Pointless Tainting? Evaluating the Practicality of Pointer Tainting

Pointless Tainting? Evaluating the Practicality of Pointer Tainting (2009)

Cached

Download Links

by Asia Slowinska , Herbert Bos

Venue:	EUROSYS '09
Citations:	18 - 0 self

BibTeX

@MISC{Slowinska09pointlesstainting?,
    author = {Asia Slowinska and Herbert Bos},
    title = {Pointless Tainting? Evaluating the Practicality of Pointer Tainting},
    year = {2009}
}

Bookmark

OpenURL

Abstract

This paper evaluates pointer tainting, an incarnation of Dynamic Information Flow Tracking (DIFT), which has recently become an important technique in system security. Pointer tainting has been used for two main purposes: detection of privacy-breaching malware (e.g., trojan keyloggers obtaining the characters typed by a user), and detection of memory corruption attacks against non-control data (e.g., a buffer overflow that modifies a user’s privilege level). In both of these cases the attacker does not modify control data such as stored branch targets, so the control flow of the target program does not change. Phrased differently, in terms of instructions executed, the program behaves ‘normally’. As a result, these attacks are exceedingly difficult to detect. Pointer tainting is considered one of the only methods for detecting them in unmodified binaries. Unfortunately, almost all of the incarnations of pointer tainting are flawed. In particular, we demonstrate that the application of pointer tainting to the detection of keyloggers and other privacybreaching malware is problematic. We also discuss whether pointer tainting is able to reliably detect memory corruption attacks against non-control data. We found that pointer tainting generates itself the conditions for false positives. We analyse the problems in detail and investigate various ways to improve the technique. Most have serious drawbacks in that they are either impractical (and incur many false positives still), and/or cripple the technique’s ability to detect attacks. In conclusion, we argue that depending on architecture and operating system, pointer tainting may have some

Citations

407	Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks - Cowan, Pu, et al.
380	Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software - Newsome, Song - 2005
348	Certification of programs for secure information flow - Denning, Denning - 1977
274	Cyclone: A Safe Dialect - Jim, Morrisett, et al. - 2002
217	Improving host security with system call policies - Provos - 2003
206	Vigilante: End-to-end containment of internet worms - Cost, Crowcroft, et al. - 2005
166	Secure program execution via dynamic information flow tracking - Suh, Lee, et al. - 2004
147	Minos: Control data attack prevention orthogonal to memory model - Crandall, Chong - 2004
114	Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks - Xu, Bhatkar, et al. - 2006
107	Non-control-data attacks are realistic threats - Chen, Xu, et al. - 2005
86	Panorama: capturing system-wide information flow for malware detection and analysis - Yin, Song, et al. - 2007
71	Efficient Context-Sensitive Intrusion Detection - Giffin, Jha, et al. - 2004
63	Raksha: A flexible information flow architecture for software security - Dalton, Kannan, et al. - 2007
61	Efficient Techniques for Comprehensive Protection from Memory Error Exploits - Bhatkar, Sekar, et al. - 2005
57	Argos: an emulator for fingerprinting zero-day attacks - Portokalidis, Slowinska, et al. - 2006
55	Practical taint-based protection using demand emulation - Ho, Fetterman, et al. - 2006
53	Securing software by enforcing data-flow integrity - Castro, Costa, et al. - 2006
49	Dynamic Spyware Analysis - Egele, Kruegel, et al. - 2007
44	Defeating Memory Corruption Attacks via Pointer Taintedness Detection - Chen, Xu, et al.
32	Preventing memory error exploits with WIT - Akritidis, Cadar, et al. - 2008
19	Towards a practical, verified kernel - Elphinstone, Klein, et al. - 2007
19	Flexitaint: A programmable accelerator for dynamic taint propagation - Venkataramani, Doudalis, et al. - 2008
18	HookFinder: Identifying and understanding malware hooking behaviors - Yin, Liang, et al. - 2008
15	On the limits of information flow techniques for malware analysis and containment - Cavallaro, Saxena, et al. - 2008
15	Deconstructing hardware architectures for security - Dalton, Kannan, et al. - 2006
10	Real-world buffer overflow protection for userspace and kernelspace - Dalton, Kannan, et al. - 2008
6	Eudaemon: Involuntary and On-Demand Emulation Against Zero- Day Exploits - Portokalidis, Bos
6	The Age of Data: Pinpointing guilty bytes in polymorphic buffer overflows on heap or stack - Slowinska, Bos - 2007
5	Formal reasoning of various categories of widely exploited security vulnerabilities using pointer taintedness semantics - Chen, Pattabiraman, et al. - 2004
2	Base address recognition with data flow tracking for injection attack detection - Katsunuma, Kurita, et al. - 2006
1	http: //www.processlibrary.com/directory/files/zango - exe
1	Sinowal trojan steals data from around 500,000 cards and accounts - Raywood - 2008