ABSTRACT
Dynamic taint analysis can be used as a defense against low-integrity data in applications with untrusted user interfaces. An important example is defense against XSS and injection attacks in programs with web interfaces. Data sanitization is commonly used in this context, and can be treated as a precondition for endorsement in a dynamic integrity taint analysis. However, sanitization is often incomplete in practice. We develop a model of dynamic integrity taint analysis for Java that addresses imperfect sanitization with an in-depth approach. To avoid false positives, results of sanitization are endorsed for access control (aka prospective security), but are tracked and logged for auditing and accountability (aka retrospective security). We show how this heterogeneous prospective/retrospective mechanism can be specified as a uniform policy, separate from code. We then use this policy to establish correctness conditions for a program rewriting algorithm that instruments code for the analysis. The rewriting itself is a model of existing, efficient Java taint analysis tools.
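The prospective/retrospective split described above, as an added Java sketch that is not the paper's own model or rewriting algorithm: every string carries an integrity label, a sanitizer's output is endorsed for the access-control check but stays marked as sanitized-from-untrusted, and the sink blocks raw untrusted data while writing an audit record for endorsed data. All class, label and method names are hypothetical, and the sanitizer is deliberately incomplete to show what the audit log captures.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration (not the paper's code): integrity labels, an endorsing sanitizer,
// and a sink that combines the prospective check with the retrospective audit record.
public class InDepthTaint {
    enum Label { TRUSTED, UNTRUSTED, ENDORSED }
    // value + integrity label + name of the sanitizer that endorsed it (null otherwise)
    record Tainted(String value, Label label, String sanitizer) {}
    static final List<String> auditLog = new ArrayList<>();
    static Tainted fromUser(String s) { return new Tainted(s, Label.UNTRUSTED, null); }
    static Tainted literal(String s) { return new Tainted(s, Label.TRUSTED, null); }

    // Propagation through concatenation: UNTRUSTED dominates ENDORSED, which dominates TRUSTED.
    static Tainted concat(Tainted a, Tainted b) {
        Label l = (a.label() == Label.UNTRUSTED || b.label() == Label.UNTRUSTED) ? Label.UNTRUSTED
                : (a.label() == Label.ENDORSED || b.label() == Label.ENDORSED) ? Label.ENDORSED
                : Label.TRUSTED;
        String san = a.sanitizer() != null ? a.sanitizer() : b.sanitizer();
        return new Tainted(a.value() + b.value(), l, san);
    }

    // Deliberately incomplete sanitizer (escapes only < and >): its result is endorsed for
    // the access-control check, but is not promoted all the way to TRUSTED.
    static Tainted htmlEscape(Tainted in) {
        String out = in.value().replace("<", "&lt;").replace(">", "&gt;");
        Label l = in.label() == Label.TRUSTED ? Label.TRUSTED : Label.ENDORSED;
        return new Tainted(out, l, l == Label.ENDORSED ? "htmlEscape" : null);
    }

    // Sink: prospective security blocks raw untrusted data; retrospective security logs
    // endorsed data so an incomplete sanitizer can be traced after the fact.
    static String render(Tainted t, String sink) {
        if (t.label() == Label.UNTRUSTED)
            throw new SecurityException("untrusted data reached sink " + sink);
        if (t.label() == Label.ENDORSED)
            auditLog.add("sink=" + sink + " sanitizer=" + t.sanitizer() + " value=" + t.value());
        return t.value();
    }

    public static void main(String[] args) {
        Tainted user = fromUser("Bob \"the\" <Builder>");          // constructed request parameter
        Tainted page = concat(literal("<p>Hello "), htmlEscape(user));
        System.out.println(render(page, "response.body"));          // allowed, and audit-logged
        System.out.println(auditLog);                              // the quotes survived the sanitizer
        try { render(concat(literal("<p>"), user), "response.body"); }
        catch (SecurityException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```

The audit entry records which sanitizer endorsed the value and what reached the sink, which is the evidence an investigator needs when a sanitizer later turns out to miss a case (here, unescaped quotes) without the runtime having raised a false positive.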
In-Depth Enforcement of Dynamic Integrity Taint Analysis