Home

Awesome

libdft: Practical Dynamic Data Flow Tracking

These code is modified from VUzzer64, and it is originally from libdft.

News

Features

Limitation of our taint propagation rules

TODO

Contributing guidance

As TaintInduce mentioned, libdft exists the soundness and completeness probelm.

If you want to contribute to this, modify the instructions in src/libdft_core.cpp, and pull requests on github for us.

Build

PREFIX=/path-to-install ./install_pin.sh
make

Docker

docker build -t libdft ./
docker run --privileged -v /path-to-dir:/data -it --rm libdft /bin/bash

Test

See tools/mini_test.cpp & tools/track.cpp for more defails

cd tools;
make test_mini

Introduction

Dynamic data flow tracking (DFT) deals with the tagging and tracking of "interesting" data as they propagate during program execution. DFT has been repeatedly implemented by a variety of tools for numerous purposes, including protection from buffer overflow and cross-site scripting attacks, analysis of legitimate and malicious software, detection and prevention of information leaks, etc. libdft is a dynamic DFT framework that is at once fast, reusable, and works with commodity software and hardware. It provides an API, which can be used to deliver DFT-enabled tools that can be applied on unmodified binaries running on common operating systems and hardware, thus facilitating research and rapid prototyping.

Installation & Usage

libdft relies on Intel Pin, which is a dynamic binary instrumentation (DBI) framework from Intel. In order to install libdft you first need a working copy on the latest Pin build, as well as the essential build tools for GNU/Linux (i.e., GCC, GNU Make, etc). After downloading and installing Intel Pin please follow the libdft installation instructions.

Tools

libdft is designed to facilitate the creation of "Pin tools" that employ dynamic DFT. As the name implies, libdft is also a shared library, which can be used to transparently perform DFT on binaries. Additionally, it provides an API that enables tool authors to adjust the applied DFT by specifying data sources and sinks, and customize the tag propagation policy. We have included three simple Pin tools inside the tools subdirectory to aid the development of DFT-powered Pintools:

DTA operates by tagging all data coming from the network as "tainted", tracking their propagation, and alerting the user when they are used in a way that could compromise his system. In this case, the network is the source of "interesting" data, while instructions that are used to control a program's flow are the sinks. For the x86 architecture, these are jumps and function calls with non-immediate operands, as well as function returns. Oftentimes, attackers are able to manipulate the operands of such instructions by abusing various types of software memory errors such as buffer overflows, format string vulnerabilities, dangling pointers, etc. They can then seize control of a program by redirecting execution to existing code (e.g., return-to-libc, ROP), or their own injected instructions. libdft-dta checks if tainted data are used in indirect control transfers, and if so, it halts execution with an informative message containing the offending instruction and the contents of the instruction pointer EIP.

Usage

After building both libdft and the accompanying tools (i.e., nullpin, libdft, and track), you can apply them directly in unmodified x86 Linux binaries as follows (assuming that you have added Pin's location to your PATH, and installed libdft in your home directory):

pin -t obj-intel64/track.so -- obj-intel64/mini_test.exe  cur_input

Arguments processed by Pin

Research

Following are some publications that rely on libdft: