A General Approach for Efficiently Accelerating Software-based Dynamic Data Flow Tracking on Commodity Hardware [abstract] (PDF)
Kangkook Jee, Georgios Portokalidis, Vasileios P. Kemerlis, Soumyadeep Ghosh, David I. August, and Angelos D. Keromytis
Proceedings of the 19th Internet Society (ISOC) Symposium on Network
and Distributed Systems Security (NDSS), February 2012.
Despite the demonstrated usefulness of dynamic data flow tracking (DDFT)
techniques in a variety of security applications, the poor performance achieved
by available prototypes prevents their widespread adoption and use in
production systems. We present and evaluate a novel methodology for improving
the performance overhead of DDFT frameworks, by combining static and dynamic
analysis. Our intuition is to separate the program logic from the corresponding
tracking logic, extracting the semantics of the latter and abstracting them
using a Taint Flow Algebra. We then apply optimization techniques to eliminate
redundant tracking logic and minimize interference with the target program. Our
optimizations are directly applicable to binary-only software and do not
require any high level semantics. Furthermore, they do not require additional
resources to improve performance, neither do they restrict or remove
functionality. Most importantly, our approach is orthogonal to optimizations
devised in the past, and can deliver additive performance benefits. We
extensively evaluate the correctness and impact of our optimizations by
augmenting a freely available high-performance DDFT framework, and applying it
to multiple applications, including command line utilities, server
applications, language runtimes, and web browsers. Our results show a speedup
of DDFT by as much as 2.23x, with an average of 1.72x across all tested
applications.