Combining static and dynamic data flow analysis: a hybrid approach for detecting data leaks in java applications

Protecting sensitive data requires controlling the behavior of third part software. Static and dynamic data flow analysis can aid, however both of them have limits. Static analysis often detects false data leaks, whereas the more precise dynamic analysis introduces a significant overhead. This paper proposes a novel hybrid approach that combines static and dynamic data flow analysis for detecting data leaks in Java applications. Our approach minimizes the overhead by computing a minimal set of "application points" that need to be monitored and injects control code on the target application. Our method has no loss in quality with respect to dynamic analysis. We show the feasibility of our approach by providing a tool and presenting a case study on a sample application.

[1]  Mona Attariyan,et al.  Automating Configuration Troubleshooting with Dynamic Information Flow Analysis , 2010, OSDI.

[2]  Guilherme Ottoni,et al.  RIFLE: An Architectural Framework for User-Centric Information-Flow Security , 2004, 37th International Symposium on Microarchitecture (MICRO-37'04).

[3]  Michael Backes,et al.  AppGuard - Fine-Grained Policy Enforcement for Untrusted Android Applications , 2013, DPM/SETOP.

[4]  Marco Pistoia,et al.  Saving the world wide web from vulnerable JavaScript , 2011, ISSTA '11.

[5]  Hao Chen,et al.  AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale , 2012, TRUST.

[6]  Yajin Zhou,et al.  Taming Information-Stealing Smartphone Applications (on Android) , 2011, TRUST.

[7]  Wei Xu,et al.  Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks , 2006, USENIX Security Symposium.

[8]  Christian Napoli,et al.  Using Modularity Metrics to Assist Move Method Refactoring of Large Systems , 2013, 2013 Seventh International Conference on Complex, Intelligent, and Software Intensive Systems.

[9]  Haibing Guan,et al.  Static program analysis assisted dynamic taint tracking for software vulnerability discovery , 2012, Comput. Math. Appl..

[10]  Christopher Krügel,et al.  Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis , 2007, NDSS.

[11]  Patrick Cousot,et al.  Andromeda: Accurate and Scalable Security Analysis of Web Applications , 2013, FASE.

[12]  Jacques Klein,et al.  FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps , 2014, PLDI.

[13]  Lukasz Ziarek,et al.  Flow Permissions for Android , 2013, 2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE).

[14]  Andrew C. Myers,et al.  Protecting privacy using the decentralized label model , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[15]  Guru Venkataramani,et al.  FlexiTaint: A programmable accelerator for dynamic taint propagation , 2008, 2008 IEEE 14th International Symposium on High Performance Computer Architecture.

[16]  Tal Garfinkel,et al.  Understanding data lifetime via whole system simulation , 2004 .

[17]  Herbert Bos,et al.  Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation , 2006, EuroSys.

[18]  James B. Orlin,et al.  Max flows in O(nm) time, or better , 2013, STOC '13.

[19]  Giuseppe Pappalardo,et al.  Superimposing roles for design patterns into application classes by means of aspects , 2012, SAC '12.

[20]  Andrew Warfield,et al.  Practical taint-based protection using demand emulation , 2006, EuroSys.

[21]  Ross J. Anderson,et al.  Aurasium: Practical Policy Enforcement for Android Applications , 2012, USENIX Security Symposium.

[22]  Frederic T. Chong,et al.  Minos: Control Data Attack Prevention Orthogonal to Memory Model , 2004, 37th International Symposium on Microarchitecture (MICRO-37'04).

[23]  Dawn Xiaodong Song,et al.  TaintEraser: protecting sensitive data leaks using application-level taint tracking , 2011, OPSR.

[24]  Giuseppe Pappalardo,et al.  Aspects and Annotations for Controlling the Roles Application Classes Play for Design Patterns , 2011, 2011 18th Asia-Pacific Software Engineering Conference.

[25]  David Zhang,et al.  Secure program execution via dynamic information flow tracking , 2004, ASPLOS XI.

[26]  Herbert Bos,et al.  Minemu: The World's Fastest Taint Tracker , 2011, RAID.

[27]  Stephen McCamant,et al.  DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation , 2011, NDSS.

[28]  Emiliano Tramontana Automatically Characterising Components with Concerns and Reducing Tangling , 2013, 2013 IEEE 37th Annual Computer Software and Applications Conference Workshops.

[29]  Angelos D. Keromytis,et al.  A General Approach for Efficiently Accelerating Software-based Dynamic Data Flow Tracking on Commodity Hardware , 2012, NDSS.

[30]  Giuseppe Pappalardo,et al.  Suggesting Extract Class Refactoring Opportunities by Measuring Strength of Method Interactions , 2013, 2013 20th Asia-Pacific Software Engineering Conference (APSEC).

[31]  Andy Podgurski,et al.  JavaPDG: A New Platform for Program Dependence Analysis , 2013, 2013 IEEE Sixth International Conference on Software Testing, Verification and Validation.

[32]  Giuseppe Pappalardo,et al.  Tackling consistency issues for runtime updating distributed systems , 2010, 2010 IEEE International Symposium on Parallel & Distributed Processing, Workshops and Phd Forum (IPDPSW).

[33]  Calvin Lin,et al.  Efficient and extensible security enforcement using dynamic data flow analysis , 2008, CCS.

[34]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[35]  David A. Wagner,et al.  Efficient character-level taint tracking for Java , 2009, SWS '09.

[36]  Cheng Wang,et al.  LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks , 2006, 2006 39th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO'06).

[37]  Christopher Krügel,et al.  PiOS: Detecting Privacy Leaks in iOS Applications , 2011, NDSS.

[38]  James Newsome,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software , 2005, NDSS.

[39]  Angelos D. Keromytis,et al.  libdft: practical dynamic data flow tracking for commodity systems , 2012, VEE '12.

[40]  Todd C. Mowry,et al.  Butterfly analysis: adapting dataflow analysis to dynamic parallel monitoring , 2010, ASPLOS XV.