Chengxu Yang,Yuanchun Li,Mengwei Xu,Zhenpeng Chen,Yunxin Liu,Gang Huang,Xuanzhe Liu

DOI: https://doi.org/10.1145/3468264.3468532

2021-01-01

Abstract:Big data has become valuable property for enterprises and enabled various intelligent applications. Today, it is common to host data in big data platforms (e.g., Spark), where developers can submit scripts to process the original and intermediate data tables. Meanwhile, it is highly desirable to manage the data to comply with various privacy requirements. To enable flexible and automated privacy policy enforcement, we propose TaintStream, a fine-grained taint tracking framework for Spark-like big data platforms. TaintStream works by automatically injecting taint tracking logic into the data processing scripts, and the injected scripts are dynamically translated to maintain a taint tag for each cell during execution. The dynamic translation rules are carefully designed to guarantee non-interference in the original data operation. By defining different semantics of taint tags, TaintStream can enable various data management applications such as access control, data retention, and user data erasure. Our experiments on a self-crafted benchmarksuite show that TaintStream is able to achieve accurate cell-level taint tracking with a precision of 93.0% and less than 15% overhead. We also demonstrate the usefulness of TaintStream through several real-world use cases of privacy policy enforcement.

Goran Piskachev,Johannes Späth,Ingo Budde,Eric Bodden

DOI: https://doi.org/10.48550/arXiv.2204.03089

2022-04-07

Abstract:Previous work has shown that taint analyses are only useful if correctly customized to the context in which they are used. Existing domain-specific languages (DSLs) allow such customization through the definition of deny-listing data-flow rules that describe potentially vulnerable taint-flows. These languages, however, are designed primarily for security experts who are knowledgeable in taint analysis. Software developers consider these languages to be complex. This paper presents fluentTQL, a query language particularly for taint-flow. fluentTQL is internal Java DSL and uses a fluent-interface design. fluentTQL queries can express various taint-style vulnerability types, e.g. injections, cross-site scripting or path traversal. This paper describes fluentTQL's abstract and concrete syntax and defines its runtime semantics. The semantics are independent of any underlying analysis and allows evaluation of fluentTQL queries by a variety of taint analyses. Instantiations of fluentTQL, on top of two taint analysis solvers, Boomerang and FlowDroid, show and validate fluentTQL expressiveness. Based on existing examples from the literature, we implemented queries for 11 popular security vulnerability types in Java. Using our SQL injection specification, the Boomerang-based taint analysis found all 17 known taint-flows in the OWASP WebGoat application, whereas with FlowDroid 13 taint-flows were found. Similarly, in a vulnerable version of the Java PetClinic application, the Boomerang-based taint analysis found all seven expected taint-flows. In seven real-world Android apps with 25 expected taint-flows, 18 were detected. In a user study with 26 software developers, fluentTQL reached a high usability score. In comparison to CodeQL, the state-of-the-art DSL by Semmle/GitHub, participants found fluentTQL more usable and with it they were able to specify taint analysis queries in shorter time.

Programming Languages

Jianyu Jiang,Shixiong Zhao,Danish Alsayed,Yuexuan Wang,Heming Cui,Feng Liang,Zhaoquan Gu

DOI: https://doi.org/10.1145/3134600.3134607

2017-01-01

Abstract:Big-data frameworks (e.g., Spark) enable computations on tremendous data records generated by third parties, causing various security and reliability problems such as information leakage and programming bugs. Existing systems for big-data security (e.g., Titian) track data transformations in a record level, so they are imprecise and too coarse-grained for these problems. For instance, when we ran Titian to drill down input records that produced a buggy output record, Titian reported 3 to 9 orders of magnitude more input records than the actual ones. Information Flow Tracking (IFT) is a conventional approach for precise information control. However, extant IFT systems are neither efficient nor complete for big-data frameworks, because theses frameworks are data-intensive, and data flowing across hosts is often ignored by IFT. This paper presents KAKUTE, the first precise, fine-grained in- formation flow analysis system for big-data. Our insight on mak- ing IFT efficient is that most fields in a data record often have the same IFT tags, and we present two new efficient techniques called Reference Propagation and Tag Sharing. In addition, we design an efficient, complete cross-host information flow propagation approach. Evaluation on seven diverse big-data programs (e.g., WordCount) shows that KAKUTE had merely 32.3% overhead on average even when fine-grained information control was en abled. Compared with Titian, KAKUTE precisely drilled down the actual bug inducing input records, a huge reduction of 3 to 9 or ders of magnitude. KAKUTE's performance overhead is comparable with Titian. Furthermore, KAKUTE effectively detected 13 real world security and reliability bugs in 4 diverse problems, including information leakage, data provenance, programming and performance bugs. KAKUTE'S source code and results are available on https://github.com/hku-systems/kakute.

Erzhou Zhu,Feng Liu,Zuo Wang,Alei Liang,Yiwen Zhang,Xuejian Li,Xuejun Li

DOI: https://doi.org/10.1016/j.cose.2015.03.008

IF: 5.105

2015-01-01

Computers & Security

Abstract:By analyzing information flow at runtime, dynamic taint analysis can precisely detect a wide range of vulnerabilities of software. However, it suffers from substantial runtime overhead and is incapable of discovering potential threats. Yet, realistically, the interested analyst doesn't have access to the source code of the malware. Therefore, the task of software flaw tracking becomes rather complicated. In order to cope with these issues, this paper proposes Dytaint, a novel lightweight 3-state dynamic taint analysis framework, for diagnosing more software vulnerabilities with lower runtime overhead. The framework works for the x86 binary executables and requires no special hardware assistance. Besides the tainted and the untainted states that are discussed by many popularly used taint analysis tools, the third state, controlled-taint state, is proposed to detect more types of software vulnerabilities. The new Chaining Hash Table which reduces the space for storing taint information without increasing the accessing time is also incorporated in the framework. Furthermore, two mechanisms, namely, the irrelevant API filtering based on the function recognition method and basic block handling, are introduced to optimize the runtime performance of our framework. The testing results by running SPEC CINT2006 benchmarks and various popular software have demonstrated that Dytaint is efficient which incurs only 3.1 times overhead to the native on average and practical which is able to discover not only all the real threats but also most of the potential ones.

Yaju Li,Chenyi Zhang,Qin Li

DOI: https://doi.org/10.18293/seke2022-161

2022-01-01

Abstract:Taint analysis is concerned about whether a value in a program can be influenced, or tainted, by user input.Existing works on taint analysis focus on tracking the propagation of taint flows between variables in a program, and a security risk is reported whenever a taint source (user input) flows to a taint sink (resource that requires protection).However, a reported bug may have its taint source and taint sink located in different software components, which complicates the bug tracking and bug confirmation for developers.In this paper, we propose Taint Trace Analysis (TTA), which extends P/Taint, a context-sensitive Java taint analysis project, by making the taint information flow explicit.Thanks to the underlying Datalog semantics, we describe a way to extract traces of taint flows across program contexts and field accesses in the Doop framework.Different from existing works that produce only source-sink pairs, the output of TTA can be visualized as a set of traces which illustrate the inter-procedural taint propagation from taint sources to their corresponding sinks.As a consequence, TTA provides more useful information for developers and users after a vulnerability is reported.Our implementation is also efficient, and as shown in our experiment, it adds only a small run-time overhead on top of P/Taint for a range of analyses with different types of context-sensitivities applied.

Binbin Li,Rui Ma,Xuefei Wang,Xiajing Wang,Jinyuan He

DOI: https://doi.org/10.1145/3380625.3380642

2020-01-01

Abstract:Since static taint analysis is performed prior to execution by considering all possible execution paths, it can discover potential security issues before the program running. Currently, many taint analysis tools pay more attention to data dependence in the program. Whereas implicit flow analysis based on control dependence is generally not considered owning to its complexity. Therefore, this paper presents a static taint analysis method named DepTaint, which expands the static checkers of LLVM, focuses on program dependence including data and control dependence in the program. DepTaint analyzes the taint variables propagated along explicit flows and implicit flows, especially commendably handles the under-taint in explicit flow analysis. Our evaluations demonstrate that, for 8 programs containing data and control dependence and 8 programs injected different common vulnerabilities (i.e., array bounds, double free, format string vulnerability, heap overflow, integer overflow, stack overflow, and UAF), DepTaint significantly outperforms LLVM's static checker both at marking taint variables and achieving more finegrained taint propagation paths. Specially, for the programs containing branch selection and loop structure, DepTaint on average marks 2X and 3.6X taint variables than LLVM's static checker.

Nicholas Allen,François Gauthier,Alexander Jordan

DOI: https://doi.org/10.48550/arXiv.2103.16240

2021-03-30

Abstract:Over the years, static taint analysis emerged as the analysis of choice to detect some of the most common web application vulnerabilities, such as SQL injection (SQLi) and cross-site scripting (XSS)~\cite{OWASP}. Furthermore, from an implementation perspective, the IFDS dataflow framework stood out as one of the most successful vehicles to implement static taint analysis for real-world Java applications. While existing approaches scale reasonably to medium-size applications (e.g. up to one hour analysis time for less than 100K lines of code), our experience suggests that no existing solution can scale to very large industrial code bases (e.g. more than 1M lines of code). In this paper, we present our novel IFDS-based solution to perform fast and precise static taint analysis of very large industrial Java web applications. Similar to state-of-the-art approaches to taint analysis, our IFDS-based taint analysis uses \textit{access paths} to abstract objects and fields in a program. However, contrary to existing approaches, our analysis is demand-driven, which restricts the amount of code to be analyzed, and does not rely on a computationally expensive alias analysis, thereby significantly improving scalability.

Programming Languages,Software Engineering

Jingling Zhao,Junxin Qi,Liang Zhou,Baojiang Cui

DOI: https://doi.org/10.1109/IMIS.2016.46

2016-01-01

Abstract:With the continuous development of J2EE technology, frequent attacks using security vulnerabilities in web applications have caused enormous economic loss to the users. Dynamic taint tracking is an important part to analyze the program dynamically. In this paper, we put forward a new dynamic solution in the Java virtual machine, warning external attacks and recording specific taint propagation path. This scheme combines static analysis techniques to collect reachable "source-derivation-sink" taint flow and reduce the runtime overhead. With the help of AOP (aspect-oriented programming) technology, we could only insert monitor codes to interested taint paths to improve the efficiency of instrumentation. Finally, we implemented this dynamic taint tracking approach to explore SQL injection and XSS vulnerabilities in web applications based on the Java Servlet Specification and proved practicality.

Jinkun Pan,Xiaoguang Mao,Weishi Li

DOI: https://doi.org/10.1109/icsess.2015.7339024

2015-01-01

Abstract:Taint analysis determines whether values from untrusted or private sources may flow into security-sensitive or public sinks, and can discover many common security vulnerabilities in both Web and mobile applications. Static taint analysis detects suspicious data flows without running the application and achieves a good coverage. However, most existing static taint analysis tools only focus on discovering taint paths from sources to sinks and do not concern about the requirements of analysts for sanitization check and exploration. The sanitization can make a taint path no more dangerous but should be checked or explored by analysts manually in many cases and the process is very costly. During our preliminary study, we found that many statements along taint paths are not relevant to the sanitization and there are a lot of redundancies among taint paths with the same source or sink. Based on these two observations, we have designed and implemented the taint path slicing and aggregation algorithms, aiming at mitigating the workload of the analysts and helping them get a better comprehension of the taint behaviors of target applications. Experimental evaluations on real-world applications show that our proposed algorithms can reduce the taint paths effectively and efficiently.

Erzhou Zhu,Xuejun Li,Feng Liu,Xuejian Li,Zhujuan Ma

DOI: https://doi.org/10.4304/jcp.9.3.566-575

2014-01-01

Journal of Computers

Abstract:For the purpose of discovering security flaws in software, many dynamic and static taint analyzing techniques have been proposed. By analyzing information flow at runtime, dynamic taint analysis can precisely find security flaws of software. However, on one hand, it suffers from substantial runtime overhead and is incapable of discovering the potential threats. On the other hand, static taint analysis analyzes program’s code without actually executing it which incurs no runtime overhead, and can cover all the code, but it is often not accurate enough. In addition, since the source code of most software is hard to acquire and intruders simply do not attach target program’s source code in practice, software flaw tracking becomes rather complicated. In order to cope with these issues, this paper proposes HYBit, a novel hybrid framework which integrates dynamic and static taint analysis to diagnose the flaws or vulnerabilities for binary programs. In the framework, the source binary is first analyzed by the dynamic taint analyzer. Then, with the runtime information provided by its dynamic counterpart, the static taint analyzer can process the unexecuted part of the target program easily. Furthermore, a taint behavior filtration mechanism is proposed to optimize the performance of the framework. We evaluate our framework from three perspectives: efficiency, coverage, and effectiveness. The results are encouraging.

Chenghua Tang,Xiaolong Guan,Mengmeng Yang,Baohua Qiang

DOI: https://doi.org/10.1109/icsess58500.2023.10293040

2023-01-01

Abstract:In order to solve the problem of under-tainting caused by insufficient coverage in dynamic taint analysis and the inability to perform fine-grained level analysis, a dynamic taint analysis method combining symbolic execution and constraint association is proposed. First, through code coverage to guide symbolic execution path exploration and test case generation, code coverage of dynamic taint analysis is improved. Next, perform constraint association based on the corresponding taint constraint transfer rules. Finally, the generation of taint summaries in dynamic taint analysis is completed based on constraint associations, reducing the time consumption in the analysis process. This paper designs and implements a dynamic taint analysis tool TaintSE based on the above methods. The experimental results show that TaintSE effectively improves the code coverage of dynamic taint analysis, and reduces the time required for analysis while ensuring the accuracy of analysis results. In the BugBench test set, TaintSE's analysis path coverage increased by 24% −35% compared to the dynamic taint analysis tool Libdft. In addition, based on the results of taint analysis, the accuracy and recall of taint markers calculated are better than those of Libdft, while reducing the analysis time consumption by about 20%.

Ruoyu Zhang,Shan Huang,Zhengwei Qi

DOI: https://doi.org/10.1109/CMC.2011.76

2011-01-01

Abstract:Software security has drawn much attention recently. As an effective approach to detect software vulnerabilities and improve software security, dynamic taint analysis has been frequently researched in the last few years. In this paper, we implement a dynamic taint tracking system LTTS. In order to address the efficiency problem which exists in many of the current taint tracking systems, we also propose a taint behavior summary mechanism to optimize the system. According to our experiments, LTTS has achieved relative high efficiency compared to the existing techniques.

Rulin Xu,Xiaoguang Mao,Luohui Chen

DOI: https://doi.org/10.1109/apsec60848.2023.00035

2023-01-01

Abstract:Taint analysis of value flows, as a static analysis technique, has gained widespread application in the fields of software security and vulnerability mining. However, when dealing with complex programs, it still faces challenges in terms of precision and performance. This research proposes P-DATA, a parallel framework implementing dependency-aware taint analysis. P-DATA employs modeling to capture data and control dependencies, reducing false positives over tools like Clang Static Analyzer and SVF. To accelerate the analysis, P-DATA leverages a task-level parallel framework introducing Preemption of Computational Resources (PCR) and Asynchronous Taint Source Registration, lead to impressive scalability and efficiency. Evaluations demonstrate P-DATA's ability to significantly expedite taint analysis for large programs using multi-core resources, achieving over 25X speedup on 32 cores. P-DATA makes notable contributions by boosting precision, efficiency and scalability of security-critical program analysis through advanced dependency modeling and paral-lelization techniques. It provides an extensible high-performance framework benefiting static analysis advancement.

Jie Wang,Yunguang Wu,Gang Zhou,Yiming Yu,Zhenyu Guo,Yingfei Xiong

DOI: https://doi.org/10.1145/3368089.3417059

2020-11-07

Abstract:In Alibaba, we have seen a growing demand for tracing data flow for scenarios such as data leak detection, change governance, and data consistency checking. Static taint analysis is a technique for such problems, and many approaches are proposed for high scalability and precision. This paper shares our experience in applying taint analysis in Alibaba. In particular, we find that the state-of-the-art taint analysis tool, FlowDroid, does not work well in our cases because our applications make heavy use of libraries, native methods and enterprise-specific frameworks, which impose two major challenges, scalability and implicit dependency, to FlowDroid. This paper presents ANTaint to address these problems. ANTaint improves scalability by expanding the call graph and applying taint propagation on demand for libraries, which account for majority of the program execution but only a small fraction propagates taints. To improve accuracy, we ensure to build a sound call graph with its core part having certain accuracy, and providing a more precise taint propagation model. The practice of applying ANTaint in the company workload validates the idea. According to an experiment on 60 production cases, ANTaint is correct for 95% of the cases (precision: 95%, recall: 98%) while FlowDroid is 13%. ANTaint takes 65% less time and none of the cases run out of memory with 32 GB limitation.

Xiao Kan,Cong Sun,Shen Liu,Yongzhe Huang,Gang Tan,Siqi Ma,Yumei Zhang

DOI: https://doi.org/10.1109/qrs54544.2021.00080

2021-01-01

Abstract:Dynamic taint analysis (DTA) has been widely used in various security-relevant scenarios that need to track the runtime information flow of programs. Dynamic binary instrumentation (DBI) is a prevalent technique in achieving effective dynamic taint tracking on commodity hardware and systems. However, the significant performance overhead incurred by dynamic taint analysis restricts its usage in production systems. Previous efforts on mitigating the performance penalty fall into two categories, parallelizing taint tracking from program execution and abstracting the tainting logic to a higher granularity. Both approaches have only met with limited success. In this work, we propose Sdft, an efficient approach that combines the precision of DBI-based instruction-level taint tracking and the efficiency of function-level abstract taint propagation. First, we build the library function summaries automatically with reachability analysis on the program dependency graph (PDG) to specify the control- and data dependencies between the input parameters, output parameters, and global variables of the target library. Then we derive the taint rules for the target library functions and develop taint tracking for library function that is tightly integrated into the state-of-the-art DTA framework Libdft. By applying our approach to the core C library functions of glibc, we report an average of 1.58x speed up of the tracking performance compared with Libdft64. We also validate the effectiveness of the hybrid taint tracking and the ability on detecting real-world vulnerabilities.

Chao Wang,Ronny Ko,Yue Zhang,Yuqing Yang,Zhiqiang Lin

DOI: https://doi.org/10.1109/icse48619.2023.00086

2023-01-01

Abstract:Mini-programs, which are programs running inside mobile super apps such as WeChat, often have access to privacy-sensitive information, such as location data and phone numbers, through APIs provided by the super apps. This access poses a risk of privacy sensitive data leaks, either accidentally from carelessly programmed mini-programs or intentionally from malicious ones. To address this concern, it is crucial to track the flow of sensitive data in mini-programs for either human analysis or automated tools. Although existing taint analysis techniques have been widely studied, they face unique challenges in tracking sensitive data flows in mini-programs, such as cross-language, cross-page, and cross-mini-program data flows. This paper presents a novel framework, TAINTMINI, which addresses these challenges by using a novel universal data flow graph approach that captures data flows within and across mini-programs. We have evaluated TAINTMINI with 238,866 mini-programs and detect 27,184 that contain sensitive data flows. We have also applied TAINTMINI to detect privacy leakage colluding mini-programs and identify 455 such programs from them that clearly violate privacy policy.

Wei You,Bin Liang,Wenchang Shi,Peng Wang,Xiangyu Zhang

DOI: https://doi.org/10.1109/tdsc.2017.2740169

2020-01-01

Abstract:Dynamic taint analysis (DTA), as a mainstream information flow tracking technique, has been widely used in mobile security. On the Android platform, the existing DTA approaches are typically implemented by instrumenting the Dalvik virtual machine (DVM) interpreter or the Android emulator with taint enforcement code. The most prominent problem of the interpreter-based approaches is that they cannot work in the new Android RunTime (ART) environment introduced since the 5.0 release. For the emulator-based approaches, the most prominent problem is that they cannot be deployed on real devices. In addition, almost all the existing Android DTA approaches only concern the explicit information flow caused by data dependence, while completely ignore the impact of implicit information flow caused by control dependence. These problems limit their adoption in the latest Android system and make them ineffective in detecting the state-of-the-art malware whose privacy-breaching behaviors are inactivated in the analyzed environment (e.g., the emulator) or conducted via implicit information flow. In this paper, we present TaintMan, an ART-compatible DTA framework that can be deployed on unmodified and non-rooted Android devices. In TaintMan, the taint enforcement code is statically instrumented into both the target application and the system class libraries to track data flow and common control flow. A specially designed execution environment reconstruction technique, named reference hijacking, is proposed to force the target application to reference the instrumented system class libraries. By enforcing on-demand instrumentation and on-demand tracking, the performance overhead is significantly reduced. We have developed TaintMan and deployed it on two popular stock smartphones (HTC One S equipped with Android-4.0 and Motorola MOTO G equipped with Android-5.0). The evaluation with malware samples and real-world applications shows that TaintMan can effectively detect privacy leakage behaviors with an acceptable performance overhead.

Jinfeng Yuan,Weizhong Qiang,Hai Jin,Deqing Zou

DOI: https://doi.org/10.1007/s11227-014-1235-5

IF: 3.3

2014-01-01

The Journal of Supercomputing

Abstract:Full-system, fine-grained taint tracking has been proven to be a novel approach for the detection of malwares, especially for privacy-breaching and kernel buffer overflow malwares. On-demand emulation achieves a taint tracking framework in the cloud through switching a running system between virtual and emulated execution dynamically. However, facing the complexity of the cloud environment, it still suffers a high performance overhead. In this paper, we propose an approach for practical malware detection using elastic taint tracking, which provides the granularity and strategy of taint tracking according to the cloud applications' security requirements, including providing a taint tracking configuration file based on script, automatic deployment and trigger mechanism of the sources for taint tracking based on data flow as well as control flow, and customizable security detection method. We present a prototype implementation named CloudTaint based on Xen virtualization environment. The experimental results indicate that CloudTaint is effective for malware detection in the cloud with acceptable performance overhead using elastic taint tracking.

Boxuan Gu,Xinfeng Li,Gang Li,Adam C. Champion,Zhezhe Chen,Feng Qin,Dong Xuan

DOI: https://doi.org/10.1109/infcom.2013.6566866

2013-01-01

Abstract:With smartphones' meteoric growth in recent years, leaking sensitive information from them has become an increasingly critical issue. Such sensitive information can originate from smartphones themselves (e.g., location information) or from many Internet sources (e.g., bank accounts, emails). While prior work has demonstrated information flow tracking's (IFT's) effectiveness at detecting information leakage from smartphones, it can only handle a limited number of sensitive information sources. This paper presents a novel IFT tagging strategy using differentiated and dynamic tagging. We partition information sources into differentiated classes and store them in fixed-length tags. We adjust tag structure based on time-varying received information sources. Our tagging strategy enables us to track at runtime numerous information sources in multiple classes and rapidly detect information leakage from any of these sources. We design and implement D2Taint, an IFT system using our tagging strategy on real-world smartphones. We experimentally evaluate D2Taint's effectiveness with 84 real-world applications downloaded from Google Play. D2Taint reports that over 80% of them leak data to third-party destinations; 14% leak highly sensitive data. Our experimental evaluation using a standard benchmark tool illustrates D2Taint's effectiveness at handling many information sources on smartphones with moderate runtime and space overhead.

Heping Tang,Shuguang Huang,Yongliang Li,Lei Bao

DOI: https://doi.org/10.1109/ICCET.2010.5485224

2010-01-01

Abstract:Untrusted Data originating from network input and configuration files, causes many software security problems. Keeping track of the propagation of untrusted data in program runtime is the main idea of dynamic taint analysis for vulnerability exploits detection. In this method data from network user input and configuration files were labeled as taint. In virtue of data flow analysis we design taint propagating algorithm, and define several taint detection policies for security-critical function which used taint data in dangerous ways that could cause vulnerability exploit. A vulnerability exploit detection prototype system was implemented. In contrast to other taint analysis systems, our prototype system has higher accuracy and vulnerability exploits coverage and low workloads.