DECAF++: Elastic Whole-System Dynamic Taint Analysis


Ali Davanian, Zhenxiao Qi, Yu Qu, and Heng Yin, University of California, Riverside


Whole-system dynamic taint analysis has many unique applications, such as malware analysis and fuzz testing. Compared with process-level taint analysis, it offers a wider analysis scope, better transparency, and tamper resistance. The main barrier to applying whole-system dynamic taint analysis in practice is the large slowdown, which can sometimes be up to 30 times. Existing optimization schemes either have considerable baseline overheads (when there is no tainted data) or rely on specific hardware features. In this paper, we propose an elastic whole-system dynamic taint approach and implement a prototype called DECAF++. Elastic whole-system dynamic taint analysis strives to perform taint analysis as infrequently as possible while maintaining precision and accuracy. Although similar ideas have been explored before for process-level taint analysis, we are the first to successfully achieve true elasticity for whole-system taint analysis via pure software approaches. We evaluated our prototype DECAF++ on nbench, apache bench, and SPEC CPU2006. Under taint analysis load, DECAF++ achieves 202% speedup on nbench and 66% speedup on apache bench. Under no taint analysis load with SPEC CPU2006, DECAF++ imposes only 4% overhead.

@inproceedings {241990,
author = {Ali Davanian and Zhenxiao Qi and Yu Qu and Heng Yin},
title = {{DECAF++}: Elastic {Whole-System} Dynamic Taint Analysis},
booktitle = {22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019)},
year = {2019},
isbn = {978-1-939133-07-6},
address = {Chaoyang District, Beijing},
pages = {31--45},
url = {},
publisher = {USENIX Association},
month = sep
}