DocumentCode
2549491
Title
DTAD: A Dynamic Taint Analysis Detector for Information Security
Author
Bai, Zhiwen ; Wang, Liming ; Chen, Jinglin ; Xu, Lin ; Liu, Jian ; Liu, Xiyang
Author_Institution
Software Eng. Inst., Xidian Univ., Xi'an
fYear
2008
fDate
20-22 July 2008
Firstpage
591
Lastpage
597
Abstract
Information infection and information leakage in computer systems are mainly caused by insecure network access. Considering the particularity of network security, a tool, DTAD (dynamic taint analysis detector), for information flow security detection is designed and implemented, aiming at the problem of data security in network access. This tool performs log recording and state controlling for malicious access and virus vulnerability using the state-control characteristic of virtual machines. Defense systems capture network data by executing applications to determine whether these accesses (i.e. target jumping, function address and instruction access) are legitimate or not. Once an attack is detected, the tool records states of the virtual machine at the process level as well as the kernel level. For attacks caused by malicious code, the tool injects its own diagnostic code into the process space of running programs to substitute the malicious code; as a result, related information for the attacked process is collected. The tool is able to generate precise signatures for network intrusion detection by associating and comparing network data recorded in log files with process information collected by the virtual machine; the whole process is finished automatically. The tool can also precisely identify attack types and provide effective protection measures through fast signature releasing. Experiments have validated the efficiency of the tool in attack recognition and information protection, and indicated that this detection and protection system is effective in recognizing, tracking and processing taint data.
Keywords
computer viruses; program diagnostics; virtual machines; attack recognition; computer systems; data security; defense systems; diagnostic code; dynamic taint analysis detector; information flow security detection; information infection; information leakage; information protection; information security; log recording; malicious access; network access; network intrusion detection; state control; virtual machines; virus vulnerability; Costs; Data security; Detectors; Information analysis; Information management; Information security; Intrusion detection; Protection; Virtual machining; Viruses (medical);
fLanguage
English
Publisher
ieee
Conference_Titel
Web-Age Information Management, 2008. WAIM '08. The Ninth International Conference on
Conference_Location
Zhangjiajie Hunan
Print_ISBN
978-0-7695-3185-4
Electronic_ISBN
978-0-7695-3185-4
Type
conf
DOI
10.1109/WAIM.2008.60
Filename
4597071