https://doi.org/10.1142/S0218194021500303

Software security vulnerabilities and leakages of private information are two of the main issues in modern software systems. Several different approaches, ranging from design techniques to run-time monitoring, have been applied to prevent, detect and isolate such vulnerabilities. Static taint analysis has been particularly successful in detecting injection vulnerabilities at compile time. However, its extension to detect leakages of sensitive data has been only partially investigated. In this paper, we introduce BackFlow, a backward flow reconstructor that, starting from the results of a generic taint analysis engine, reconstructs the flow of tainted data. If successful, BackFlow provides full information about the flow that such data (e.g. private information or user input) traversed inside the program before reaching a sensitive point (e.g. Internet communication or execution of an SQL query). Such information is needed to extend taint analysis to privacy analyses, since in such a scenario it is important to know which exact type of sensitive data flows to what type of communication channels. BackFlow has been implemented in Julia (an industrial static analyzer for Java, Android and .NET programs), and applied to WebGoat and different benchmarks to detect both injections and privacy issues. The experimental results prove that BackFlow is able to reconstruct the flow of tainted data for most of the true positives, it scales up to industrial applications, and it can be effectively applied to privacy analysis, such as the detection of sensitive data leaks or compliance with a data regulation.
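The abstract describes a two-stage pipeline: a generic taint engine that only reports which sinks receive tainted data, followed by a backward reconstruction that recovers the source-to-sink path so the pair (kind of sensitive data, kind of channel) can be checked against a policy. The following Python sketch is an added illustration of that idea and is not BackFlow's or Julia's code; the three-address program, the source/sink kind vocabulary (LOCATION, USER_INPUT, INTERNET, SQL, LOG) and the policy table are all constructed for this example, and the reconstruction assumes loop-free straight-line code.

```python
"""Added example: forward taint verdicts, then backward flow reconstruction
and a (source kind, sink kind) policy check. Not the paper's own code."""

# Constructed straight-line program in three-address form:
# (target, operation, operands). Operands starting with a quote are
# string literals; everything else names a variable defined earlier.
PROGRAM = [
    ("loc",   "source", ["LOCATION"]),                         # loc = getLastKnownLocation()
    ("name",  "source", ["USER_INPUT"]),                       # name = request.getParameter("n")
    ("greet", "concat", ["'Hello '", "name"]),
    ("lat",   "field",  ["loc"]),                              # lat = loc.latitude
    ("msg",   "concat", ["greet", "lat"]),
    ("q",     "concat", ["'SELECT * FROM t WHERE n='", "name"]),
    ("r1",    "sink",   ["INTERNET", "msg"]),                  # httpClient.post(msg)
    ("r2",    "sink",   ["SQL", "q"]),                         # stmt.executeQuery(q)
    ("r3",    "sink",   ["LOG", "greet"]),                     # log.info(greet)
]

# Constructed policy: which (source kind, sink kind) pairs are findings.
POLICY = {
    ("USER_INPUT", "SQL"): "SQL injection",
    ("LOCATION", "INTERNET"): "privacy leak: location sent to the network",
    ("LOCATION", "LOG"): "privacy leak: location written to log",
}


def forward_taint(program):
    """Stand-in for a generic taint engine. Propagates taint forward through
    assignments and returns (tainted variables, sinks reached by taint).
    Like the engine the abstract refers to, it does not say *which* source
    reached a sink, only that some tainted value did."""
    tainted = set()
    flagged = []
    for target, op, operands in program:
        if op == "source":
            tainted.add(target)
        elif op == "sink":
            _kind, arg = operands
            if arg in tainted:
                flagged.append(target)
        elif any(o in tainted for o in operands):
            tainted.add(target)
    return tainted, flagged


def reconstruct_flows(program, sink_var):
    """Backward reconstruction: starting from a flagged sink, walk the
    definition-use chains back to every source that feeds it and return
    one (source_kind, sink_kind, path) triple per distinct flow, with the
    path listed from source to sink. Assumes loop-free three-address code,
    so no visited set is needed; loops would require one."""
    defs = {t: (op, ops) for t, op, ops in program}
    op, (sink_kind, arg) = defs[sink_var]
    assert op == "sink", f"{sink_var} is not a sink"
    flows = []
    stack = [(arg, [sink_var])]
    while stack:
        var, path = stack.pop()
        if var not in defs:            # literal: contributes no taint
            continue
        op, ops = defs[var]
        path = path + [var]
        if op == "source":
            flows.append((ops[0], sink_kind, list(reversed(path))))
        else:
            for operand in ops:
                stack.append((operand, path))
    return flows


def classify(program):
    """Run the engine, reconstruct each flagged sink, and apply the policy.
    Returns (sink, source_kind, sink_kind, verdict, path) per flow."""
    _, flagged = forward_taint(program)
    findings = []
    for sink_var in flagged:
        for src_kind, sink_kind, path in reconstruct_flows(program, sink_var):
            verdict = POLICY.get((src_kind, sink_kind), "tainted flow, no policy rule")
            findings.append((sink_var, src_kind, sink_kind, verdict, path))
    return findings


if __name__ == "__main__":
    for sink, src, dst, verdict, path in classify(PROGRAM):
        print(f"{sink}: {src} -> {dst} via {' -> '.join(path)}: {verdict}")
```

The point the example makes is the one in the abstract: the engine alone flags all three sinks identically, while the reconstructed pairs separate the location-to-network leak and the user-input-to-SQL injection from the harmless user-input-to-log flow, which is the distinction a privacy or compliance check needs.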
