Practical and effcient runtime taint tracking

Runtime taint tracking is a technique for controlling data propagation in applications. It is typically used to prevent disclosure of confidential information or to avoid application vulnerabilities. Taint tracking systems intercept application operations at runtime, associate meta-data with the data being processed and inspect the meta-data to detect unauthorised data propagation. To keep metadata up-to-date, every attempt of the application to access and process data is intercepted. To ensure that all data propagation is monitored, different categories of data (e.g. confidential and public data) are kept isolated. In practice, the interception of application operations and the isolation of different categories of data are hard to achieve. Existing applications, language interpreters and operating systems need to be re-engineered while keeping metadata up-to-date incurs significant overhead at runtime. In this thesis we show that runtime taint tracking can be implemented with minimal changes to existing infrastructure and with reduced overhead compared to previous approaches. In other words, we suggest methods to achieve both practical and efficient runtime taint tracking. Our key observation is that applications in specific domains are typically implemented in high-level languages and use a subset of the available language features. This facilitates the implementation of a taint tracking system because it needs to support only parts of a programming language and it may leverage features of the execution platform. This thesis explores three different applications domains. We start with event processing applications in Java, for which we introduce a novel solution to achieve isolation and a practical method to declare restrictions about data propagation. We then focus on securing PHP web applications. We show that if taint tracking is restricted to a small part of an application, the runtime overhead is significantly reduced without sacrificing effectiveness. Finally, we target accidental data disclosure in Ruby web applications. Ruby emerges as an ideal choice for a practical taint tracking system because it supports meta-programming facilities that simplify interception and isolation.

[1]  Calvin Lin,et al.  Efficient and extensible security enforcement using dynamic data flow analysis , 2008, CCS.

[2]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[3]  Catriel Beeri,et al.  Monitoring Business Processes with Queries , 2007, VLDB.

[4]  David A. Wagner,et al.  Efficient character-level taint tracking for Java , 2009, SWS '09.

[5]  Geoffrey Smith,et al.  A Type-Based Approach to Program Security , 1997, TAPSOFT.

[6]  Hans-Arno Jacobsen,et al.  Event Exposure for Web Services: A Grey-Box Approach to Compose and Evolve Web Services , 2010, The Smart Internet.

[7]  Zhendong Su,et al.  Sound and precise analysis of web applications for injection vulnerabilities , 2007, PLDI '07.

[8]  Thomas H. Austin,et al.  Efficient purely-dynamic information flow analysis , 2009, PLAS '09.

[9]  Andrew C. Myers,et al.  Protecting privacy using the decentralized label model , 2003, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[10]  David Zhang,et al.  Secure program execution via dynamic information flow tracking , 2004, ASPLOS XI.

[11]  Jan Vitek,et al.  Incommunicado: efficient communication for isolates , 2002, OOPSLA '02.

[12]  Michael Golm,et al.  The JX Operating System , 2002, USENIX Annual Technical Conference, General Track.

[13]  G. Vidyamurthy Pairs Trading: Quantitative Methods and Analysis , 2004 .

[14]  Peter Pietzuch Hermes: A scalable event-based middleware , 2004 .

[15]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[16]  Marianne Winslett,et al.  VEX: Vetting Browser Extensions for Security Vulnerabilities , 2010, USENIX Security Symposium.

[17]  Dieter Gawlick,et al.  Event processing with an oracle database , 2005, SIGMOD '05.

[18]  R. Sekar,et al.  On the Limits of Information Flow Techniques for Malware Analysis and Containment , 2008, DIMVA.

[19]  Alejandro Russo,et al.  From Dynamic to Static and Back: Riding the Roller Coaster of Information-Flow Control Research , 2009, Ershov Memorial Conference.

[20]  Steve Vandebogart,et al.  Labels and event processes in the Asbestos operating system , 2005, TOCS.

[21]  Dawn Xiaodong Song,et al.  TaintEraser: protecting sensitive data leaks using application-level taint tracking , 2011, OPSR.

[22]  Matthew Finifter Exploring the Relationship Between Web Application Development Tools and Security , 2011, WebApps.

[23]  D. T. Lee,et al.  Securing web application code by static analysis and runtime protection , 2004, WWW '04.

[24]  Anh Nguyen-Tuong,et al.  Automatically Hardening Web Applications Using Precise Tainting , 2005, SEC.

[25]  Dawson R. Engler,et al.  EXE: automatically generating inputs of death , 2006, CCS '06.

[26]  Carl M. Ellison,et al.  Establishing identity without certification authorities , 1996 .

[27]  Cristina V. Lopes,et al.  Aspect-oriented programming , 1999, ECOOP Workshops.

[28]  Ben Hardekopf,et al.  Timing- and Termination-Sensitive Secure Information Flow: Exploring a New Approach , 2011, 2011 IEEE Symposium on Security and Privacy.

[29]  Sorin Lerner,et al.  An empirical study of privacy-violating information flows in JavaScript web applications , 2010, CCS '10.

[30]  David L. Dill,et al.  A Decision Procedure for Bit-Vectors and Arrays , 2007, CAV.

[31]  D. E. Bell,et al.  Secure Computer Systems : Mathematical Foundations , 2022 .

[32]  Silas Boyd-Wickizer,et al.  Securing Distributed Systems with Information Flow Control , 2008, NSDI.

[33]  Frank Tip,et al.  Finding bugs in dynamic web applications , 2008, ISSTA '08.

[34]  Walter Binder,et al.  Aspect weaving in standard Java class libraries , 2008, PPPJ '08.

[35]  Steve Hanna,et al.  A Symbolic Execution Framework for JavaScript , 2010, 2010 IEEE Symposium on Security and Privacy.

[36]  Tadeusz Pietraszek,et al.  Defending Against Injection Attacks Through Context-Sensitive String Evaluation , 2005, RAID.

[37]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[38]  R V Prasad Reddy,et al.  CLOUD DATA PROTECTION FOR THE MASSES , 2013 .

[39]  Steve Vandebogart,et al.  Make Least Privilege a Right (Not a Privilege) , 2005, HotOS.

[40]  Grzegorz Czajkowski,et al.  Multitasking without compromise: a virtual machine evolution , 2001, SIGP.

[41]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[42]  Alessandro Orso,et al.  AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks , 2005, ASE.

[43]  Alexander Aiken,et al.  Static Detection of Security Vulnerabilities in Scripting Languages , 2006, USENIX Security Symposium.

[44]  Peter R. Pietzuch,et al.  PHP Aspis: Using Partial Taint Tracking to Protect Against Injection Attacks , 2011, WebApps.

[45]  David Luckham,et al.  The power of events - an introduction to complex event processing in distributed enterprise systems , 2002, RuleML.

[46]  Eddie Kohler,et al.  Making information flow explicit in HiStar , 2006, OSDI '06.

[47]  Stephen McCamant,et al.  DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation , 2011, NDSS.

[48]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[49]  Wei Xu,et al.  Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks , 2006, USENIX Security Symposium.

[50]  Wilson C. Hsieh,et al.  Processes in KaffeOS: isolation, resource management, and sharing in java , 2000, OSDI.

[51]  Thomas H. Austin,et al.  Permissive dynamic information flow analysis , 2010, PLAS '10.

[52]  Herbert Bos,et al.  Pointless tainting?: evaluating the practicality of pointer tainting , 2009, EuroSys '09.

[53]  Ravishankar K. Iyer,et al.  Defeating memory corruption attacks via pointer taintedness detection , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[54]  K. J. Bma Integrity considerations for secure computer systems , 1977 .

[55]  Andrew S. Tanenbaum,et al.  A Virtual Machine Based Information Flow Control System for Policy Enforcement , 2008, Electron. Notes Theor. Comput. Sci..

[56]  Manu Sridharan,et al.  TAJ: effective taint analysis of web applications , 2009, PLDI '09.

[57]  Eddie Kohler,et al.  Information flow control for standard OS abstractions , 2007, SOSP.

[58]  Christopher Krügel,et al.  Pixy: a static analysis tool for detecting Web application vulnerabilities , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[59]  Hao Chen,et al.  DBTaint: Cross-Application Information Flow Tracking via Databases , 2010, WebApps.

[60]  Jean Bacon,et al.  Enforcing User Privacy in Web Applications using Erlang , 2010 .

[61]  Robert Tappan Morris,et al.  Privacy-preserving browser-side scripting with BFlow , 2009, EuroSys '09.

[62]  David Brumley,et al.  All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask) , 2010, 2010 IEEE Symposium on Security and Privacy.

[63]  Christopher Krügel,et al.  A survey on automated dynamic malware-analysis techniques and tools , 2012, CSUR.

[64]  Andrew C. Myers,et al.  SIF: Enforcing Confidentiality and Integrity in Web Applications , 2007, USENIX Security Symposium.

[65]  Angelos D. Keromytis,et al.  libdft: practical dynamic data flow tracking for commodity systems , 2012, VEE '12.

[66]  Alessandro Orso,et al.  WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation , 2008, IEEE Transactions on Software Engineering.

[67]  Christoforos E. Kozyrakis,et al.  Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Applications , 2009, USENIX Security Symposium.

[68]  Andrew S. Tanenbaum,et al.  Trishul : A Policy Enforcement Architecture for Java Virtual Machines , 2008 .

[69]  Avik Chaudhuri,et al.  Symbolic security analysis of ruby-on-rails web applications , 2010, CCS '10.

[70]  Patrick Mutchler,et al.  GuardRails: A Data-Centric Web Application Security Framework , 2011, WebApps.

[71]  Adam Barth,et al.  Protecting Browsers from Extension Vulnerabilities , 2010, NDSS.

[72]  Boniface Hicks,et al.  From Languages to Systems: Understanding Practical Application Development in Security-typed Languages , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[73]  Vincent Simonet Flow Caml in a Nutshell , 2003 .

[74]  Herbert Bos,et al.  Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation , 2006, EuroSys.

[75]  Aske Simon Christensen,et al.  Precise Analysis of String Expressions , 2003, SAS.

[76]  David Flanagan,et al.  The Ruby Programming Language , 2007 .

[77]  Herbert Bos,et al.  Minemu: The World's Fastest Taint Tracker , 2011, RAID.

[78]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[79]  David Evans,et al.  SafeWeb: A Middleware for Securing Ruby-Based Web Applications , 2011, Middleware.

[80]  Wenke Lee,et al.  xBook: Redesigning Privacy Control in Social Networking Platforms , 2009, USENIX Security Symposium.

[81]  Dennis Shasha,et al.  Filtering algorithms and implementation for very fast publish/subscribe systems , 2001, SIGMOD '01.

[82]  Fabrice Bellard,et al.  QEMU, a Fast and Portable Dynamic Translator , 2005, USENIX ATC, FREENIX Track.

[83]  Anne-Marie Kermarrec,et al.  The many faces of publish/subscribe , 2003, CSUR.

[84]  Bruno Crispo,et al.  YAASE: Yet Another Android Security Extension , 2011, 2011 IEEE Third Int'l Conference on Privacy, Security, Risk and Trust and 2011 IEEE Third Int'l Conference on Social Computing.

[85]  Nicolas Georay I-JVM: a Java Virtual Machine for Component Isolation in OSGi , 2009 .

[86]  Deian Stefan,et al.  Hails: Protecting Data Privacy in Untrusted Web Applications , 2012, OSDI.

[87]  Ashvin Goel,et al.  Securing Script-Based Extensibility in Web Browsers , 2010, USENIX Security Symposium.

[88]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[89]  Xi Wang,et al.  Improving application security with data flow assertions , 2009, SOSP '09.

[90]  Eran Tromer,et al.  Noninterference for a Practical DIFC-Based Operating System , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[91]  David M. Eyers,et al.  Distributed Middleware Enforcement of Event Flow Security Policy , 2010, Middleware.

[92]  David A. Wagner,et al.  Joe-E: A Security-Oriented Subset of Java , 2010, NDSS.

[93]  Prateek Saxena,et al.  An Empirical Analysis of XSS Sanitization in Web Application Frameworks , 2011 .

[94]  Deyu Hu,et al.  Implementing Multiple Protection Domains in Java , 1998, USENIX Annual Technical Conference.

[95]  Christopher Krügel,et al.  Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis , 2007, NDSS.

[96]  Benjamin Livshits,et al.  Finding Security Vulnerabilities in Java Applications with Static Analysis , 2005, USENIX Security Symposium.

[97]  Yasuhiko Minamide,et al.  Static approximation of dynamically generated Web pages , 2005, WWW '05.

[98]  David M. Eyers,et al.  DEFCON: High-Performance Event Processing with Information Security , 2010, USENIX Annual Technical Conference.

[99]  Alejandro Russo,et al.  Dynamic vs. Static Flow-Sensitive Security Analysis , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[100]  Eddie Kohler,et al.  Manageable fine-grained information flow , 2008, Eurosys '08.

[101]  Hiroshi Inamura,et al.  Dynamic test input generation for web applications , 2008, ISSTA '08.