基於污染語意萃取與重播的低耦合度資訊流追蹤機制

Abstract

動態資訊流追蹤是一種眾所周知用於安全分析的技術。過去許多研究大多基於字節層級並使用內嵌的污染傳播方式來達到細粒度的污染分析，因此資訊流追蹤的邏輯與應用程式本身高度耦合，而且實作上通常與程式語言或處理器架構高度相依。此外，這種作法對於效能的影響可能致使其不適合用於生產環境中。在本研究中，我們提出了一個低耦合度的資訊流追蹤機制，將資訊流追蹤的邏輯自程式執行中抽離。我們所設計的工具在編譯時期自目標程式的 LLVM 中繼碼中萃取出污染傳播語意，將 LLVM 中繼碼轉譯為專為資訊流追蹤所設計的中繼碼，並且注入追蹤記錄的程式碼。在程式執行的過程中，注入的程式碼會將程式執行的追蹤紀錄與必要的變數資訊寫入至紀錄檔或傳送至資訊流追蹤引擎。追蹤引擎基於收到的紀錄重建出程式執行時期的控制流程，並透過模擬呼叫堆疊及污染傳播的方式來重播污染傳播語意。如此低耦合度的架構能有效降低資訊流追蹤對於程式執行所產生的效能影響，並且能提供離線資料流分析更多彈性與應用情境。

Dynamic information flow tracking is a well-known technique for security analysis. Most of previous researches perform inline taint propagation at byte-level to achieve fine-grained taint analysis, hence the information flow tracking logic is tightly-coupled with program itself, and the implementations are typically language-dependent or architecture-dependent. Furthermore, it could make the performance overhead not applicable for production systems. In this research, we propose a mechanism for decoupling the information flow tracking from program execution. Our tool extracts the taint semantics from the LLVM IR of target program during compile-time, translates them into an intermediate representation designed for information flow tracking, and instruments logging code into the program. During program execution, the instrumented program emits execution trace and runtime information to the information flow tracking engine for taint analysis. The engine reconstructs the control flow and replays the taint semantics by simulating the call stack and taint propagation. The loosely-coupled architecture effectively reduces the performance overhead to make information flow tracking to be more practical for production, and also provides more flexibility and application scenarios for offline data flow analysis.