Static Privacy Analysis by Flow Reconstruction of Tainted Data
Abstract
Software security vulnerabilities and leakages of private information are two of the main issues in modern software systems. Several different approaches, ranging from design techniques to run-time monitoring, have been applied to prevent, detect and isolate such vulnerabilities. Static taint analysis has been particularly successful in detecting injection vulnerabilities at compile time. However, its extension to detect leakages of sensitive data has been only partially investigated. In this paper, we introduce BackFlow, a backward flow reconstructor that, starting from the results of a generic taint analysis engine, reconstructs the flow of tainted data. If successful, BackFlow provides full information about the flow that such data (e.g. private information or user input) traversed inside the program before reaching a sensitive point (e.g. Internet communication or execution of an SQL query). Such information is needed to extend taint analysis to privacy analyses, since in such a scenario it is important to know which exact type of sensitive data flows to what type of communication channels. BackFlow has been implemented in Julia (an industrial static analyzer for Java, Android and .NET programs), and applied to WebGoat and different benchmarks to detect both injections and privacy issues. The experimental results prove that BackFlow is able to reconstruct the flow of tainted data for most of the true positives, it scales up to industrial applications, and it can be effectively applied to privacy analysis, such as the detection of sensitive data leaks or compliance with a data regulation.
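As an added illustration (not the paper's code and not the Julia analyzer's): a toy forward taint pass that, like a generic engine, only reports that some tainted value reaches a sink, followed by a backward reconstruction in the spirit of BackFlow that recovers which kind of sensitive data reached which kind of channel, and along which statements. The statement format, the straight-line program and the source and sink categories are constructed for this example.

```python
# Added example, not the paper's code: a toy version of the BackFlow idea.
from collections import namedtuple
# A statement: position index, assigned variable ("" for sinks), variables read,
# kind of sensitive data if it is a source, kind of channel if it is a sink.
Stmt = namedtuple("Stmt", "idx target uses source sink", defaults=(None, None))

def forward_taint(prog):
    """Generic taint engine: returns sinks reached by taint; source kind is lost."""
    tainted, hits = set(), []
    for s in prog:
        if s.sink is not None:
            if any(u in tainted for u in s.uses):
                hits.append(s)
        elif s.source is not None or any(u in tainted for u in s.uses):
            tainted.add(s.target)
        else:
            tainted.discard(s.target)   # overwritten with untainted data
    return hits

def reconstruct(prog, sink):
    """Walk back from a tainted sink: (source kind, sink kind, statement path)."""
    flows = []
    def walk(var, before, path):
        # reaching definition: latest assignment to var before this point
        d = next((s for s in reversed(prog[:before]) if s.target == var), None)
        if d is None:
            return                       # constant or uninitialised: stop
        if d.source is not None:
            flows.append((d.source, sink.sink, [d.idx] + path))
            return
        for u in d.uses:
            walk(u, d.idx, [d.idx] + path)
    for v in sink.uses:
        walk(v, sink.idx, [sink.idx])
    return flows

# Constructed program (idx equals list position); `loc` is overwritten with
# clean data before the SQL sink, so only the two Internet sinks are reported.
PROGRAM = [
    Stmt(0, "loc", (), source="location"),
    Stmt(1, "name", (), source="contacts"),
    Stmt(2, "msg", ("name",)),
    Stmt(3, "tmp", ("loc",)),
    Stmt(4, "loc", ()),
    Stmt(5, "", ("msg",), sink="internet"),
    Stmt(6, "", ("loc",), sink="sql"),
    Stmt(7, "", ("tmp",), sink="internet"),
]

def analyse(prog=PROGRAM):
    return [f for s in forward_taint(prog) for f in reconstruct(prog, s)]
```

The forward pass alone would only say "two Internet sinks receive tainted data"; the reconstructed triples add that one carries contact data and the other location data, which is the information a privacy rule needs.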