DOI: 10.1145/2872362.2872403
research-article

PIFT: Predictive Information-Flow Tracking

Published: 25 March 2016

Abstract

Phones today carry sensitive information and have a great number of ways to communicate that data. As a result, malware that steals money or information, or simply disables functionality, has hit the app stores. Current security solutions for preventing undesirable data leaks are mostly high-overhead and have not been practical enough for smartphones. In this paper, we show that by monitoring only some instructions (memory loads and stores), it is possible to achieve low-overhead, highly accurate information flow tracking. Our method achieves 98% accuracy (0% false positives and 2% false negatives) over DroidBench and successfully caught seven real-world malware instances that steal the phone number, location, and device ID using SMS messages and HTTP connections.


Cited By

  • (2020) FloVasion: Towards Detection of non-sensitive Variable Based Evasive Information-Flow in Android Apps. IETE Journal of Research, 68:4 (2580-2594). DOI: 10.1080/03772063.2020.1721338. Online publication date: 2-Mar-2020
  • (2017) TriFlow. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security (640-651). DOI: 10.1145/3052973.3053001. Online publication date: 2-Apr-2017
  • (2017) T2Droid: A TrustZone-Based Dynamic Analyser for Android Applications. 2017 IEEE Trustcom/BigDataSE/ICESS (240-247). DOI: 10.1109/Trustcom/BigDataSE/ICESS.2017.243. Online publication date: Aug-2017


    Published In

    ASPLOS '16: Proceedings of the Twenty-First International Conference on Architectural Support for Programming Languages and Operating Systems
    March 2016
    824 pages
    ISBN:9781450340915
    DOI:10.1145/2872362
    • General Chair: Tom Conte
    • Program Chair: Yuanyuan Zhou

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. information flow tracking
    2. security

    Qualifiers

    • Research-article

    Conference

    ASPLOS '16

    Acceptance Rates

    ASPLOS '16 Paper Acceptance Rate 53 of 232 submissions, 23%;
    Overall Acceptance Rate 535 of 2,713 submissions, 20%


    Article Metrics

    • Downloads (Last 12 months): 10
    • Downloads (Last 6 weeks): 1
    Reflects downloads up to 01 Mar 2025

    Cited By

    • (2019) LATCH. Proceedings of the 52nd Annual IEEE/ACM International Symposium on Microarchitecture (969-982). DOI: 10.1145/3352460.3358327. Online publication date: 12-Oct-2019
    • (2018) Distributed Computing Security Model Based on Type System. Applications and Techniques in Information Security (109-117). DOI: 10.1007/978-981-13-2907-4_9. Online publication date: 7-Oct-2018
    • (2019) A Dynamic Taint Analysis Framework Based on Entity Equipment. IEEE Access, 7 (186308-186318). DOI: 10.1109/ACCESS.2019.2961144. Online publication date: 2019
