SWIFT: Decoupled system-wide information flow tracking and its optimizations

Information flow analysis is a widely-adopted technique in software testing and malware analysis. For information flow analysis, a system-level emulator equipped with dynamic information flow tracking capability, DIFT, is needed. However, its effectiveness comes at a price of severe performance degradation due to interleaved system emulation and DIFT analysis. In this paper, a decoupled system-wide information flow tracking scheme, SWIFT, is proposed. Through decoupling system-wide information flow tracking from emulation, SWIFT regains the memory locality and code optimization. The proposed methods are able to aggressively eliminate dependency between the systemlevel emulator and the analysis thread. Our performance evaluation indicates that, under the same hardware specifications, SWIFT runs 2.74∼7.48 times faster than the conventional interleaved design while being benchmarked by PassMark Performance Test 6.0. The performance improvement consequently makes the online analysis feasible in practice.