A Comparative Analysis Between Information Flow Control Tools for Java-written systems

Information Flow Control (IFC) tools are a common way to analyze source code with the goal of finding confidentiality or integrity violations involving sensitive information. Therefore, to correctly protect such information (e.g., passwords), it is important to choose the most suitable tool for each target software system. In this context, we evaluate precision, recall, and accuracy for three open-source IFC tools for Java-written systems. We also check whether these tools are useful for protecting sensitive information in real systems. First, we execute these tools against test cases of the SecuriBench Micro benchmark built for this purpose. Then, we run the three selected IFC tools (JOANA, PIDGIN, and FlowDroid) to assess whether they are able to detect violations of rules we define for each real system. Our results show that JOANA and PIDGIN outperform FlowDroid regarding precision, recall, and accuracy. Furthermore, the execution of JOANA and PIDGIN allows us to find eight confidentiality and integrity violations in the target systems. We registered these violations as issues on those projects. Our results also demonstrate that JOANA is faster than PIDGIN. Finally, we provide some discussion for developers on which IFC tool fits better when dealing with sensitive information in software systems.
