
HardTaint: Production-Run Dynamic Taint Analysis via Selective Hardware Tracing

Yiyu Zhang, Tianyi Liu, Yueyang Wang, Yun Qi, Kai Ji, Jian Tang, Xiaoliang Wang, Xuandong Li, Zhiqiang Zuo

TL;DR

HardTaint enables production-run dynamic taint analysis by decoupling runtime data collection from taint propagation and leveraging selective hardware tracing on commodity hardware. It combines static analysis to prune trace points, selective PT-based data collection, and highly parallel decoding and taint propagation offloaded to an analysis machine via RDMA. The system achieves about 9% runtime overhead on average, with sub-second analysis latency and strong taint-detection accuracy across a wide set of benchmarks and CVEs. This approach makes real-time taint monitoring feasible in production environments, offering precise security telemetry without the prohibitive overhead of prior software-based or naive hardware-tracing methods.

Abstract

Dynamic taint analysis (DTA), as a fundamental analysis technique, is widely used in security, privacy, diagnosis, and related areas. Because DTA must collect and analyze massive amounts of taint data online, it suffers extremely high runtime overhead. Over the past decades, numerous attempts have been made to lower the overhead of DTA. Unfortunately, the reductions they achieved are marginal, leaving DTA applicable only to debugging/testing scenarios. In this paper, we propose and implement HardTaint, a system that realizes production-run dynamic taint tracking. HardTaint adopts a hybrid and systematic design which combines static analysis, selective hardware tracing and parallel graph processing techniques. Comprehensive evaluations demonstrate that HardTaint introduces only around 9% runtime overhead, an order of magnitude lower than the state of the art, without sacrificing any taint detection capability.

Paper Structure (20 sections, 8 figures, 6 tables, 2 algorithms)

This paper contains 20 sections, 8 figures, 6 tables, 2 algorithms.

Figures (8)

  • Figure 1: Workflow of HardTaint.
  • Figure 2: Pipeline of HardTaint.
  • Figure 3: An illustrative toy example.
  • Figure 4: Value flow graph of the binary code from the overview example.
  • Figure 5: Example of four types of once-loop.
  • ...and 3 more figures