Dynamic Information Flow Tracking Research Articles

Hardware information flow tracking based on lightweight path awareness

Vulnerabilities and Trojans in hardware design may cause sensitive data to be leaked and tampered. Information flow tracking technology can effectively verify the confidentiality and integrity of hardware design. Currently, this technology mainly analyzes the reachability of information flow and lacks fine-grained analysis of information flow paths. It is difficult to find structural defects in information flow paths and malicious sensitive information processes in hardware design. To solve above problem, we propose Path-aware Dynamic Information Flow Tracking (PDIFT) technology, which performs taint tracking and path tracking while sensitive information is propagated. It analyzes the propagation of sensitive information in hardware design with fine-grained taint label propagation logic and inserts path label propagation logic only on basic blocks divided by branch nodes, which greatly simplifies the path tracing overhead compared to the full node sequence tracing on the path. Experiments have shown that compared to CellIFT, PDIFT has a 12.1% increase in static analysis time and a 0.1% increase in dynamic validation time. The average instrumentation area cost of each basic block has increased by 16.4 um2. In terms of detection capability, PDIFT makes up for the limitation of false negatives in traditional taint tracking technology through joint analysis of path labels and taint labels, then detect problems such as insufficient iterations of encryption components and malicious processing of important assets, thereby improving the accuracy of hardware security verification.

Cloud Security Using Fine-Grained Efficient Information Flow Tracking

This study provides a comprehensive review and comparative analysis of existing Information Flow Tracking (IFT) tools which underscores the imperative for mitigating data leakage in complex cloud systems. Traditional methods impose significant overhead on Cloud Service Providers (CSPs) and management activities, prompting the exploration of alternatives such as IFT. By augmenting consumer data subsets with security tags and deploying a network of monitors, IFT facilitates the detection and prevention of data leaks among cloud tenants. The research here has focused on preventing misuse, such as the exfiltration and/or extrusion of sensitive data in the cloud as well as the role of anonymization. The CloudMonitor framework was envisioned and developed to study and design mechanisms for transparent and efficient IFT (eIFT). The framework enables the experimentation, analysis, and validation of innovative methods for providing greater control to cloud service consumers (CSCs) over their data. Moreover, eIFT enables enhanced visibility to assess data conveyances by third-party services toward avoiding security risks (e.g., data exfiltration). Our implementation and validation of the framework uses both a centralized and dynamic IFT approach to achieve these goals. We measured the balance between dynamism and granularity of the data being tracked versus efficiency. To establish a security and performance baseline for better defense in depth, this work focuses primarily on unique Dynamic IFT tracking capabilities using e.g., Infrastructure as a Service (IaaS). Consumers and service providers can negotiate specific security enforcement standards using our framework. Thus, this study orchestrates and assesses, using a series of real-world experiments, how distinct monitoring capabilities combine to provide a comparatively higher level of security. Input/output performance was evaluated for execution time and resource utilization using several experiments. The results show that the performance is unaffected by the magnitude of the input/output data that is tracked. In other words, as the volume of data increases, we notice that the execution time grows linearly. However, this increase occurs at a rate that is notably slower than what would be anticipated in a strictly proportional relationship. The system achieves an average CPU and memory consumption overhead profile of 8% and 37% while completing less than one second for all of the validation test runs. The results establish a performance efficiency baseline for a better measure and understanding of the cost of preserving confidentiality, integrity, and availability (CIA) for cloud Consumers and Providers (C&P). Consumers can scrutinize the benefits (i.e., security) and tradeoffs (memory usage, bandwidth, CPU usage, and throughput) and the cost of ensuring CIA can be established, monitored, and controlled. This work provides the primary use-cases, formula for enforcing the rules of data isolation, data tracking policy framework, and the basis for managing confidential data flow and data leak prevention using the CloudMonitor framework.

Pervasive Micro Information Flow Tracking

Detection of advanced security attacks that exploit zero-day vulnerabilities or application-specific logic loopholes has been challenging due to the lack of attack signatures or substantial deviations in the overall system behavior. One has to zoom in to the affected code regions and look for local anomalies distinguishable from the benign workload to detect such attacks. We propose <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">pervasive micro information flow tracking</i> (P <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">E</small> RMIT) that realizes variable-level online dynamic information flow tracking (DIFT) as a means to detect the attacks. The system uses hardware virtualization extension to monitor access to taint source variables and performs asynchronous code emulation to infer the local information flow. We demonstrate that the pervasive micro information flow can sufficiently capture the attacks and incurs only a small overhead. Given the program source code, the system can further enrich the semantics of micro information flow by embedding the variable names. We have integrated the system with machine learning algorithms to demonstrate the effectiveness of anomaly detection for zero-day attacks with pervasive micro information flow.

Stochastic Dynamic Information Flow Tracking game using supervised learning for detecting advanced persistent threats

Advanced persistent threats (APTs) are organized prolonged cyberattacks by sophisticated attackers with the intent of stealing critical information. Although APT activities are stealthy and evade detection by traditional detection tools, they interact with the system components to make progress in the attack. These interactions lead to information flows that are recorded in the form of a system log. Dynamic Information Flow Tracking (DIFT) has been shown to be an effective way to detect APTs using information flows. A DIFT-based detection mechanism dynamically performs security analysis on the information flows to detect possible attacks. However, wide range security analysis using DIFT results in a significant increase in performance overhead and high rates of false-positives and false-negatives. In this paper, we model the strategic interaction between APT and DIFT as a non-cooperative stochastic game. The game unfolds on a state space constructed from an information flow graph (IFG) that is extracted from the system log. The objective of the APT in the game is to choose transitions in the IFG to find an optimal path in the IFG from an entry point of the attack to an attack target. On the other hand, the objective of DIFT is to dynamically select nodes in the IFG to perform security analysis for detecting APT. Our game model has imperfect information as the players are unaware of the actions of the opponent. We consider two scenarios of the game (i) the false-positive and false-negative rates of DIFT (i.e., transition probabilities of the game) are known and (ii) the false-positive and false-negative rates are unknown. For case (i), we propose a value iteration-based algorithm and prove that the solution converges to the optimal solution (Nash equilibrium). Case (ii) translates to an incomplete information game with unknown transition probabilities. For case (ii), we propose a supervised learning-based algorithm, referred to as Hierarchical Supervised Learning (HSL) algorithm. HSL integrates a neural network, to predict the value vector of the game, with a policy iteration algorithm to compute an approximate equilibrium. We implemented our algorithms for cases (i) and (ii) on real attack datasets for nation state and ransomware attacks and validated the performance of our approach. We compared the performance of the HSL algorithm when the transition probabilities are unknown with instances with known transition probabilities and demonstrated that HSL algorithm converges to a solution close to optimal (i.e., optimal value vector) while the value vector obtained using greedy does not converge to optimal for 44.4% of the states and the mean absolute error is almost 200 times that of the HSL.

FineDIFT: Fine-Grained Dynamic Information Flow Tracking for Data-Flow Integrity Using Coprocessor

Dynamic Information Flow Tracking (DIFT) is a technique that facilitates run-time data-flow analysis on a running process, allowing a system to overcome the limitations of finding data dependencies statically at compilation time. DIFT serves as the backbone for applications including data-flow integrity (DFI). However, previous uses of DIFT towards DFI often have large overhead in terms of hardware, software or both, and often cannot provide fine-granularity tracking for software object, such as variables. To address these limitations, we present FineDIFT as a DFI framework which utilizes DIFT to generate a live data-flow graph of a running process and perform hardware-based assisted analysis at fine-granularity, thus being able to enforce the application’s Data-Flow Graph (DFG). We provide a sample implementation on a RISC-V core with a performance overhead of 5.03% for BEEBS benchmarks and hardware overhead of 6% LUTs and 8% Flip-Flops in the FPGA implementation, if excluding the Content-Addressable Memory (CAM) like structure used for metadata storage. With CAM-like structure being synthesized using FPGA logic, the total hardware overhead is <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$\approx 2 \times $ </tex-math></inline-formula> LUTs and 33% Flip-Flops compared to the original RISC-V core. We also use the real-world application and customized vulnerable application to demonstrate the effectiveness of the proposed framework in protecting computing systems.

Hardware and software co-verification from security perspective in SoC platforms

Attacks which combine software and hardware vulnerabilities are emerging security problems. Although runtime verification or remote attestation can determine the correctness of program states on a processor core, existing methods rarely consider the software states on the whole System on Chip (SoC). Also, there are SoC level solutions focusing on addressing the threat in the RISC-V architecture, which provides an open Instruction Set Architecture (ISA) of the processor. In this paper, we propose a comprehensive software and hardware co-verification method to protect the entire RISC-V based SoC platform at runtime. The proposed method adopts the Dynamic Information Flow Tracking (DIFT) framework to implement a new Verifier and Prover security architecture for supporting runtime software and hardware co-verification. This framework also considers the security states of third-party IPs (3PIPs). The framework is implemented as a coprocessor, new bus and DIFT supported IP wrapper which does not change the architecture of the main processor core. The new security architecture can be integrated with other RISC-V processors. We implement a FPGA prototype on the Rocket-Chip, an RISC-V open-source processor core. The hardware overhead is 10% LUTs and 9.4% Flip-Flops and a performance overhead is 3%.

Challenges and Opportunities for Practical and Effective Dynamic Information Flow Tracking

Information flow tracking was proposed more than 40 years ago to address the limitations of access control mechanisms to guarantee the confidentiality and integrity of information flowing within a system, but has not yet been widely applied in practice for security solutions. Here, we survey and systematize literature on dynamic information flow tracking (DIFT) to discover challenges and opportunities to make it practical and effective for security solutions. We focus on common knowledge in the literature and lingering research gaps from two dimensions— (i) the layer of abstraction where DIFT is implemented (software, software/hardware, or hardware) and (ii) the security goal (confidentiality and/or integrity). We observe that two major limitations hinder the practical application of DIFT for on-the-fly security applications: (i) high implementation overhead and (ii) incomplete information flow tracking (low accuracy). We posit, after review of the literature, that addressing these major impedances via hardware parallelism can potentially unleash DIFT’s great potential for systems security, as it can allow security policies to be implemented in a built-in and standardized fashion. Furthermore, we provide recommendations for the next generation of practical and efficient DIFT systems with an eye towards hardware-supported implementations.

Dynamic Information Flow Tracking: Taxonomy, Challenges, and Opportunities.

Dynamic information flow tracking (DIFT) has been proven an effective technique to track data usage; prevent control data attacks and non-control data attacks at runtime; and analyze program performance. Therefore, a series of DIFT techniques have been developed recently. In this paper, we summarize the current DIFT solutions and analyze the features and limitations of these solutions. Based on the analysis, we classify the existing solutions into three categories, i.e., software, hardware, software and hardware co-design. We discuss the DIFT design from the perspective of whole system and point out the limitations of current DIFT frameworks. Potential enhancements to these solutions are also presented. Furthermore, we present suggestions about the possible future direction of DIFT solutions so that DIFT can help improve security levels.

A Game-Theoretic Approach for Dynamic Information Flow Tracking to Detect Multistage Advanced Persistent Threats

Advanced persistent threats (APTs) infiltrate cyber systems and compromise specifically targeted data and/or resources through a sequence of stealthy attacks consisting of multiple stages. Dynamic information flow tracking has been proposed to detect APTs. In this article, we develop a dynamic information flow tracking game for resource-efficient detection of APTs via multistage dynamic games. The game evolves on an information flow graph, whose nodes are processes and objects (e.g., file, network endpoints) in the system and the edges capture the interaction between different processes and objects. Each stage of the game has prespecified targets that are characterized by a set of nodes of the graph. The goal of the APT is to evade detection and reach a target node of each stage. The goal of the defender is to maximize the detection probability while minimizing performance overhead on the system. The resource costs of the players are different and the information structure is asymmetric, resulting in a nonzero-sum imperfect information game . We first calculate the best responses of the players and then compute Nash equilibrium for single-stage attacks. We then provide a polynomial-time algorithm to compute a correlated equilibrium for the multistage attack case. Finally, we simulate our model and algorithm on real-world nation state attack data obtained from the Refinable Attack INvestigation (RAIN) system.

TaintHLS: High-Level Synthesis for Dynamic Information Flow Tracking

Dynamic information flow tracking (DIFT) is a technique to track potential security vulnerabilities in software and hardware systems at run time. Untrusted data are marked with tags (tainted), which are propagated through the system and their potential for unsafe use is analyzed to prevent them. DIFT is not supported in heterogeneous systems especially hardware accelerators. Currently, DIFT is manually generated and integrated into the accelerators. This process is error-prone, potentially hurting the process of identifying security violations in heterogeneous systems. We present TaintHLS, to automatically generate a micro-architecture to support baseline operations and a shadow microarchitecture for intrinsic DIFT support in hardware accelerators while providing variable granularity of taint tags. TaintHLS offers a companion high-level synthesis (HLS) methodology to automatically generate such DIFT-enabled accelerators from a high-level specification. We extended a state-of-the-art HLS tool to generate DIFT-enhanced accelerators and demonstrated the approach on numerous benchmarks. The DIFT-enabled accelerators have negligible performance and no more than 30% hardware overhead.

Security validation of VP-based SoCs using dynamic information flow tracking

Abstract Modern System-on-Chips (SoCs) are notoriously insecure. Hence, the fundamental security feature of IP isolation is heavily used, e. g., secured Memory Mapped IOs (MMIOs), or secured address ranges in case of memories, are marked as non-accessible. One way to provide strong assurance of security is to define isolation as information flow policy in hardware using the notion of non-interference. Since, an insecure hardware opens up the door for attacks across the entire system stack (from software down to hardware), the security validation process should start as early as possible in the SoC design cycle, i. e. at Electronic System Level (ESL). Hence, in this paper we propose the first dynamic information flow analysis at ESL. Our approach allows to validate the run-time behavior of a given SoC implemented using Virtual Prototypes (VPs) against security threat models, such as information leakage (confidentiality) and unauthorized access to data in a memory (integrity). Experiments show the applicability and efficacy of the proposed method on various VPs including a real-world system.

PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators

Software-based attacks exploit bugs or vulnerabilities to get unauthorized access or leak confidential information. Dynamic information flow tracking (DIFT) is a security technique to track spurious information flows and provide strong security guarantees against such attacks. To secure heterogeneous systems, the spurious information flows must be tracked through all their components, including processors, accelerators (i.e., application-specific hardware components) and memories. We present PAGURUS, a flexible methodology to design a low-overhead shell circuit that adds DIFT support to accelerators. The shell uses a coarse-grain DIFT approach, thus not requiring to make modifications to the accelerator's implementation. We analyze the performance and area overhead of the DIFT shell on FPGAs and we propose a metric, called information leakage, to measure its security guarantees. We perform a design-space exploration to show that we can synthesize accelerators with different characteristics in terms of performance, cost and security guarantees. We also present a case study where we use the DIFT shell to secure an accelerator running on a embedded platform with a DIFT-enhanced RISC-V core.

Covert Channels on GPGPUs

GPUs are increasingly used to accelerate the performance of not only graphics workloads, but also data intensive applications. In this paper, we explore the feasibility of covert channels in General Purpose Graphics Processing Units (GPGPUs). We consider the possibility of two colluding malicious applications using the GPGPU as a covert channel to communicate, in the absence of a direct channel between them. Such a situation may arise in cloud environments, or in environments employing containment mechanisms such as dynamic information flow tracking. We reverse engineer the block placement algorithm to understand co-residency of blocks from different applications on the same Streaming Multiprocessor (SM) core, or on different SMs concurrently. In either mode, we identify the shared resources that may be used to create contention. We demonstrate the bandwidth of two example channels: one that uses the L1 constant memory cache to enable communication on the same SM, and another that uses the L2 constant memory caches to enable communication between different SMs. We also examine the possibility of increasing the bandwidth of the channel by using the available parallelism on the GPU, achieving a bandwidth of over 400 Kbps. This study demonstrates that GPGPUs are a feasible medium for covert communication.

Efficient Security Monitoring with the Core Debug Interface in an Embedded Processor

For decades, various concepts in security monitoring have been proposed. In principle, they all in common in regard to the monitoring of the execution behavior of a program (e.g., control-flow or dataflow) running on the machine to find symptoms of attacks. Among the proposed monitoring schemes, software-based ones are known for their adaptability on the commercial products, but there have been concerns that they may suffer from nonnegligible runtime overhead. On the other hand, hardware-based solutions are recognized for their high performance. However, most of them have an inherent problem in that they usually mandate drastic changes to the internal processor architecture. More recent ones have strived to minimize such modifications by employing external hardware security monitors in the system. However, these approaches intrinsically suffer from the overhead caused by communication between the host and the external monitor. Our solution also relies on external hardware for security monitoring, but unlike the others, ours tackles the communication overhead by using the core debug interface (CDI), which is readily available in most commercial processors for debugging. We build our system simply by plugging our monitoring hardware into the processor via CDI, precluding the need for altering the processor internals. To validate the effectiveness of our approach, we implement two well-known monitoring techniques on our proposed framework: dynamic information flow tracking and branch regulation. The experimental results on our FPGA prototype show that our external hardware monitors efficiently perform monitoring tasks with negligible performance overhead, mainly with thanks to the support of CDI, which helps us reduce communication costs substantially.

SWIFT: Decoupled System-Wide Information Flow Tracking and its Optimizations

Information flow analysis is a widely-adopted technique in software testing and malware analysis. For information flow analysis, a system-level emulator equipped with dynamic information flow tracking capability, DIFT, is needed. However, its effectiveness comes at a price of severe performance degradation due to interleaved system emulation and DIFT analysis. In this paper, a decoupled system-wide information flow tracking scheme, SWIFT, is proposed. Through decoupling system-wide information flow tracking from emulation, SWIFT regains the memory locality and code optimization. The proposed methods are able to aggressively eliminate dependency between the system-level emulator and the analysis thread. Our performance evaluation indicates that, under the same hardware specifications, SWIFT runs 2.74~7.48 times faster than the conventional interleaved design while being benchmarked by PassMark Performance Test 6.0. The performance improvement consequently makes the online analysis feasible in practice.

An Enhanced Dynamic Information Flow Tracking Method with Reverse Stack Execution

Memory errors have long been a critical security issue primarily for C/C++ programming languages and are still considered one of the top three most dangerous software errors according to the MITRE ranking. In this paper the authors focus on their exploitation via control-flow hijacking and data-only attacks (stack, and partially heap (G. Novarck &amp; E. Berger, 2010)) by proposing a synergistic security methodology, which can accurately detect and thwart them. Their methodology is based on the Dynamic Information Flow Tracking (DIFT) technique and improves its data-only attack detection by utilizing features from the Reverse Stack Execution (RSE) security technique. Thus, the authors can significantly lower the resource consumption of the latter methodology, while increasing the former's accuracy. Their proof-of-concept compiler implementation verifies their assumptions and is able to protect vulnerable C programs against various real-world attack scenarios.

A detection model for SQL injection attack

Among all attacks on the web application system, SQL injection is one of the most serious security issues. Combining the dynamic and static information flow tracking technology, dynamic taint-based tracking technology and white list and black list, this paper designs and implements a prevention model of SQL injection attacks, which can effectively prevent three major types of SQL injection attacks and block the frequent SQL injection as well as support single/batch website scanning and generate scanning reports in HTML format. Multi-thread mechanism is adopted to improve program performance as well as acquiring much information about vulnerability. Testing proved that it can effectively prevent three types of SQL injection attacks, and effectively block frequent SQL injection attacks, helping users confirm the information about SQL injection vulnerability in single/batch websites through the returned information.

SIFT: Low-Complexity Energy-Efficient Information Flow Tracking on SMT Processors

Dynamic information flow tracking (DIFT) is a powerful technique that can protect unmodified binaries from a broad range of vulnerabilities including buffer overflow and format string attacks. Software DIFT implementations suffer from very high performance overheads, while comprehensive hardware implementations add substantial complexity to the microarchitecture, making it unlikely for chip manufacturers to adopt them. In this paper, we propose SIFT (SMT-based DIFT), where a separate thread performing taint propagation and policy checking is executed in a spare context of an SMT processor. The instructions for the checking thread are generated in hardware using self-contained off-the-critical path logic at the commit stage of the pipeline. We investigate several performance optimizations to the base design including: 1) Prefetching of the taint data from shadow memory when the corresponding data is accessed by the primary thread; 2) Optimizing the generation of the taint code to remove unneeded security instructions; and 3) The use of aggregated instructions for collapsing the frequently used groups of security instructions into a single new instruction. Together, these optimizations reduce the performance penalty of SIFT to under 20 percent on SPEC CPU 2006 benchmarks-much lower than the overhead of previously proposed software-based DIFT schemes. We also analyze the energy overhead of SIFT and show it to be very high - 113 percent for SPEC 2006 benchmarks. We then propose several techniques that reduce this overhead to only 23 percent, making SIFT design practical from the energy standpoint. To demonstrate the feasibility of SIFT, we design and synthesize a core with SIFT logic and show that the area overhead of SIFT is only 4.5 percent and that instruction generation can be performed in one additional cycle at commit time.

Practical automatic loop specialization

Program specialization optimizes a program with respect to program invariants, including known, fixed inputs. These invariants can be used to enable optimizations that are otherwise unsound. In many applications, a program input induces predictable patterns of values across loop iterations, yet existing specializers cannot fully capitalize on this opportunity. To address this limitation, we present Invariant-induced Pattern based Loop Specialization (IPLS), the first fully-automatic specialization technique designed for everyday use on real applications. Using dynamic information-flow tracking, IPLS profiles the values of instructions that depend solely on invariants and recognizes repeating patterns across multiple iterations of hot loops. IPLS then specializes these loops, using those patterns to predict values across a large window of loop iterations. This enables aggressive optimization of the loop; conceptually, this optimization reconstructs recurring patterns induced by the input as concrete loops in the specialized binary. IPLS specializes real-world programs that prior techniques fail to specialize without requiring hints from the user. Experiments demonstrate a geomean speedup of 14.1% with a maximum speedup of 138% over the original codes when evaluated on three script interpreters and eleven scripts each.

Practical automatic loop specialization

Program specialization optimizes a program with respect to program invariants, including known, fixed inputs. These invariants can be used to enable optimizations that are otherwise unsound. In many applications, a program input induces predictable patterns of values across loop iterations, yet existing specializers cannot fully capitalize on this opportunity. To address this limitation, we present Invariant-induced Pattern based Loop Specialization (IPLS), the first fully-automatic specialization technique designed for everyday use on real applications. Using dynamic information-flow tracking, IPLS profiles the values of instructions that depend solely on invariants and recognizes repeating patterns across multiple iterations of hot loops. IPLS then specializes these loops, using those patterns to predict values across a large window of loop iterations. This enables aggressive optimization of the loop; conceptually, this optimization reconstructs recurring patterns induced by the input as concrete loops in the specialized binary. IPLS specializes real-world programs that prior techniques fail to specialize without requiring hints from the user. Experiments demonstrate a geomean speedup of 14.1% with a maximum speedup of 138% over the original codes when evaluated on three script interpreters and eleven scripts each.