LazyTainter: Memory-Efficient Taint Tracking in Managed Runtimes

The leakage of private information is of great concern on mobile devices since they contain a great deal of sensitive information. This has spurred interest in the use of taint tracking systems to track and monitor the flow of private information on a mobile device. Taint tracking systems impose memory overhead, as taint information must be maintained for every piece of information an application stores in memory. This memory cost is at odds with the growing number of low-end, memory-constrained devices, which makes up the majority mobile device growth in emerging markets. To make taint tracking affordable and to benefit a broader range of mobile devices, we present LazyTainter, which is a memory-efficient taint tracking system designed for managed runtimes. To implement LazyTainter, we enhanced TaintDroid with hybrid taint tracking, which combines lazy and eager tainting, to reduce memory usage with only negligible performance loss. Our experimental results demonstrate that LazyTainter can reduce heap usage by as much as 26.5% when compared to TaintDroid while imposing a negligible 1% increase in performance overhead.

[1]  James Newsome,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software , 2005, NDSS.

[2]  Zhen Huang,et al.  PScout: analyzing the Android permission specification , 2012, CCS.

[3]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[4]  Mads Dam,et al.  TreeDroid: a tree automaton based approach to enforcing data processing policies , 2012, CCS '12.

[5]  Benjamin Livshits,et al.  Automatic Mediation of Privacy-Sensitive Resource Access in Smartphone Applications , 2013, USENIX Security Symposium.

[6]  Wei Xu,et al.  Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks , 2006, USENIX Security Symposium.

[7]  Gerhard Saeltzer Little Brothers are watching you , 2010, Datenschutz und Datensicherheit - DuD.

[8]  Ashvin Goel,et al.  Securing Script-Based Extensibility in Web Browsers , 2010, USENIX Security Symposium.

[9]  Heng Yin,et al.  Panorama: capturing system-wide information flow for malware detection and analysis , 2007, CCS '07.

[10]  Andrew Warfield,et al.  Practical taint-based protection using demand emulation , 2006, EuroSys.

[11]  Dawn Xiaodong Song,et al.  TaintEraser: protecting sensitive data leaks using application-level taint tracking , 2011, OPSR.

[12]  Anh Nguyen-Tuong,et al.  Automatically Hardening Web Applications Using Precise Tainting , 2005, SEC.

[13]  David Zhang,et al.  Secure program execution via dynamic information flow tracking , 2004, ASPLOS XI.

[14]  Christopher Krügel,et al.  Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis , 2007, NDSS.

[15]  Wenke Lee,et al.  Jekyll on iOS: When Benign Apps Become Evil , 2013, USENIX Security Symposium.

[16]  Yang Tang,et al.  CleanOS: Limiting Mobile Data Exposure with Idle Eviction , 2012, OSDI.

[17]  Jacques Klein,et al.  Effective inter-component communication mapping in Android with Epicc: an essential step towards holistic security analysis , 2013 .

[18]  Benjamin Livshits,et al.  Dynamic Taint Tracking in Managed Runtimes , 2012 .

[19]  Seungyeop Han,et al.  These aren't the droids you're looking for: retrofitting android to protect data from imperious applications , 2011, CCS '11.

[20]  Lorrie Faith Cranor,et al.  "Little brothers watching you": raising awareness of data leaks on smartphones , 2013, SOUPS.