On Some Limitations of Information Flow Tracking in Full-system Emulators

Tracking and verification of data flows includes set of techniques that can be applied to make applications more secure, to perform software analysis for debugging or reverse engineering, and so on. Taint analysis is one of the techniques used to control data flows. This paper presents an approach for system-wide lightweight platform-aware taint analysis. We implemented proof-of-concept tool based on our approach for i386 platform upon the multi-platform simulator QEMU. Our approach uses instrumentation of QEMU intermediate representation of binary code and processes up to 8 taints simultaneously. Most of the taint analysis code is target-independent and may be used with other target platforms. For some platforms (i386 with Windows XP and Windows 7) we present Virtual Machine Introspection plugins for automatic file tainting. We demonstrate how our taint analysis system may be used to detect exploitation of software vulnerabilities.

taint analysis, dynamic analysis, QEMU

1. ortokalidis G., Slowinska A., Bos H. Argos: An emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation. Proceedings of the 1st ACMSIGOPS/EuroSys European Conference on Computer Systems. New York. 2006. pp. 15-27.

2. Srinivasan D., Jiang X. Timescope: Time-Traveling Forensic Analysis of VM-Based High-Interaction Honeypots. In: Security and Privacy in Communication Networks: 7th International ICST Conference, SecureComm 2011, London, UK, September 7-9, 2011, Revised Selected Papers. Springer Berlin Heidelberg, 2012. pp. 209-226.

3. Kemerlis V.P., Portokalidis G., Jee K., Keromytis A.D. libdft: practical dynamic data flow tracking for commodity systems. VEE. 2012. pp. 121-132.

4. Clause J.A., Li W., Orso A. Dytan: a generic dynamic taint analysis framework. ISSTA. 2007. pp. 196-206.

5. Bosman E., Slowinska A., Bos H. Minemu: The World's Fastest Taint Tracker. RAID. 2011. Vol. 6961. pp. 1-20.

6. J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum, “Understanding data lifetime via whole system simulation,” in Proceedings of the 13th Conference on USENIX Security Symposium - Volume 13, ser. SSYM’04. Berkeley, CA, USA: USENIX Associati [web-resource]

7. Henderson A., Prakash A., Yan L.K., Hu X., Wang X., Zhou R., Yin H. Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform. The International Symposium on Software Testing and Analysis (ISSTA'14). San Jose. 2014.

8. R. Whelan T.L.D.K. Architecture-independent dynamic information flow tracking. Proceedings of the 22Nd International Conference on Compiler Construction. Berlin. 2013.

9. Lattner C., Adve V. LLVM: A compilation framework for lifelong program analysis & transformation. Proceedings of the 2004 International Symposium on Code Generation and Optimization. 2004.

10. Clang [web-resource]. http://clang.llvm.org/ (last visit: 29.09.2015).

11. Raffetseder T., Kruegel C., Kirda E. Detecting system emulators. Proceedings of the 10th International Conference on Information Security. 2007. pp. 1 - 18.

12. Kang M.G., McCamant S., Poosankam P., Song D. DTA++: dynamic taint analysis with targeted control-flow propagation. Proceedings of the Network and Distributed System Security Symposium. San Diego. 2011.