ABSTRACT
This paper evaluates pointer tainting, an incarnation of Dynamic Information Flow Tracking (DIFT), which has recently become an important technique in system security. Pointer tainting has been used for two main purposes: detection of privacy-breaching malware (e.g., trojan keyloggers obtaining the characters typed by a user), and detection of memory corruption attacks against non-control data (e.g., a buffer overflow that modifies a user's privilege level). In both of these cases the attacker does not modify control data such as stored branch targets, so the control flow of the target program does not change. Phrased differently, in terms of instructions executed, the program behaves 'normally'. As a result, these attacks are exceedingly difficult to detect. Pointer tainting is considered one of the only methods for detecting them in unmodified binaries. Unfortunately, almost all of the incarnations of pointer tainting are flawed. In particular, we demonstrate that the application of pointer tainting to the detection of keyloggers and other privacy-breaching malware is problematic. We also discuss whether pointer tainting is able to reliably detect memory corruption attacks against non-control data. Pointer tainting itself generates the conditions for false positives. We analyse the problems in detail and investigate various ways to improve the technique. Most have serious drawbacks in that they are either impractical (and still incur many false positives), and/or cripple the technique's ability to detect attacks. In conclusion, we argue that depending on architecture and operating system, pointer tainting may have some value in detecting memory corruption attacks (albeit with false negatives and not on the popular x86 architecture), but it is fundamentally not suitable for automated detection of privacy-breaching malware such as keyloggers.