no special hardware assistance. Besides the tainted and the untainted states that are discussed by many popularly used taint analysis tools, the third state, controlled-taint state, is proposed to detect more types of software vulnerabilities. The new Chaining Hash Table which reduces the space for storing taint information without increasing the accessing time is also incorporated in the framework. Furthermore, two mechanisms, namely, the irrelevant API filtering based on the function recognition method and basic block handling, are introduced to optimize the runtime performance of our framework. The testing results by running SPEC CINT2006 benchmarks and various popular software have demonstrated that Dytaint is efficient which incurs only 3.1 times overhead to the native on average and practical which is able to discover not only all the real threats but also most of the potential ones.

Heping Tang,Shuguang Huang,Yongliang Li,Lei Bao

DOI: https://doi.org/10.1109/ICCET.2010.5485224

2010-01-01

Abstract:Untrusted Data originating from network input and configuration files, causes many software security problems. Keeping track of the propagation of untrusted data in program runtime is the main idea of dynamic taint analysis for vulnerability exploits detection. In this method data from network user input and configuration files were labeled as taint. In virtue of data flow analysis we design taint propagating algorithm, and define several taint detection policies for security-critical function which used taint data in dangerous ways that could cause vulnerability exploit. A vulnerability exploit detection prototype system was implemented. In contrast to other taint analysis systems, our prototype system has higher accuracy and vulnerability exploits coverage and low workloads.

Donghai Tian,Qianjin Ying,Xiaoqi Jia,Rui Ma,Changzhen Hu,Wenmao Liu

DOI: https://doi.org/10.1016/j.comnet.2021.108394

IF: 5.493

2021-01-01

Computer Networks

Abstract:With the development of cloud computing, more and more enterprises and institutes have deployed important computing tasks and data into virtualization environments. Virtualization security has become very important for cloud computing. When an attacker controls a victim’s virtual machine, he (or she) may launch malware for malicious purpose in that virtual machine. To defend against malware attacks in the cloud, many virtualization-based approaches are proposed. However, the existing methods suffer from limitations in terms of transparency and performance cost. To address these issues, we propose MDCHD, a novel malware detection solution for virtualization environments. This method first utilizes the Intel Processor Trace (IPT) mechanism to collect the run-time control flow information of the target program. Then, it converts the control flow information into color images. By doing so, we can utilize a CNN-based deep learning method to identify malware from the images. To improve the performance of our detection mechanism, we leverage Lamport’s ring buffer algorithm. In this way, the control flow information collector and security checker can work concurrently. The evaluation shows that our approach can achieve acceptable detection accuracy with a minimal performance cost.

Wei You,Bin Liang,Wenchang Shi,Peng Wang,Xiangyu Zhang

DOI: https://doi.org/10.1109/tdsc.2017.2740169

2020-01-01

Abstract:Dynamic taint analysis (DTA), as a mainstream information flow tracking technique, has been widely used in mobile security. On the Android platform, the existing DTA approaches are typically implemented by instrumenting the Dalvik virtual machine (DVM) interpreter or the Android emulator with taint enforcement code. The most prominent problem of the interpreter-based approaches is that they cannot work in the new Android RunTime (ART) environment introduced since the 5.0 release. For the emulator-based approaches, the most prominent problem is that they cannot be deployed on real devices. In addition, almost all the existing Android DTA approaches only concern the explicit information flow caused by data dependence, while completely ignore the impact of implicit information flow caused by control dependence. These problems limit their adoption in the latest Android system and make them ineffective in detecting the state-of-the-art malware whose privacy-breaching behaviors are inactivated in the analyzed environment (e.g., the emulator) or conducted via implicit information flow. In this paper, we present TaintMan, an ART-compatible DTA framework that can be deployed on unmodified and non-rooted Android devices. In TaintMan, the taint enforcement code is statically instrumented into both the target application and the system class libraries to track data flow and common control flow. A specially designed execution environment reconstruction technique, named reference hijacking, is proposed to force the target application to reference the instrumented system class libraries. By enforcing on-demand instrumentation and on-demand tracking, the performance overhead is significantly reduced. We have developed TaintMan and deployed it on two popular stock smartphones (HTC One S equipped with Android-4.0 and Motorola MOTO G equipped with Android-5.0). The evaluation with malware samples and real-world applications shows that TaintMan can effectively detect privacy leakage behaviors with an acceptable performance overhead.

Pankaj Kohli

DOI: https://doi.org/10.48550/arXiv.0906.4481

2009-07-01

Abstract:Memory corruption attacks remain the primary threat for computer security. Information flow tracking or taint analysis has been proven to be effective against most memory corruption attacks. However, there are two shortcomings with current taint analysis based techniques. First, these techniques cause application slowdown by about 76% thereby limiting their practicality. Second, these techniques cannot handle non-control data attacks i.e., attacks that do not overwrite control data such as return address, but instead overwrite critical application configuration data or user identity data. In this work, to address these problems, we describe a coarse-grained taint analysis technique that uses information flow tracking at the level of application data objects. We propagate a one-bit taint over each application object that is modified by untrusted data thereby reducing the taint management overhead considerably. We performed extensive experimental evaluation of our approach and show that it can detect all critical attacks such as buffer overflows, and format string attacks, including non-control data attacks. Unlike the currently known approaches that can detect such a wide range of attacks, our approach does not require the source code or any hardware extensions. Run-time performance overhead evaluation shows that, on an average, our approach causes application slowdown by only 37% which is an order of magnitude improvement over existing approaches. Finally, since our approach performs run-time binary instrumentation, it is easier to integrate it with existing applications and systems.

Cryptography and Security

Chengxu Yang,Yuanchun Li,Mengwei Xu,Zhenpeng Chen,Yunxin Liu,Gang Huang,Xuanzhe Liu

DOI: https://doi.org/10.1145/3468264.3468532

2021-01-01

Abstract:Big data has become valuable property for enterprises and enabled various intelligent applications. Today, it is common to host data in big data platforms (e.g., Spark), where developers can submit scripts to process the original and intermediate data tables. Meanwhile, it is highly desirable to manage the data to comply with various privacy requirements. To enable flexible and automated privacy policy enforcement, we propose TaintStream, a fine-grained taint tracking framework for Spark-like big data platforms. TaintStream works by automatically injecting taint tracking logic into the data processing scripts, and the injected scripts are dynamically translated to maintain a taint tag for each cell during execution. The dynamic translation rules are carefully designed to guarantee non-interference in the original data operation. By defining different semantics of taint tags, TaintStream can enable various data management applications such as access control, data retention, and user data erasure. Our experiments on a self-crafted benchmarksuite show that TaintStream is able to achieve accurate cell-level taint tracking with a precision of 93.0% and less than 15% overhead. We also demonstrate the usefulness of TaintStream through several real-world use cases of privacy policy enforcement.

Ruoyu Zhang,Shan Huang,Zhengwei Qi

DOI: https://doi.org/10.1109/CMC.2011.76

2011-01-01

Abstract:Software security has drawn much attention recently. As an effective approach to detect software vulnerabilities and improve software security, dynamic taint analysis has been frequently researched in the last few years. In this paper, we implement a dynamic taint tracking system LTTS. In order to address the efficiency problem which exists in many of the current taint tracking systems, we also propose a taint behavior summary mechanism to optimize the system. According to our experiments, LTTS has achieved relative high efficiency compared to the existing techniques.

Haibo Chen,Xi Wu,Liwei Yuan,Binyu Zang,Pen-chung Yew,Frederic T. Chong

DOI: https://doi.org/10.1145/1394608.1382156

2008-01-01

ACM SIGARCH Computer Architecture News

Abstract:Dynamic information flow tracking (also known as taint tracking) is an appealing approach to combat various security attacks. However, the performance of applications can severely degrade without hardware support for tracking taints. This paper observes that information flow tracking can be efficiently emulated using deferred exception tracking in microprocessors supporting speculative execution. Based on this observation, we propose SHIFT, a low-overhead, software-based dynamic information flow tracking system to detect a wide range of attacks. The key idea is to treat tainted state (describing untrusted data) as speculative state (describing deferred exceptions). SHIFT leverages existing architectural support for speculative execution to track tainted state in registers and needs to instrument only load and store instructions to track tainted state in memory using a bitmap, which results in significant performance advantages. Moreover, by decoupling mechanisms for taint tracking from security policies, SHIFT can detect a wide range of exploits, including high-level semantic attacks. We have implemented SHIFT using the Itanium processor, which has support for deferred exceptions, and by modifying GCC to instrument loads and stores. A security assessment shows that SHIFT can detect both low-level memory corruption exploits as well as high-level semantic attacks with no false positives. Performance measurements show that SHIFT incurs about 1% overhead for server applications. The performance slowdown for SPEC-INT2000 is 2.81X and 2.27X for tracking at byte-level and wordlevel respectively. Minor architectural improvements to the Itanium processor (adding three simple instructions) can reduce the performance slowdown down to 2.32X and 1.8X for byte-level and word-level tracking, respectively.

唐和平,黄曙光,张亮

DOI: https://doi.org/10.3969/j.issn.1002-137x.2010.07.036

2010-01-01

Computer Science

Abstract:Untrusted data originating from network user input and configuration files,causes many software security problems,when operated by security-critical function without strict data validation.Keeping track of the propagation of untrusted data is the main idea of dynamic taint analysis for vulnerability exploits detection.Data derived from network user input and configuration files were labeled as taint.Executed taint propagating algorithm by virtue of data flow analysis,and carried out several taint detection policies for each security-critical function.A vulnerability exploits detection prototype system was implemented on open source emulator and many optimization mechanisms were deployed.

Ping Wang,Kuo-Ming Chao,Chi-Chun Lo,Wen-Hui Lin,Hsiao-Chung Lin,Wun-Jie Chao

DOI: https://doi.org/10.1177/1550147716662947

IF: 1.938

2016-01-01

International Journal of Distributed Sensor Networks

Abstract:Numerous security concerns exist in smart home systems in which Internet of Things devices are connected through a home network to enable control using a centralised gateway with a handset device from the Internet. Safeguarding personal information privacy is an increasing concern in smart living services. To guarantee the mobile security of smart living services, security managers use taint checking approaches with dynamic taint propagation analysis operations to examine how a software-defined networking app uses sensitive information and investigate suspicious security vulnerabilities of devices and the effects of the spread of taint propagation over the Internet by identifying taint paths. For solving the dynamic taint propagation analysis problem, most approaches focus on cloud computing applications (apps) with malware threat analysis that involves program vulnerability analyses, rather than on the risk posed by suspicious apps connected to the cloud computing server. Accordingly, this article proposes a taint propagation analysis model incorporating a weighted spanning tree analysis scheme for tracking data with taint marking using several taint checking tools with an open software-defined networking architecture for solving the dynamic taint propagation analysis problem. In the proposed model, Android programs perform dynamic taint propagation to analyse the spread of risks posed by suspicious apps connected to the centralised gateway in a smart home system. In probabilistic risk analysis, risk and defence capability are used for each taint path to assist a defender in recognising the attack results against network threats caused by malware infection and to estimate the losses of associated taint sources. A case of threat analysis of a typical cyber security attack is presented to demonstrate the proposed approach. A new approach was used for verifying the details of an attack sequence for malware infection by incorporating a finite state machine to appropriately represent the real dynamic taint propagation analysis situations at various configuration settings and safeguard deployment. The experimental results proved that the threat analysis model enables a defender to convert the spread of taint propagation to loss and estimate the risk of a specific threat using behavioural analysis associated with 60 families of real malware. Consequently, our scheme was significantly effective in predicting the risk and loss of tainted data propagation for security concerns in smart home systems when the number of taint paths associated with the propagation rules discovered through taint analysis was increased.

CHEN Yan-ling,ZHAO Jing

DOI: https://doi.org/10.3724/sp.j.1087.2011.02367

2011-01-01

Abstract:The record of the current taint analysis tool is not accurate.To solve this,dynamic taint analysis based on the virtual technology was studied and implemented.A virtualization based dynamic taint analysis framework was designed,and two kinds of taint signature models based on Hook technology and Hash-traversal technology were given respectively for memory taint and hard disk taint.A taint propagation strategy was put forward according to the instruction type which was classified by instruction encoding format of InterAMD,and a taint record strategy based on instruction filtering was given to solve the problem of redundant information records.The experimental results prove that the proposed method is effective,and can be well used in test case generation and vulnerability detection of fuzzy test.

Haibo Chen,Xi Wu,Liwei Yuan,Binyu Zang,Pen-chung Yew,Frederic T. Chong

DOI: https://doi.org/10.1109/isca.2008.18

2008-01-01

Abstract:Dynamic information flow tracking (also known as taint tracking) is an appealing approach to combat various security attacks. However, the performance of applications can severely degrade without hardware support for tracking taints. This paper observes that information flow tracking can be efficiently emulated using deferred exception tracking in microprocessors supporting speculative execution. Based on this observation, we propose SHIFT, a low-overhead, software-based dynamic information flow tracking system to detect a wide range of attacks. The key idea is to treat tainted state (describing untrusted data) as speculative state (describing deferred exceptions). SHIFT leverages existing architectural support for speculative execution to track tainted state in registers and needs to instrument only load and store instructions to track tainted state in memory using a bitmap, which results in significant performance advantages. Moreover, by decoupling mechanisms for taint tracking from security policies, SHIFT can detect a wide range of exploits, including high-level semantic attacks. We have implemented SHIFT using the Itanium processor, which has support for deferred exceptions, and by modifying GCC to instrument loads and stores. A security assessment shows that SHIFT can detect both low-level memory corruption exploits as well as high-level semantic attacks with no false positives. Performance measurements show that SHIFT incurs about 1% overhead for server applications. The performance slowdown for SPEC-INT2000 is 2.81X and 2.27X for tracking at byte-level and wordlevel respectively. Minor architectural improvements to the Itanium processor (adding three simple instructions) can reduce the performance slowdown down to 2.32X and 1.8X for byte-level and word-level tracking, respectively.

Maoyu Yang,Xu Zhou,Danjun Liu,Lei Zhou,Yong Tang

DOI: https://doi.org/10.1109/eiect60552.2023.10442540

2023-01-01

Abstract:Dynamic taint analysis is a common and efficient technique in program analysis. IoT devices are widespread and generally have weak protection, making them a hotspot for vulnerabilities. Although some dynamic taint analysis tools and frameworks have been proposed for IoT firmware, they all suffer from one or more issues: performance degradation, lack of generality, or being limited to user mode only. We propose a cross-platform, full-system simulation dynamic taint analysis framework for IoT firmware, Firmware Dynamic Taint Analysis Framework (FDTAF). FDTAF provides a novel Virtual Machine Introspection (VMI) combined with bit-level taint propagation at TCG layer of QEMU. Additionally, we provide analysis tools for the generated taint data flow to improve the usability of dynamic taint analysis when analyzing IoT devices. The implementation of FDTAF includes 1680 lines of C++ code, 9490 lines of C code, and 320 lines of Python code. We present a comparison of the applicability of FDTAF and DECAF in firmware analysis and validate the practicality of the analysis framework using real-world vulnerabilities.

Deqing Zou,Jian Zhao,Weiming Li,Yueming Wu,Weizhong Qiang,Hai Jin,Ye Wu,Yifei Yang

DOI: https://doi.org/10.1109/jiot.2018.2838569

IF: 10.6

2018-01-01

IEEE Internet of Things Journal

Abstract:The problem of cloud forensics aims at processing multidimensional, massive, and heterogeneous data to collect and recover evidence in cloud environment. Existing approaches focus on excavating all suspicious behaviors from data and ignore privacy leakage details and behavioral characteristics. In order to conduct privacy leakage analysis in cloud specifically, we propose a multigranularity privacy leakage forensics method to analyze privacy violations caused by malware in cloud environment. By simulating the target virtual machine environment, our method can detect privacy leakage behaviors of malware without touching user's privacy data. We combine continuous RAM mirroring technology and dynamic taint analysis to assist the forensics investigation. To demonstrate the efficacy and utility of our method, we evaluate its performance with some real-world malware samples by comparing with some state-of-the-art malware analysis systems. Experimental results indicate that our method can identify more privacy leakage paths and behaviors.

Jie Lin,Chuanyi Liu,Binxing Fang

DOI: https://doi.org/10.1145/2660267.2662377

2014-01-01

Abstract:Building a trustworthy cloud is critical for its practical use. Most current researches usually take integrity measurements using trusted computing to address trust issue, such as integrity measurement architecture (IMA) implemented in Linux kernel. However, some runtime attacks intrude the system while not tampering with the programs, which cannot be detected by integrity mechanism. We call them non-tampering attacks. This paper presents TraceVirt, a framework for detecting these non-tampering attacks, which combines the strong isolation and event-driven capacity to log runtime information. The logging data is processed by remote intrusion analysis cluster to analyze potential attacks. The experimental results show that TraceVirt can detect the real world non-tampering attacks and the performance overhead is acceptable.

Erzhou Zhu,Haibing Guan,Alei Liang,Rongbin Xu,Xuejian Li,Feng Liu

DOI: https://doi.org/10.1007/978-3-642-38715-9_28

2013-01-01

Abstract:For the purpose of discovering security flaws in software, many dynamic and static taint analyzing techniques have been proposed. The dynamic techniques can precisely find the security flaws of the software; but it suffers from substantial runtime overhead. On the other hand, the static techniques require no runtime overhead; but it is often not accurate enough. In this paper, we propose HYBit, a novel hybrid framework which integrates dynamic and static taint analysis to diagnose the security flaws for binary programs. In the framework, the source binary is first analyzed by the dynamic taint analyzer; then, with the runtime information provided by its dynamic counterpart, the static taint analyzer can process the unexecuted part of the target program easily. Furthermore, a taint behavior filtration mechanism is proposed to optimize the performance of the framework. We evaluate our framework from three perspectives: efficiency, coverage, and effectiveness, and the results are encouraging. © 2013 Springer-Verlag Berlin Heidelberg.

Wang Lei,Fang Chen,Mao Bing,Xie Li

DOI: https://doi.org/10.1109/DEPEND.2009.33

2009-01-01

Abstract:Memory corruption attacks account for most parts of malicious attacks toward software security. Recently dynamic taint analysis is proposed and is gaining momentum. This proposed technique attempts to defeat attacks by checking the taintedness and integrity of pointers when accessing memory since vulnerabilities are always motivated by tainting pointers. Unfortunately, there exists some class of attacks without tainting pointers, such as array bounds violation attacks using pointers. In this paper, we propose a novel approach to defeat this kind of undetected attacks using taint-based tracking analysis. Our notion is based on the memory access control, that is, first, we will check the taintedness of the pointers when accessing memory like existing taint-based approaches, second, we will check whether or not the memory area is in the legitimate range of a pointer used to access this memory. Our implementation dose not need source code and is based on Valgrind, hence works on commodity software. To demonstrate our idea, we performed a preliminary empirical experiments, the results are quite promising: TMAC can effectively detect a wide range of attacks, and the average runtime overhead is close to Memcheck, a widely memory error detector. © 2009 IEEE.