On the Limits of Information Flow Techniques for Malware Analysis and Containment

Taint-tracking is emerging as a general technique in software security to complement virtualization and static analysis. It has been applied to the accurate detection of a wide range of attacks on benign software, as well as to malware defense. Although it is quite robust for the former problem, applying taint analysis to untrusted (and potentially malicious) software is riddled with several difficulties that leave gaping holes in defense. These holes arise not only from the limitations of information flow analysis techniques, but also from the nature of today's software architectures and distribution models. This paper highlights these problems using an array of simple but powerful evasion techniques that can easily defeat taint-tracking defenses. Given today's binary-based software distribution and deployment models, our results suggest that information flow techniques will be of limited use against future malware that has been designed with the intent of evading these defenses.
