TY - GEN
T1 - MITOS
T2 - 40th IEEE International Conference on Distributed Computing Systems, ICDCS 2020
AU - Sapountzis, Nikolaos
AU - Sun, Ruimin
AU - Wei, Xuetao
AU - Jin, Yier
AU - Crandall, Jedidiah
AU - Oliveira, Daniela
N1 - Publisher Copyright:
©2020 IEEE
PY - 2020/11
Y1 - 2020/11
N2 - —Dynamic Information Flow Tracking (DIFT), also called Dynamic Taint Analysis (DTA), is a technique for tracking the information as it flows through a program’s execution. Specifically, some inputs or data get tainted and then these taint marks (tags) propagate usually at the instruction-level. While DIFT has been a fundamental concept in computer and network security for the past decade, it still faces open challenges that impede its widespread application in practice; one of them being the indirect flow propagation dilemma: should the tags involved in an indirect flow, e.g., in a control or address dependency, be propagated? Propagating all these tags, as is done for direct flows, leads to overtainting (all taintable objects become tainted), while not propagating them leads to undertainting (information flow becomes incomplete). In this paper, we analytically model that decisioning problem for indirect flows, by considering various tradeoffs including undertainting versus overtainting, importance of heterogeneous code semantics and context. Towards tackling this problem, we design MITOS, a distributed-optimization algorithm, that: decides about the propagation of indirect flows by properly weighting all these tradeoffs, is of low-complexity, is scalable, is able to flexibly adapt to different application scenarios and security needs of large distributed systems. Additionally, MITOS is applicable to most DIFT systems that consider an arbitrary number of tag types, and introduces the key properties of fairness and tag-balancing to the DIFT field. To demonstrate MITOS’s applicability in practice, we implement and evaluate MITOS on top of an open-source DIFT, and we shed light on the open problem. We also perform a case-study scenario with a real in-memory only attack and show that MITOS improves simultaneously (i) system’s spatiotemporal overhead (up to 40%), and (ii) system’s fingerprint on suspected bytes (up to 167%) compared to traditional DIFT, even though these metrics usually conflict.
AB - —Dynamic Information Flow Tracking (DIFT), also called Dynamic Taint Analysis (DTA), is a technique for tracking the information as it flows through a program’s execution. Specifically, some inputs or data get tainted and then these taint marks (tags) propagate usually at the instruction-level. While DIFT has been a fundamental concept in computer and network security for the past decade, it still faces open challenges that impede its widespread application in practice; one of them being the indirect flow propagation dilemma: should the tags involved in an indirect flow, e.g., in a control or address dependency, be propagated? Propagating all these tags, as is done for direct flows, leads to overtainting (all taintable objects become tainted), while not propagating them leads to undertainting (information flow becomes incomplete). In this paper, we analytically model that decisioning problem for indirect flows, by considering various tradeoffs including undertainting versus overtainting, importance of heterogeneous code semantics and context. Towards tackling this problem, we design MITOS, a distributed-optimization algorithm, that: decides about the propagation of indirect flows by properly weighting all these tradeoffs, is of low-complexity, is scalable, is able to flexibly adapt to different application scenarios and security needs of large distributed systems. Additionally, MITOS is applicable to most DIFT systems that consider an arbitrary number of tag types, and introduces the key properties of fairness and tag-balancing to the DIFT field. To demonstrate MITOS’s applicability in practice, we implement and evaluate MITOS on top of an open-source DIFT, and we shed light on the open problem. We also perform a case-study scenario with a real in-memory only attack and show that MITOS improves simultaneously (i) system’s spatiotemporal overhead (up to 40%), and (ii) system’s fingerprint on suspected bytes (up to 167%) compared to traditional DIFT, even though these metrics usually conflict.
UR - http://www.scopus.com/inward/record.url?scp=85101968212&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85101968212&partnerID=8YFLogxK
U2 - 10.1109/ICDCS47774.2020.00093
DO - 10.1109/ICDCS47774.2020.00093
M3 - Conference contribution
AN - SCOPUS:85101968212
T3 - Proceedings - International Conference on Distributed Computing Systems
SP - 1090
EP - 1100
BT - Proceedings - 2020 IEEE 40th International Conference on Distributed Computing Systems, ICDCS 2020
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 29 November 2020 through 1 December 2020
ER -