Abstract
Information-flow tracking is useful for preventing malicious code execution and sensitive information leakage. Unfortunately, the performance penalty of the currently available solutions is too high for real-world applications. This paper presents PDIFT++, a hybrid system-wide dynamic information-flow tracker. PDIFT++ uses a hypervisor for coarse memory tracking and an emulator for fine memory tracking. The switching between the two modes allows PDIFT++ to achieve high performance without compromising the memory tracking precision. In addition, PDIFT++ provides system-wide tracking by monitoring system calls that can transmit information between two processes and between a process and a file system. The results show that PDIFT++ induces a performance penalty of 26% on average.
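The following toy model is an added illustration of the hybrid scheme the abstract describes, not code from PDIFT++ or its authors: a coarse page-level taint set stands in for the hypervisor view, a byte-level shadow map for the emulator view, a memory move only enters the slow path when it touches a tainted page, and write/read system calls carry taint through a file into a second process. It assumes a 4 KiB page and that writes and reads start at file offset 0.

```python
PAGE = 4096  # assumed page size for the coarse (hypervisor-level) view

class HybridTracker:
    """Toy model: coarse page tracking, fine byte tracking, syscall propagation."""

    def __init__(self):
        self.tainted_pages = set()  # {(pid, page)}: the coarse view the hypervisor traps on
        self.shadow = {}            # {(pid, addr): True}: the emulator's byte-precise view
        self.file_taint = {}        # {path: {offset}}: taint carried through the file system
        self.emulated = 0           # how many moves had to take the slow emulation path

    def _set(self, pid, addr, tainted):
        page = (pid, addr // PAGE)
        if tainted:
            self.shadow[(pid, addr)] = True
            self.tainted_pages.add(page)
        else:
            self.shadow.pop((pid, addr), None)
            # a page leaves the coarse set only once none of its bytes is tainted
            if not any(p == pid and a // PAGE == page[1] for p, a in self.shadow):
                self.tainted_pages.discard(page)

    def taint_source(self, pid, addr, n):
        """Mark n bytes as tainted, e.g. a buffer filled from an untrusted input."""
        for a in range(addr, addr + n):
            self._set(pid, a, True)

    def copy(self, pid, dst, src, n):
        """A memory-to-memory move of n bytes; returns the mode that handled it."""
        touched = {(pid, a // PAGE) for a in list(range(src, src + n)) + list(range(dst, dst + n))}
        if touched.isdisjoint(self.tainted_pages):
            return "native"   # no tainted page involved: runs at full speed, no trap
        self.emulated += 1    # a tainted page is touched: trap and emulate byte by byte
        for i in range(n):
            self._set(pid, dst + i, (pid, src + i) in self.shadow)
        return "emulated"

    def sys_write(self, pid, path, buf, n):
        """write(2) at offset 0: tainted bytes of buf taint the same file offsets."""
        self.file_taint[path] = {i for i in range(n) if (pid, buf + i) in self.shadow}

    def sys_read(self, pid, path, buf, n):
        """read(2) at offset 0: tainted file offsets taint the reader's memory."""
        offs = self.file_taint.get(path, set())
        for i in range(n):
            self._set(pid, buf + i, i in offs)

    def is_tainted(self, pid, addr):
        return (pid, addr) in self.shadow

def demo():
    t = HybridTracker()
    t.taint_source(1, 0x1000, 16)          # constructed: process 1 holds 16 untrusted bytes
    fast = t.copy(1, 0x5000, 0x4000, 64)   # clean pages only: stays on the native path
    slow = t.copy(1, 0x2008, 0x1008, 8)    # touches a tainted page: emulated, byte-precise
    t.sys_write(1, "/tmp/x", 0x2000, 16)   # offsets 0..7 clean, 8..15 tainted
    t.sys_read(2, "/tmp/x", 0x9000, 16)    # process 2 picks up exactly those 8 bytes
    return fast, slow, t.is_tainted(2, 0x9007), t.is_tainted(2, 0x9008), t.emulated
```

The second process ends up with only the eight bytes that were actually tainted, which is the precision a purely page-level tracker would lose by marking the whole page.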
On behalf of all authors, the corresponding author states that there is no conflict of interest.
This article is part of the topical collection “Recent Trends on Information Systems Security and Privacy” guest edited by Steven Furnell and Paolo Mor.
Cite this article
Kiperberg, M., Zaidenberg, N. PDIFT++: System-Wide Memory Tracking Using a Single-Process Memory Tracker. SN COMPUT. SCI. 5, 226 (2024). https://doi.org/10.1007/s42979-023-02555-w
DOI: https://doi.org/10.1007/s42979-023-02555-w