Dynamic taint analysis (DTA) marks data that enters a program from untrusted sources (network input, files) as tainted, follows that taint through every instruction that copies or computes on the data, and raises an alarm when tainted data reaches a sensitive sink such as a jump target or a return address. It is a widely used technique in information security, but it carries a serious runtime cost, as the authors of Dynamic Taint Analysis for Automatic Detection, Analysis and Signature Generation of Exploits on Commodity Software (the TaintCheck paper) noted:
Using TaintCheck to monitor a process’s execution exacts a 1.5X to 40X performance penalty
A more recent paper asks whether that cost is inherent. Its authors built Minemu, an x86 emulator designed from the ground up for software DTA and aimed at detecting memory-corruption exploits, and report the following:
The research question we address in this paper is whether the slow-down is a fundamental performance barrier, or an artifact of bolting information flow tracking on emulators not designed for it? To answer this question, we designed a new emulator architecture for the x86 architecture from scratch—with the sole purpose of minimizing the instructions needed to propagate taint. The emulator, Minemu, reduces the slowdown of DTA in most real applications to a factor of 1.5 to 3. It is significantly faster than existing solutions, even though we have not applied some of their most significant optimizations yet. We believe that the new design may be suitable for certain classes of applications in production systems.
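To make concrete what an emulator has to do for every instruction once DTA is switched on, here is a toy taint tracker over a tiny x86-like register machine. It is an added illustration written for this post, not code from Minemu or TaintCheck; the machine itself (four registers, 256 bytes of memory, a mov/add/xor/jmp/ret instruction set) and the two scenarios are constructed for it. Each register and each memory byte carries a shadow taint bit; read_input is the taint source; mov and add propagate taint; xor r,r clears it because the result is a constant; jmp and ret are the sinks and raise an alarm when the jump target or return address is derived from input. The overflow scenario is caught by the check at ret, while a benign run that only uses the input as data is not flagged. Every shadow update in step is work the emulator performs on top of the original instruction, which is exactly the overhead the two quoted papers measure.

```python
"""Toy dynamic taint analysis over a tiny x86-like machine (constructed illustration, not Minemu or TaintCheck code)."""
from dataclasses import dataclass, field
from typing import Tuple, Union

Operand = Union[str, int, Tuple[str, str, int]]  # register | immediate | ("mem", base_reg, disp)
WORD = 4  # every value is a 32-bit little-endian word
REGS = ("eax", "ebx", "ecx", "esp")


class TaintAlarm(Exception):
    """Raised when tainted data reaches a control-flow sink."""


@dataclass
class Machine:
    regs: dict = field(default_factory=lambda: {r: 0 for r in REGS})
    reg_taint: dict = field(default_factory=lambda: {r: 0 for r in REGS})
    mem: bytearray = field(default_factory=lambda: bytearray(256))
    mem_taint: bytearray = field(default_factory=lambda: bytearray(256))  # shadow memory, one bit per byte

    def read_input(self, addr: int, data: bytes) -> None:
        """Taint source: model a read() from the network or a file."""
        self.mem[addr:addr + len(data)] = data
        self.mem_taint[addr:addr + len(data)] = b"\x01" * len(data)

    def _addr(self, op: Tuple[str, str, int]) -> int:
        return (self.regs[op[1]] + op[2]) & 0xFF

    def load(self, op: Operand) -> Tuple[int, int]:
        if isinstance(op, int):                  # immediate: a constant is never tainted
            return op & 0xFFFFFFFF, 0
        if isinstance(op, str):                  # register
            return self.regs[op], self.reg_taint[op]
        a = self._addr(op)                       # memory word: tainted if any byte is
        value = int.from_bytes(self.mem[a:a + WORD], "little")
        return value, int(any(self.mem_taint[a:a + WORD]))

    def store(self, op: Operand, value: int, taint: int) -> None:
        value &= 0xFFFFFFFF
        if isinstance(op, str):
            self.regs[op], self.reg_taint[op] = value, taint
        else:
            a = self._addr(op)
            self.mem[a:a + WORD] = value.to_bytes(WORD, "little")
            self.mem_taint[a:a + WORD] = bytes([taint]) * WORD

    def step(self, ins: tuple) -> None:
        op = ins[0]
        if op == "mov":                          # taint follows the copied data
            self.store(ins[1], *self.load(ins[2]))
        elif op == "add":                        # result tainted if either input is
            (v1, t1), (v2, t2) = self.load(ins[1]), self.load(ins[2])
            self.store(ins[1], v1 + v2, t1 | t2)
        elif op == "xor" and ins[1] == ins[2]:   # xor r,r zeroes r: constant result, so untaint
            self.store(ins[1], 0, 0)
        elif op == "jmp":                        # sink: indirect jump through a pointer
            self._check(*self.load(ins[1]), what="jump target")
        elif op == "ret":                        # sink: return address popped from the stack
            self._check(*self.load(("mem", "esp", 0)), what="return address")
            self.regs["esp"] += WORD
        else:
            raise ValueError(f"unsupported instruction {ins}")

    def _check(self, target: int, taint: int, what: str) -> None:
        if taint:
            raise TaintAlarm(f"{what} 0x{target:x} is derived from untrusted input")


def run(m: Machine, program) -> bool:
    """Execute program on m; True if DTA raised an alarm, False otherwise."""
    try:
        for ins in program:
            m.step(ins)
    except TaintAlarm:
        return True
    return False


def _stack_frame() -> Machine:
    """Constructed frame: 32-byte buffer at 0x40, saved return address at 0x60 (esp)."""
    m = Machine()
    m.regs["esp"] = 0x60
    m.store(("mem", "esp", 0), 0x1000, 0)        # legitimate, untainted return address
    return m


def stack_overflow_detected() -> bool:
    """40 bytes of input overrun the buffer and overwrite the return address."""
    m = _stack_frame()
    m.read_input(0x40, b"A" * 36 + (0x41414141).to_bytes(WORD, "little"))
    return run(m, [("ret",)])                    # True: tainted return address


def benign_not_flagged() -> bool:
    """Input fits in the buffer and is only used as data, so ret is clean."""
    m = _stack_frame()
    m.read_input(0x40, b"GET / HTTP/1.0\r\n")
    program = [
        ("mov", "eax", ("mem", "esp", -0x20)),   # eax <- first word of input (tainted)
        ("add", "eax", 1),                       # still tainted
        ("xor", "eax", "eax"),                   # constant result: untainted
        ("ret",),                                # untainted return address
    ]
    return run(m, program)                       # False
```

Calling stack_overflow_detected() returns True and benign_not_flagged() returns False. Note how much bookkeeping sits in step and store: a real x86 emulator has to do the equivalent for every executed instruction, which is why a naive implementation costs the 1.5X to 40X quoted above and why Minemu's design goal is to minimize the instructions needed to propagate taint.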