Practical taint-based protection using demand emulation

Published: 18 April 2006

Abstract

Many software attacks are based on injecting malicious code into a target host. This paper demonstrates the use of a well-known technique, data tainting, to track data received from the network as it propagates through a system and to prevent its execution. Unlike past approaches to taint tracking, which track tainted data by running the system completely in an emulator or simulator, resulting in considerable execution overhead, our work demonstrates the ability to dynamically switch a running system between virtualized and emulated execution. Using this technique, we are able to explore hardware support for taint-based protection that is deployable in real-world situations, as emulation is only used when tainted data is being processed by the CPU. By modifying the CPU, memory, and I/O devices to support taint tracking and protection, we guarantee that data received from the network may not be executed, even if it is written to, and later read from disk. We demonstrate near native speeds for workloads where little taint data is present.

Published In

ACM SIGOPS Operating Systems Review, Volume 40, Issue 4
Proceedings of the 2006 EuroSys conference
October 2006
383 pages
ISSN:0163-5980
DOI:10.1145/1218063
  • EuroSys '06: Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006
    April 2006
    420 pages
    ISBN:1595933220
    DOI:10.1145/1217935

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 18 April 2006
Published in SIGOPS Volume 40, Issue 4

Author Tags

  1. QEMU
  2. Xen
  3. demand emulation
  4. emulation
  5. false tainting
  6. tainting
  7. virtual machine
  8. virtualization

Qualifiers

  • Article

Cited By

  • (2022) Hybrid Pruning: Towards Precise Pointer and Taint Analysis. Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 1-22. DOI: 10.1007/978-3-031-09484-2_1. Online publication date: 24-Jun-2022
  • (2020) Scaling static taint analysis to industrial SOA applications: a case study at Alibaba. Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 1477-1486. DOI: 10.1145/3368089.3417059. Online publication date: 8-Nov-2020
  • (2019) Reducing Security Risks of Suspicious Data and Codes Through a Novel Dynamic Defense Model. IEEE Transactions on Information Forensics and Security 14:9, pp. 2427-2440. DOI: 10.1109/TIFS.2019.2901798. Online publication date: Sep-2019
  • (2019) A New Quantitative Evaluation Method for Fuzzing. Artificial Intelligence and Security, pp. 181-190. DOI: 10.1007/978-3-030-24265-7_16. Online publication date: 11-Jul-2019
  • (2014) TaintDroid. ACM Transactions on Computer Systems 32:2, pp. 1-29. DOI: 10.1145/2619091. Online publication date: 1-Jun-2014
  • (2014) On quantitative dynamic data flow tracking. Proceedings of the 4th ACM conference on Data and application security and privacy, pp. 211-222. DOI: 10.1145/2557547.2557551. Online publication date: 3-Mar-2014
  • (2012) Dataflow Tomography. ACM Transactions on Architecture and Code Optimization 9:1, pp. 1-26. DOI: 10.1145/2133382.2133385. Online publication date: 1-Mar-2012
  • (2011) Fine-grained user-space security through virtualization. ACM SIGPLAN Notices 46:7, pp. 157-168. DOI: 10.1145/2007477.1952703. Online publication date: 9-Mar-2011
  • (2011) Fine-grained user-space security through virtualization. Proceedings of the 7th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, pp. 157-168. DOI: 10.1145/1952682.1952703. Online publication date: 9-Mar-2011
  • (2011) TaintEraser. ACM SIGOPS Operating Systems Review 45:1, pp. 142-154. DOI: 10.1145/1945023.1945039. Online publication date: 18-Feb-2011