FlowTwist: efficient context-sensitive inside-out taint analysis for large codebases

Over the past years, widely used platforms such as the Java Class Library have been under constant attack through vulnerabilities that involve a combination of two taint-analysis problems: an integrity problem allowing attackers to trigger sensitive operations within the platform, and a confidentiality problem allowing the attacker to retrieve sensitive information or pointers from the results of those operations. While existing static taint analyses are good at solving either of those problems, we show that they scale prohibitively badly when being applied to situations that require the exploitation of both an integrity and confidentiality problem in combination. The main problem is the huge attack surface of libraries such as the Java Class Library, which exposes thousands of methods potentially controllable by an attacker. In this work we thus present FlowTwist, a novel taint-analysis approach that works inside-out, i.e., tracks data flows from potentially vulnerable calls to the outer level of the API which the attacker might control. This inside-out analysis requires a careful, context-sensitive coordination of both a backward and a forward taint analysis. In this work, we expose a design of the analysis approach based on the IFDS algorithm, and explain several extensions to IFDS that enable not only this coordination but also a helpful reporting of error situations to security analysts. Experiments with the Java Class Library show that, while a simple forward taint-analysis approach does not scale even with much machine power, FlowTwist's algorithm is able to fully analyze the library within 10 minutes.

[1]  Yajin Zhou,et al.  Systematic Detection of Capability Leaks in Stock Android Smartphones , 2012, NDSS.

[2]  Norman Hardy,et al.  The Confused Deputy: (or why capabilities might have been invented) , 1988, OPSR.

[3]  Fausto Spoto,et al.  Information Flow Analysis for Java Bytecode , 2005, VMCAI.

[4]  Jacques Klein,et al.  Effective inter-component communication mapping in Android with Epicc: an essential step towards holistic security analysis , 2013 .

[5]  David Brumley,et al.  An empirical study of cryptographic misuse in android applications , 2013, CCS.

[6]  Gregor Snelting,et al.  Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs , 2009, International Journal of Information Security.

[7]  Ondrej Lhoták,et al.  The Soot framework for Java program analysis: a retrospective , 2011 .

[8]  Wenke Lee,et al.  CHEX: statically vetting Android apps for component hijacking vulnerabilities , 2012, CCS.

[9]  Shay Artzi,et al.  F4F: taint analysis of framework-based web applications , 2011, OOPSLA '11.

[10]  Jürgen Graf,et al.  Using JOANA for Information Flow Control in Java Programs - A Practical Guide , 2013, Software Engineering.

[11]  Thorsten Holz,et al.  Slicing droids: program slicing for smali code , 2013, SAC '13.

[12]  Manu Sridharan,et al.  TAJ: effective taint analysis of web applications , 2009, PLDI '09.

[13]  Eric Bodden,et al.  Inter-procedural data-flow analysis with IFDS/IDE and Soot , 2012, SOAP '12.

[14]  Srdjan Capkun,et al.  Application Collusion Attack on the Permission-Based Security Model and its Implications for Modern Smartphone Systems , 2010 .

[15]  Ondrej Lhoták,et al.  Practical Extensions to the IFDS Algorithm , 2010, CC.

[16]  Patrick Cousot,et al.  Andromeda: Accurate and Scalable Security Analysis of Web Applications , 2013, FASE.

[17]  Jacques Klein,et al.  Effective Inter-Component Communication Mapping in Android: An Essential Step Towards Holistic Security Analysis , 2013, USENIX Security Symposium.

[18]  Gregor Snelting,et al.  A new algorithm for low-deterministic security , 2014, International Journal of Information Security.

[19]  Ahmad-Reza Sadeghi,et al.  Towards Taming Privilege-Escalation Attacks on Android , 2012, NDSS.

[20]  David Grove,et al.  Optimization of Object-Oriented Programs Using Static Class Hierarchy Analysis , 1995, ECOOP.

[21]  Yajin Zhou,et al.  Detecting Passive Content Leaks and Pollution in Android Applications , 2013, NDSS.

[22]  Thomas W. Reps,et al.  Precise interprocedural dataflow analysis via graph reachability , 1995, POPL '95.

[23]  Jacques Klein,et al.  Highly precise taint analysis for Android applications , 2013 .