
PDIFT++: System-Wide Memory Tracking Using a Single-Process Memory Tracker

  • Original Research
  • SN Computer Science

Abstract

Information-flow tracking is useful for preventing malicious code execution and sensitive information leakage. Unfortunately, the performance penalty of the currently available solutions is too high for real-world applications. This paper presents PDIFT++, a hybrid system-wide dynamic information-flow tracker. PDIFT++ uses a hypervisor for coarse memory tracking and an emulator for fine memory tracking. The switching between the two modes allows PDIFT++ to achieve high performance without compromising the memory tracking precision. In addition, PDIFT++ provides system-wide tracking by monitoring system calls that can transmit information between two processes and between a process and a file system. The results show that PDIFT++ induces a performance penalty of 26% on average.



Author information

Correspondence to Michael Kiperberg.

Ethics declarations

Conflict of Interest

On behalf of all authors, the corresponding author states that there is no conflict of interest.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article is part of the topical collection “Recent Trends on Information Systems Security and Privacy” guest edited by Steven Furnell and Paolo Mor.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article


Cite this article

Kiperberg, M., Zaidenberg, N. PDIFT++: System-Wide Memory Tracking Using a Single-Process Memory Tracker. SN COMPUT. SCI. 5, 226 (2024). https://doi.org/10.1007/s42979-023-02555-w
