SandTrap: Tracking Information Flows On Demand with Parallel Permissions

The most promising way to improve the performance of dynamic information-flow tracking (DIFT) for machine code is to only track instructions when they process tainted data. Unfortunately, prior approaches to on-demand DIFT are a poor match for modern mobile platforms that rely heavily on parallelism to provide good interactivity in the face of computationally intensive tasks like image processing. The main shortcoming of these prior efforts is that they cannot support an arbitrary mix of parallel threads due to the limitations of page protections. In this paper, we identify parallel permissions as a key requirement for multithreaded, on-demand native DIFT, and we describe the design and implementation of a system called SandTrap that embodies this approach. Using our prototype implementation, we demonstrate that SandTrap's native DIFT overhead is proportional to the amount of tainted data that native code processes. For example, in the photo-sharing app Instagram, SandTrap's performance is close to baseline (1x) when the app does not access tainted data. When it does, SandTrap imposes a slowdown comparable to prior DIFT systems (~8x).

[1]  Alan L. Cox,et al.  Shared address translation revisited , 2016, EuroSys.

[2]  Ratul Mahajan,et al.  AppInsight: Mobile App Performance Monitoring in the Wild , 2022 .

[3]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[4]  Landon P. Cox,et al.  Better Performance Through Thread-local Emulation , 2016, HotMobile.

[5]  Andrew W. Appel,et al.  Virtual memory primitives for user programs , 1991, ASPLOS IV.

[6]  Krste Asanovic,et al.  Mondrian memory protection , 2002, ASPLOS X.

[7]  Christopher Krügel,et al.  PiOS: Detecting Privacy Leaks in iOS Applications , 2011, NDSS.

[8]  Peter G. Neumann,et al.  The CHERI capability model: Revisiting RISC in an age of risk , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[9]  James Newsome,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software , 2005, NDSS.

[10]  Mark Handley,et al.  Wedge: Splitting Applications into Reduced-Privilege Compartments , 2008, NSDI.

[11]  Jacques Klein,et al.  FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps , 2014, PLDI.

[12]  Satish Narayanasamy,et al.  Optimistic Hybrid Analysis: Accelerating Dynamic Analysis through Predicated Static Analysis , 2018, ASPLOS.

[13]  Xiapu Luo,et al.  On Tracking Information Flows through JNI in Android Applications , 2014, 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[14]  Alessandro Orso,et al.  Dytan: a generic dynamic taint analysis framework , 2007, ISSTA '07.

[15]  Andrew Warfield,et al.  Practical taint-based protection using demand emulation , 2006, EuroSys.

[16]  Haichen Shen,et al.  Enhancing mobile apps to use sensor hubs without programmer effort , 2015, UbiComp.

[17]  Christoforos E. Kozyrakis,et al.  Usenix Association 10th Usenix Symposium on Operating Systems Design and Implementation (osdi '12) 335 Dune: Safe User-level Access to Privileged Cpu Features , 2022 .

[18]  Todd M. Austin,et al.  A case for unlimited watchpoints , 2012, ASPLOS XVII.

[19]  Eddie Kohler,et al.  Information flow control for standard OS abstractions , 2007, SOSP.

[20]  Heng Yin,et al.  DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis , 2012, USENIX Security Symposium.

[21]  John C. S. Lui,et al.  TaintART: A Practical Multi-level Information-Flow Tracking System for Android RunTime , 2016, CCS.

[22]  Cheng Wang,et al.  LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks , 2006, 2006 39th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO'06).

[23]  Jason Flinn,et al.  JetStream: Cluster-Scale Parallelization of Information Flow Queries , 2016, OSDI.

[24]  Peter Druschel,et al.  Light-Weight Contexts: An OS Abstraction for Safety and Performance , 2016, OSDI.

[25]  Landon P. Cox,et al.  YouProve: authenticity and fidelity in mobile sensing , 2011, SenSys.

[26]  Yue Chen,et al.  ARMlock: Hardware-based Fault Isolation for ARM , 2014, CCS.

[27]  Patrick Th. Eugster,et al.  Enforcing Least Privilege Memory Views for Multithreaded Applications , 2016, CCS.

[28]  Herbert Bos,et al.  Minemu: The World's Fastest Taint Tracker , 2011, RAID.

[29]  Thomas Ristenpart,et al.  Security Analysis of Smartphone Point-of-Sale Systems , 2012, WOOT.

[30]  Gail E. Kaiser,et al.  Pebbles: Fine-Grained Data Management Abstractions for Modern Operating Systems , 2014, OSDI.

[31]  Yang Tang,et al.  CleanOS: Limiting Mobile Data Exposure with Idle Eviction , 2012, OSDI.

[32]  Long Lu,et al.  Shreds: Fine-Grained Execution Units with Private Memory , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[33]  Bi Wu,et al.  SpanDex: Secure Password Tracking for Android , 2014, USENIX Security Symposium.

[34]  Stephen McCamant,et al.  DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation , 2011, NDSS.

[35]  Mikel Luján,et al.  MAMBO: A Low-Overhead Dynamic Binary Modification Tool for ARM , 2016, ACM Trans. Archit. Code Optim..

[36]  Steve Vandebogart,et al.  Labels and event processes in the Asbestos operating system , 2005, TOCS.

[37]  Eddie Kohler,et al.  Making information flow explicit in HiStar , 2006, OSDI '06.