Sdft: A PDG-based Summarization for Efficient Dynamic Data Flow Tracking
Xiao Kan, Cong Sun, Shen Liu, Yongzhe Huang, Gang Tan, Siqi Ma, and Yumei Zhang

TL;DR
Sdft introduces a novel PDG-based summarization technique that enhances dynamic taint analysis efficiency by combining instruction-level precision with function-level abstraction, significantly reducing performance overhead.
Contribution
The paper presents Sdft, a new method that automatically summarizes library functions using reachability analysis on PDGs to improve taint tracking performance.
Findings
Achieves 1.58x speedup over Libdft64 in taint tracking.
Effectively detects real-world vulnerabilities.
Validates hybrid taint tracking accuracy.
Abstract
Dynamic taint analysis (DTA) has been widely used in various security-relevant scenarios that need to track the runtime information flow of programs. Dynamic binary instrumentation (DBI) is a prevalent technique in achieving effective dynamic taint tracking on commodity hardware and systems. However, the significant performance overhead incurred by dynamic taint analysis restricts its usage in production systems. Previous efforts on mitigating the performance penalty fall into two categories: parallelizing taint tracking from program execution and abstracting the tainting logic to a higher granularity. Both approaches have only met with limited success. In this work, we propose Sdft, an efficient approach that combines the precision of DBI-based instruction-level taint tracking and the efficiency of function-level abstract taint propagation. First, we build the library function…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Web Application Security Vulnerabilities
