adava edited this page Feb 22, 2019 · 18 revisions

DECAF is a whole-system analysis tool. The term whole-system analysis captures several key features, such as providing an up-to-date, complete view of the system and of the information flow throughout it. Assume one is interested in analyzing a mobile application. A whole-system analysis lets the analyst see the state of the mobile operating system, say Android, including the active processes and modules. Furthermore, it lets the analyst observe how a user input propagates through the system, moving from one process or function to another.

Information flow analysis is a powerful method in many areas of computer science, including system security, where it has been used to detect vulnerabilities and malicious activity by malware. The main idea behind information flow analysis is to track the user inputs, or taints, and watch where they sink. For instance, on a phone, a user password can be a taint value. Information flow analysis, or more specifically taint analysis, can help determine whether the user password is transferred to an attacker over the Internet.

Taint analysis can be done in different ways. In general, a taint analysis is either static or dynamic. Static analysis is done only on the code, without analyzing the execution state; dynamic analysis examines the program at execution time. Both approaches have advantages and disadvantages. For instance, static taint analysis is faster, since the program does not need to be executed, whereas dynamic analysis includes program execution. In contrast, dynamic taint analysis doesn't need source code and has higher accuracy, mainly because in static analysis the user input is not known beforehand. Using taint analysis for system security is highly desirable. Most of the time, information flows throughout the whole system, and in system security we are concerned not only with the security of an application but with the whole system. For instance, an application may be benign when considered in isolation, yet when it runs on the operating system it may act maliciously or be leveraged to exploit a system vulnerability. Hence, taint analysis at the system level can offer a greater level of security.

One of the key features of DECAF is dynamic taint analysis at the system level. DECAF can track information flow throughout the whole operating system, which makes it possible to follow the propagation of information through system calls. To perform taint analysis, DECAF emulates the execution of an application on an emulated operating system. In this emulation mode, it tracks the propagation of information throughout the system and allows precise taint analysis. Emulation is done via QEMU, a well-known emulator; DECAF, in fact, modifies the QEMU code to add taint analysis capability.
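The source-propagation-sink model described above, as an added illustration that is not DECAF's own code: a toy byte-granularity shadow-memory tracker in C. The memory layout, the propagation rules and the sample password are assumptions made for this example, whereas DECAF performs the tracking inside the modified QEMU emulator.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy "guest memory" (64 bytes) with one shadow byte per memory byte:
 * shadow[i] == 1 means mem[i] is derived from a taint source. */
static uint8_t mem[64];
static uint8_t shadow[64];

/* Taint source: mark a region as user input (here, the typed password). */
void taint_source(size_t addr, size_t len) { memset(shadow + addr, 1, len); }

/* Copy (memcpy/mov): the destination inherits the source's taint byte by byte. */
void t_copy(size_t dst, size_t src, size_t len) {
    memmove(mem + dst, mem + src, len);
    memmove(shadow + dst, shadow + src, len);
}

/* Binary operation: a result byte is tainted if either operand byte is. */
void t_xor(size_t dst, size_t a, size_t b, size_t len) {
    for (size_t i = 0; i < len; i++) {
        mem[dst + i] = mem[a + i] ^ mem[b + i];
        shadow[dst + i] = shadow[a + i] | shadow[b + i];
    }
}

/* Constant store: the value no longer depends on input, so its taint is cleared. */
void t_store_const(size_t dst, uint8_t value, size_t len) {
    memset(mem + dst, value, len);
    memset(shadow + dst, 0, len);
}

/* Sink check (think: a socket send buffer): how many tainted bytes would leave? */
size_t sink_tainted_bytes(size_t addr, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += shadow[addr + i];
    return n;
}

/* Scenario: password at 0, XOR key at 16, encoded copy at 32, send buffer at 48. */
size_t run_scenario(void) {
    memset(mem, 0, 64); memset(shadow, 0, 64);
    memcpy(mem, "hunter2", 7);      /* constructed sample password */
    taint_source(0, 7);
    t_store_const(16, 0x5a, 7);     /* clean key, not tainted */
    t_xor(32, 0, 16, 7);            /* XOR "encoding" does not launder the taint */
    t_copy(48, 32, 7);              /* stage into the send buffer */
    return sink_tainted_bytes(48, 7);   /* 7: every password byte reaches the sink */
}
```

Overwriting the send buffer with a constant (t_store_const) drops the count back to zero, which is the distinction a taint tracker must make between data derived from the input and data that merely occupies the same location.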

In addition to taint analysis, DECAF provides other functionality. DECAF provides Virtual Machine Introspection (VMI), which supplies up-to-date system information such as the active processes and kernel modules. Furthermore, DECAF provides a binary instrumentation platform with a great level of flexibility; for instance, a user can direct DECAF to run custom code at the beginning of a particular function. In addition, DECAF provides an instruction logging platform that allows fine-grained tracing of the events in the system. In the rest of this document, we first talk about emulation. Afterwards we review the QEMU architecture and design. Next, we explain how DECAF is integrated into QEMU.