TY - GEN
T1 - V-DIFT
T2 - 11th International Conference on Availability, Reliability and Security, ARES 2016
AU - Espinoza, Antonio M.
AU - Knockel, Jeffrey
AU - Crandall, Jedidiah R.
AU - Comesaña-Alfaro, Pedro
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2016/12/14
Y1 - 2016/12/14
N2 - Dynamic Information Flow Tracking (DIFT) is a technique for tracking information as it flows through a program's execution. DIFT systems track information by tainting data and propagating the taint marks throughout execution. These systems are designed to have minimal overhead and thus often miss indirect flows. If indirect flows were propagated naively overtainting would result, whereas propagating them effectively causes overhead. We describe the design and evaluation of a system intended for offline analysis, such as reverse engineering, that can track information through indirect flows. Our system, V-DIFT, uses a vector of floating point values for each taint mark. The use of vectors enables us to track a taint's provenance and handle indirect flows, trading off some performance for these abilities. These indirect flows via control and address dependencies are thought to be critical to tracking information flow of cryptographic programs. Therefore we tested V-DIFT's effectiveness by automatically locating keys in simple programs that use a variety of symmetric cryptographic algorithms found in three common libraries. This application does not require that the program run in real time, just that it be much faster than a manual approach. Our V-DIFT implementation tests average 3.6 seconds, and with the right parameters can identify memory locations that contain keys for 24 out of 27 algorithms tested. Our results show that many cryptographic algorithm implementations' address and/or control dependencies must be tracked for DIFT to be effective.
AB - Dynamic Information Flow Tracking (DIFT) is a technique for tracking information as it flows through a program's execution. DIFT systems track information by tainting data and propagating the taint marks throughout execution. These systems are designed to have minimal overhead and thus often miss indirect flows. If indirect flows were propagated naively overtainting would result, whereas propagating them effectively causes overhead. We describe the design and evaluation of a system intended for offline analysis, such as reverse engineering, that can track information through indirect flows. Our system, V-DIFT, uses a vector of floating point values for each taint mark. The use of vectors enables us to track a taint's provenance and handle indirect flows, trading off some performance for these abilities. These indirect flows via control and address dependencies are thought to be critical to tracking information flow of cryptographic programs. Therefore we tested V-DIFT's effectiveness by automatically locating keys in simple programs that use a variety of symmetric cryptographic algorithms found in three common libraries. This application does not require that the program run in real time, just that it be much faster than a manual approach. Our V-DIFT implementation tests average 3.6 seconds, and with the right parameters can identify memory locations that contain keys for 24 out of 27 algorithms tested. Our results show that many cryptographic algorithm implementations' address and/or control dependencies must be tracked for DIFT to be effective.
UR - http://www.scopus.com/inward/record.url?scp=85015318491&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85015318491&partnerID=8YFLogxK
U2 - 10.1109/ARES.2016.97
DO - 10.1109/ARES.2016.97
M3 - Conference contribution
AN - SCOPUS:85015318491
T3 - Proceedings - 2016 11th International Conference on Availability, Reliability and Security, ARES 2016
SP - 266
EP - 271
BT - Proceedings - 2016 11th International Conference on Availability, Reliability and Security, ARES 2016
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 31 August 2016 through 2 September 2016
ER -