Abstract
Dynamic taint analysis is a powerful technique to detect memory corruption attacks. However, with typical overheads of an order of magnitude, current implementations are not suitable for most production systems. The research question we address in this paper is whether the slow-down is a fundamental speed barrier, or an artifact of bolting information flow tracking onto emulators that were never designed for it. To find out, we designed a new type of emulator from scratch with the goal of removing superfluous instructions to propagate taint. The results are very promising. The emulator, known as Minemu, incurs a slowdown of 1.5x-3x for real and complex applications and 2.4x for SPEC INT2006, while tracking taint at byte level granularity. Minemu’s performance is significantly better than that of existing systems, even though we have not yet applied some of their optimizations. We believe that the new design may be suitable for certain classes of applications in production systems.
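To make the byte-granular taint propagation and the control-flow policy the abstract refers to concrete, here is an added example (not Minemu's code) of a minimal shadow-memory taint tracker in C: every guest byte has a shadow bit, loads and stores carry those bits along with the data, and an indirect control transfer through a register holding any tainted byte is flagged. The toy guest machine, its memory layout (8-byte buffer followed by a saved return address) and the input bytes are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MEM_SIZE 64
/* Guest memory and its byte-granular shadow: mem_taint[a] = 1 means byte a is tainted. */
static uint8_t mem[MEM_SIZE], mem_taint[MEM_SIZE];
static uint32_t reg[4];
static uint8_t reg_taint[4];   /* bit i set = byte i of the 32-bit register is tainted */

/* Untrusted input (e.g. a network read) lands in memory: taint every byte written. */
static void copy_untrusted_input(uint32_t addr, const uint8_t *data, size_t n) {
    memcpy(mem + addr, data, n);
    memset(mem_taint + addr, 1, n);
}

/* 32-bit load: value and taint travel together, one shadow bit per byte. */
static void load32(int r, uint32_t addr) {
    reg[r] = 0; reg_taint[r] = 0;
    for (int i = 0; i < 4; i++) {
        reg[r]       |= (uint32_t)mem[addr + i] << (8 * i);
        reg_taint[r] |= (uint8_t)((mem_taint[addr + i] & 1) << i);
    }
}

/* 32-bit store: the register's per-byte taint is written back to shadow memory. */
static void store32(int r, uint32_t addr) {
    for (int i = 0; i < 4; i++) {
        mem[addr + i]       = (uint8_t)(reg[r] >> (8 * i));
        mem_taint[addr + i] = (reg_taint[r] >> i) & 1;
    }
}

/* Policy: an indirect control transfer whose target has any tainted byte is an attack. */
static bool control_transfer_is_safe(int r) { return reg_taint[r] == 0; }

/* Constructed scenario: 8-byte buffer at address 0, saved return address at 8..11.
 * n (<= 16) input bytes are copied into the buffer, as an unchecked copy would do;
 * returns the taint mask of the register the "ret" would jump through (0 = clean). */
static uint8_t return_address_taint_after_copy(size_t n) {
    uint8_t input[16]; memset(input, 0x41, sizeof input);     /* constructed input bytes */
    memset(mem, 0, sizeof mem); memset(mem_taint, 0, sizeof mem_taint);
    reg[0] = 0x00401000u; reg_taint[0] = 0; store32(0, 8);     /* legitimate return address */
    copy_untrusted_input(0, input, n > sizeof input ? sizeof input : n);
    load32(1, 8);                                              /* "ret" reads saved address */
    return reg_taint[1];
}
```

With 8 input bytes the return address stays clean; with 9 only its lowest byte is tainted (mask 0x01), which the per-byte shadow reports and the policy still rejects, showing why byte granularity matters for partial overwrites.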
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Bosman, E., Slowinska, A., Bos, H. (2011). Minemu: The World’s Fastest Taint Tracker. In: Sommer, R., Balzarotti, D., Maier, G. (eds) Recent Advances in Intrusion Detection. RAID 2011. Lecture Notes in Computer Science, vol 6961. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23644-0_1
DOI: https://doi.org/10.1007/978-3-642-23644-0_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-23643-3
Online ISBN: 978-3-642-23644-0