TY - GEN
T1 - Libdft
T2 - 8th ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environments, VEE'12
AU - Kemerlis, Vasileios P.
AU - Portokalidis, Georgios
AU - Jee, Kangkook
AU - Keromytis, Angelos D.
PY - 2012
Y1 - 2012
N2 - Dynamic data flow tracking (DFT) deals with tagging and tracking data of interest as they propagate during program execution. DFT has been repeatedly implemented by a variety of tools for numerous purposes, including protection from zero-day and cross-site scripting attacks, detection and prevention of information leaks, and for the analysis of legitimate and malicious software. We present libdft, a dynamic DFT framework that unlike previous work is at once fast, reusable, and works with commodity software and hardware. libdft provides an API for building DFT-enabled tools that work on unmodified binaries, running on common operating systems and hardware, thus facilitating research and rapid prototyping. We explore different approaches for implementing the low-level aspects of instruction-level data tracking, introduce a more efficient and 64-bit capable shadow memory, and identify (and avoid) the common pitfalls responsible for the excessive performance overhead of previous studies. We evaluate libdft using real applications with large codebases like the Apache and MySQL servers, and the Firefox web browser. We also use a series of benchmarks and utilities to compare libdft with similar systems. Our results indicate that it performs at least as fast, if not faster, than previous solutions, and to the best of our knowledge, we are the first to evaluate the performance overhead of a fast dynamic DFT implementation in such depth. Finally, libdft is freely available as open source software.
AB - Dynamic data flow tracking (DFT) deals with tagging and tracking data of interest as they propagate during program execution. DFT has been repeatedly implemented by a variety of tools for numerous purposes, including protection from zero-day and cross-site scripting attacks, detection and prevention of information leaks, and for the analysis of legitimate and malicious software. We present libdft, a dynamic DFT framework that unlike previous work is at once fast, reusable, and works with commodity software and hardware. libdft provides an API for building DFT-enabled tools that work on unmodified binaries, running on common operating systems and hardware, thus facilitating research and rapid prototyping. We explore different approaches for implementing the low-level aspects of instruction-level data tracking, introduce a more efficient and 64-bit capable shadow memory, and identify (and avoid) the common pitfalls responsible for the excessive performance overhead of previous studies. We evaluate libdft using real applications with large codebases like the Apache and MySQL servers, and the Firefox web browser. We also use a series of benchmarks and utilities to compare libdft with similar systems. Our results indicate that it performs at least as fast, if not faster, than previous solutions, and to the best of our knowledge, we are the first to evaluate the performance overhead of a fast dynamic DFT implementation in such depth. Finally, libdft is freely available as open source software.
KW - data flow tracking
KW - dynamic binary instrumentation
KW - exploit prevention
KW - information leak detection
KW - taint analysis
UR - http://www.scopus.com/inward/record.url?scp=84858781777&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84858781777&partnerID=8YFLogxK
U2 - 10.1145/2151024.2151042
DO - 10.1145/2151024.2151042
M3 - Conference contribution
AN - SCOPUS:84858781777
SN - 9781450311755
T3 - VEE'12 - Proceedings of the ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments
SP - 121
EP - 132
BT - VEE'12 - Proceedings of the ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments
Y2 - 3 March 2012 through 4 March 2012
ER -