libdft

Abstract: Dynamic data flow tracking (DFT) deals with tagging and tracking data of interest as they propagate during program execution. DFT has been repeatedly implemented by a variety of tools for numerous purposes, including protection from zero-day and cross-site scripting attacks, detection and prevention of information leaks, and for the analysis of legitimate and malicious software. We present libdft, a dynamic DFT framework that unlike previous work is at once fast, reusable, and works with commodity software and… Show more

“…One of its first practical instantiations was employed in detecting and defending against software attacks [19], while it has found many more applications since then. Currently, dynamic tracking approaches range from per-process taint tracking [6,8,14,19,21,25,29], to wholesystem tracking [9,10,20,27] using emulation environments and hardware extensions.…”

“…Most application-level taint tracking tools, like TaintCheck [19], TaintTrace [6], libdft [14], Dytan [8], and LIFT [21] use dynamic binary instrumentation (DBI) frameworks, like PIN [15], StarDBT [5] and Valgrind [18]. While quite effective and useful, as they do not require any modifications to source code or customized hardware, they impose significant impact on the performance, as every instruction needs to be instrumented, and additional storage, usually called shadow memory, is required for storing the tags.…”

“…In contrast to previous approaches, that use slow-emulators or VMs to perform system-wide taint tracking, in Taint-Exchange we use an already available and fast single-process taint-tracking framework [14], and extend it to perform fine-grained, cross-process, and cross-host transfer of taint information. Although our design was inspired by prior works, it addresses different challenges, is more general, and completely transparent to applications.…”

“…This paper presents a generic cross-process and cross-host taint tracking framework, called Taint-Exchange. Our system, builds on the libdft open-source data flow tracking (DFT) framework [14], which performs taint tracking on unmodified binary processes using Intel's Pin dynamic binary instrumentation framework [15]. We have extended libdft to enable transfer of taint information for data exchanged between hosts through network sockets, and between processes using pipes and unix sockets.…”

“…Taint-Exchange is based on libdft [14], a customizable DFT framework that offers an extensive API for creating tools -Taint-Exchange operates transparently on unmodified x86 Linux binaries, allowing real-world legacy applications to take advantage of our framework transparently -We offer flexible configuration of taint sources, as well as allowing mixing our own fine-grained taint transferring sockets with ordinary sockets. For example, many security-oriented DTA implementations [19] do not support configurable taint sources, and mark all incoming network as tainted -We improved on inter-process taint tracking over previous system-wide tracking systems (e.g.…”

Taint-Exchange: A Generic System for Cross-Process and Cross-Host Taint Tracking

“…One of its first practical instantiations was employed in detecting and defending against software attacks [19], while it has found many more applications since then. Currently, dynamic tracking approaches range from per-process taint tracking [6,8,14,19,21,25,29], to wholesystem tracking [9,10,20,27] using emulation environments and hardware extensions.…”

“…Most application-level taint tracking tools, like TaintCheck [19], TaintTrace [6], libdft [14], Dytan [8], and LIFT [21] use dynamic binary instrumentation (DBI) frameworks, like PIN [15], StarDBT [5] and Valgrind [18]. While quite effective and useful, as they do not require any modifications to source code or customized hardware, they impose significant impact on the performance, as every instruction needs to be instrumented, and additional storage, usually called shadow memory, is required for storing the tags.…”

“…In contrast to previous approaches, that use slow-emulators or VMs to perform system-wide taint tracking, in Taint-Exchange we use an already available and fast single-process taint-tracking framework [14], and extend it to perform fine-grained, cross-process, and cross-host transfer of taint information. Although our design was inspired by prior works, it addresses different challenges, is more general, and completely transparent to applications.…”

“…This paper presents a generic cross-process and cross-host taint tracking framework, called Taint-Exchange. Our system, builds on the libdft open-source data flow tracking (DFT) framework [14], which performs taint tracking on unmodified binary processes using Intel's Pin dynamic binary instrumentation framework [15]. We have extended libdft to enable transfer of taint information for data exchanged between hosts through network sockets, and between processes using pipes and unix sockets.…”

“…Taint-Exchange is based on libdft [14], a customizable DFT framework that offers an extensive API for creating tools -Taint-Exchange operates transparently on unmodified x86 Linux binaries, allowing real-world legacy applications to take advantage of our framework transparently -We offer flexible configuration of taint sources, as well as allowing mixing our own fine-grained taint transferring sockets with ordinary sockets. For example, many security-oriented DTA implementations [19] do not support configurable taint sources, and mark all incoming network as tainted -We improved on inter-process taint tracking over previous system-wide tracking systems (e.g.…”

Taint-Exchange: A Generic System for Cross-Process and Cross-Host Taint Tracking

ProPatrol: Attack Investigation via Extracted High-Level Tasks

Application II: Security Validation