Let’s face it: Faceted values for taint tracking
Paper in proceedings, 2016

Taint tracking has been successfully deployed in a range of security applications to track data dependencies in hardware and machine-, binary-, and high-level code. Precision of taint tracking is key for its success in practice: being a vulnerability analysis, false positives must be low for the analysis to be practical. This paper presents an approach to taint tracking that does not involve tracking taints throughout computation. Instead, we include shadow memories in the execution context, so that a single run of a program has the effect of computing on both tainted and untainted data. This mechanism is inspired by the technique of secure multi-execution, but in contrast to the latter it does not require running the entire program multiple times. We present a general framework and establish its soundness with respect to explicit secrecy, a policy for preventing insecure data leaks, and its precision, showing that runs of secure programs are never modified. We show that the technique can be used for attack detection with no false positives. To evaluate the mechanism in practice, we implement DroidFace, a source-to-source transform for an intermediate Java-like language, and benchmark its precision and performance with respect to representative static and dynamic taint trackers for Android. The results indicate that the performance penalty is tolerable while achieving both soundness and no false positives on the tested benchmarks.

Authors

Daniel Schoepe

Chalmers, Computer Science and Engineering, Software Technology

Musard Balliu

Chalmers, Computer Science and Engineering, Software Technology

Frank Piessens

KU Leuven

Andrei Sabelfeld

Chalmers, Computer Science and Engineering, Software Technology

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

03029743 (ISSN) 16113349 (eISSN)

Vol. 9878 LNCS, 2016 561-580
978-3-319-45743-7 (ISBN)

Areas of Advance

Information and Communication Technology

Subject Categories

Computer and Information Science

Foundations

Basic sciences

DOI

10.1007/978-3-319-45744-4_28

ISBN

978-3-319-45743-7

More information

Last updated

2018-05-29