Pervasive Micro Information Flow Tracking

IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING (2023)

Abstract
Detection of advanced security attacks that exploit zero-day vulnerabilities or application-specific logic loopholes has been challenging due to the lack of attack signatures or substantial deviations in the overall system behavior. One has to zoom in to the affected code regions and look for local anomalies distinguishable from the benign workload to detect such attacks. We propose pervasive micro information flow tracking (PerMIT) that realizes variable-level online dynamic information flow tracking (DIFT) as a means to detect the attacks. The system uses hardware virtualization extension to monitor access to taint source variables and performs asynchronous code emulation to infer the local information flow. We demonstrate that the pervasive micro information flow can sufficiently capture the attacks and incurs only a small overhead. Given the program source code, the system can further enrich the semantics of micro information flow by embedding the variable names. We have integrated the system with machine learning algorithms to demonstrate the effectiveness of anomaly detection for zero-day attacks with pervasive micro information flow.
Keywords
Anomaly detection, dynamic information flow tracking, online taint analysis, production system, zero-day attacks