V-DIFT: Vector-Based Dynamic Information Flow Tracking with Application to Locating Cryptographic Keys for Reverse Engineering

Dynamic Information Flow Tracking (DIFT) is a technique for tracking information as it flows through a program's execution. DIFT systems track information by tainting data and propagating the taint marks throughout execution. These systems are designed to have minimal overhead and thus often miss indirect flows. If indirect flows were propagated naively overtainting would result, whereas propagating them effectively causes overhead. We describe the design and evaluation of a system intended for offline analysis, such as reverse engineering, that can track information through indirect flows. Our system, V-DIFT, uses a vector of floating point values for each taint mark. The use of vectors enables us to track a taint's provenance and handle indirect flows, trading off some performance for these abilities. These indirect flows via control and address dependencies are thought to be critical to tracking information flow of cryptographic programs. Therefore we tested V-DIFT's effectiveness by automatically locating keys in simple programs that use a variety of symmetric cryptographic algorithms found in three common libraries. This application does not require that the program run in real time, just that it be much faster than a manual approach. Our V-DIFT implementation tests average 3.6 seconds, and with the right parameters can identify memory locations that contain keys for 24 out of 27 algorithms tested. Our results show that many cryptographic algorithm implementations' address and/or control dependencies must be tracked for DIFT to be effective.