Proceedings of ISP RAS

On Some Limitations of Information Flow Tracking in Full-system Emulators

M.A. Klimushenkova (NovSU, Veliky Novgorod, Russia)
M.G. Bakulin (ISP RAS, Moscow, Russia)
V.A. Padaryan (ISP RAS, Moscow, Russia, MSU, Moscow, Russia)
P.M. Dovgalyuk (NovSU, Veliky Novgorod, Russia)
N.I. Fursova (NovSU, Veliky Novgorod, Russia)
I.A. Vasiliev (NovSU, Veliky Novgorod, Russia)


Tracking and verification of data flows includes set of techniques that can be applied to make applications more secure, to perform software analysis for debugging or reverse engineering, and so on. Taint analysis is one of the techniques used to control data flows. This paper presents an approach for system-wide lightweight platform-aware taint analysis. We implemented proof-of-concept tool based on our approach for i386 platform upon the multi-platform simulator QEMU. Our approach uses instrumentation of QEMU intermediate representation of binary code and processes up to 8 taints simultaneously. Most of the taint analysis code is target-independent and may be used with other target platforms. For some platforms (i386 with Windows XP and Windows 7) we present Virtual Machine Introspection plugins for automatic file tainting. We demonstrate how our taint analysis system may be used to detect exploitation of software vulnerabilities.


taint analysis, dynamic analysis, QEMU


Proceedings of the Institute for System Programming, vol. 28, issue 6, 2016, pp. 11-26.

ISSN 2220-6426 (Online), ISSN 2079-8156 (Print).

DOI: 10.15514/ISPRAS-2016-28(6)-1

Full text of the paper in pdf (in Russian) Back to the contents of the volume