ABSTRACT
Current taint tracking systems suffer from high overhead and a lack of generality. In this paper, we solve both of these issues with an extensible system that is an order of magnitude more efficient than previous software taint tracking systems and is fully general to dynamic data flow tracking problems. Our system uses a compiler to transform untrusted programs into policy-enforcing programs, and our system can be easily reconfigured to support new analyses and policies without modifying the compiler or runtime system. Our system uses a sound and sophisticated static analysis that can dramatically reduce the amount of data that must be dynamically tracked. For server programs, our system's average overhead is 0.65% for taint tracking, which is comparable to the best hardware-based solutions. For a set of compute-bound benchmarks, our system produces no runtime overhead because our compiler can prove the absence of vulnerabilities, eliminating the need to dynamically track taint. After modifying these benchmarks to contain format string vulnerabilities, our system's overhead is less than 13%, which is over 6X lower than the previous best solutions. We demonstrate the flexibility and power of our system by applying it to file disclosure vulnerabilities, a problem that taint tracking cannot handle. To prevent such vulnerabilities, our system introduces an average runtime overhead of 0.25% for three open source server programs.
- M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity: Principles, implementations, and applications. In Proceedings of the ACM Conference on Computer and Communication Security, pages 340--353, 2005. Google ScholarDigital Library
- K. Ashcraft and D. Engler. Using programmer-written compiler extensions to catch security holes. In Proceedings of the IEEE Symposium on Security and Privacy, pages 143--159, 2002. Google ScholarDigital Library
- D. Avots, M. Dalton, V. B. Livshits, and M. S. Lam. Improving software security with a C pointer analysis. In Proceedings of the 27th International Conference on Software Engineering, pages 332--341, 2005. Google ScholarDigital Library
- A. Baratloo, N. Singh, and T. Tsai. Transparent run-time defense against stack smashing attacks. In Proceedings of the USENIX Annual Technical Conference, pages 251--262, 2000. Google ScholarDigital Library
- D. E. Bell and L. J. LaPadula. Secure computer systems: Mathematical foundations. Technical Report 2547, MITRE, March 1973.Google Scholar
- E. D. Berger and B. G. Zorn. DieHard: Probabalistic memory safety for unsafe languages. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 158--168, 2006. Google ScholarDigital Library
- S. Bhatkar, R. Sekar, and D. C. DuVarney. Efficient techniques for comprehensive protection from memory error exploits. In Proceedings of the 14th USENIX Security Symposium, pages 271--286, 2005. Google ScholarDigital Library
- K. J. Biba. Integrity considerations for secure computer systems. Technical Report ES-TR-76-372, Electronic Systems Division, Hanscom Air Force Base, April 1977.Google Scholar
- M. Castro, M. Costa, and T. Harris. Securing software by enforcing data-flow integrity. In Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation, pages 147--160, 2006. Google ScholarDigital Library
- S. Chen, J. Xu, N. Nakka, Z. Kalbarczyk, and R. K. Iyer. Defeating memory corruption attacks via pointer taintedness detection. In Proceedings of the International Conference on Dependable Systems and Networks, pages 378--387, 2005. Google ScholarDigital Library
- J. Clause, W. Li, and A. Orso. Dytan: A generic dynamic taint analysis framework. In Proceedings of the 2007 International Symposium on Software Testing, pages 196--206, 2007. Google ScholarDigital Library
- M. Costa, J. Crowcroft, M. Castro, A. Rwostron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of Internet worms. In Proceedings of the 20th ACM Symposium on Operating System Principles, pages 133--147, 2005. Google ScholarDigital Library
- C. Cowan, M. Barringer, S. Beattie, G. Kroah-Hartman, M. Frantzen, and J. Lokier. FormatGuard: Automatic protection from printf format string vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, pages 15--23, 2001. Google ScholarDigital Library
- C. Cowan, S. Beattie, J. Johansen, and P. Wagle. PointGuard: Protecting pointers from buffer overflow vulnerabilities. In Proceedings of the 12th USENIX Security Symposium, pages 91--104, 2003. Google ScholarDigital Library
- C. Cowan, C. Pu, D. Maier, H. Hinton, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th USENIX Security Symposium, pages 63--78, 1998. Google ScholarDigital Library
- J. R. Crandall and F. T. Chong. Minos: Control data attack prevention orthogonal to memory model. In Proceedings of the 37th International Symposium on Microarchitecture, pages 221--232, 2004. Google ScholarDigital Library
- M. Dalton, H. Kannan, and C. Kozyrakis. Raksha: A flexible information flow architecture for software security. In Proceedings of the 34th International Symposium on Computer Architecture, pages 482--493, 2007. Google ScholarDigital Library
- D. E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236--243, May 1976. Google ScholarDigital Library
- U. Erlingsson. The inlined reference monitor approach to security policy enforcement. PhD thesis, Cornell University, Ithaca, New York, 2003. Google ScholarDigital Library
- D. Evans and D. Larochelle. Improving security using extensible lightweight static analysis. IEEE Software, 19(1):42--51, January/February 2002. Google ScholarDigital Library
- S. Z. Guyer. Incorporating Domain-Specific Information into the Compilation Process. PhD thesis, The University of Texas at Austin, Austin, TX, 2003. Google ScholarDigital Library
- S. Z. Guyer and C. Lin. An annotation language for optimizing software libraries. In Proceedings of the 2nd Conference on Domain-Specific Languages, pages 39--52, 1999. Google ScholarDigital Library
- S. Z. Guyer and C. Lin. Client-driven pointer analysis. In Proceedings of the 10th Annual Static Analysis Symposium, pages 214--236, June 2003. Google ScholarDigital Library
- S. Z. Guyer and C. Lin. Broadway: A compiler for exploiting the domain-specific semantics of software libraries. Proceedings of the IEEE, Special issue on program generation, optimization and adaptation, 93(2):342--357, January-February 2005.Google ScholarCross Ref
- M. Hauswirth and T. M. Chilimbi. Low-overhead memory leak detection using adaptive statistical profiling. In Proceedings of the 11th International Conference on Architectural Support for Programming Languages and Operating Systems, pages 156--164, 2004. Google ScholarDigital Library
- J. C. Huang. Detection of data flow anomaly through program instrumentation. IEEE Transactions on Software Engineering, SE--5(3):226--236, May 1979. Google ScholarDigital Library
- T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Cheney, and Y. Wang. Cyclone: A safe dialect of C. In Proceedings of the USENIX Annual Technical Conference, pages 275--288, 2002. Google ScholarDigital Library
- R. W. M. Jones and P. H. J. Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. In Proceedings of the 4th International Workshop on Automated and Algorithmic Debugging, pages 13--26, 1997.Google Scholar
- J. B. Kam and J. D. Ullman. Global data flow analysis and iterative algorithms. Journal of the ACM, 23(1):158--176, January 1976. Google ScholarDigital Library
- V. Kiriansky, D. Bruening, and S. Amarasinghe. Secure execution via program shepherding. In Proceedings of the 11th Annual USENIX Security Symposium, pages 191--206, 2002. Google ScholarDigital Library
- L. C. Lam and T.-C. Chiueh. A general dynamic information flow tracking framework for security applications. In Proceedings of the 22nd Annual Computer Security Applications Conference, pages 463--472, 2006. Google ScholarDigital Library
- M. Martin, B. Livshits, and M. S. Lam. Finding application errors and security flaws using PQL: A program query language. In Proceedings of the 20th Annual ACM SIGPLAN Conference on Object Oriented Programming, Systems, and Applications, pages 365--383, 2005. Google ScholarDigital Library
- A. C. Myers. JFlow: Practical mostly-static information flow control. In Proceedings of the 26th ACM SIGPLAN Symposium on Principles of Programming Languages, pages 228--241, 1999. Google ScholarDigital Library
- National Security Agency Information Systems Security Organization. Labeled security protection profile version 1b, October 1999.Google Scholar
- G. C. Necula, S. McPeak, and W. Weimer. CCured: Type-safe retrofitting of legacy code. In Proceedings of the 29th ACM SIGPLAN Symposium on Principles of Programming Languages, pages 128--139, 2002. Google ScholarDigital Library
- J. Newsome, D. Brumley, and D. Song. Vulnerability-specific execution filtering for exploit prevention on commodity software. In Proceedings of the Network and Distributed Security Symposium, 2006.Google Scholar
- J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the Network and Distributed Security Symposium, 2005.Google Scholar
- A. Nguyen-Tong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening web applications using precise tainting. In Proceedings of the 20th IFIP International Information Security Conference, pages 295--308, 2005.Google ScholarCross Ref
- F. Qin, C. Wang, Z. Li, H. seop Kim, Y. Zhou, and Y. Wu. LIFT: A low-overhead information flow tracking system for detecting security attacks. In Proceedings of the 39th Annual IEEE/ACM Symposium on Microarchitecture, pages 135--148, 2006. Google ScholarDigital Library
- A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 21(1):5--19, 2003. Google ScholarDigital Library
- F. B. Schneider. Enforceable security policies. ACM Transactions on Information and System Security, 3(1):30--50, February 2000. Google ScholarDigital Library
- U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting format string vulnerabilities with type qualifiers. In Proceedings of the 10th USENIX Security Symposium, pages 201--218, 2001. Google ScholarDigital Library
- R. Strom and S. Yemini. Typestate: A programming language concept for enhancing software reliability. IEEE Transactions on Software Engineering, 12(1):157--171, 1986. Google ScholarDigital Library
- G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure program execution via dynamic information flow tracking. In Proceedings of the 11th International Conference on Architectural Support for Programming Languages and Operating Systems, pages 85--96, 2004. Google ScholarDigital Library
- K. Thompson. Reflections on trusting trust. Communications of the ACM, 27(8):761--763, August 1984. Google ScholarDigital Library
- L. Wall, T. Christiansen, and J. Orwant. Programming Perl. O'Reilly & Associates, Sebastopol, California, United States, third edition, 2000. Google ScholarDigital Library
- M. Weiser. Program slicing. In Proceedings of the 5th International Conference on Software Engineering, pages 439--449, 1981. Google ScholarDigital Library
- W. Xu, S. Bhatkar, and R. Sekar. Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks. In Proceedings of the 15th USENIX Security Symposium, pages 121--136, 2006. Google ScholarDigital Library
Index Terms
- Efficient and extensible security enforcement using dynamic data flow analysis
Recommendations
Context-, flow-, and field-sensitive data-flow analysis using synchronized Pushdown systems
Precise static analyses are context-, field- and flow-sensitive. Context- and field-sensitivity are both expressible as context-free language (CFL) reachability problems. Solving both CFL problems along the same data-flow path is undecidable, which is ...
Precise flow-insensitive may-alias analysis is NP-hard
Determining aliases is one of the foundamental static analysis problems, in part because the precision with which this problem is solved can affect the precision of other analyses such as live variables, available expressions, and constant propagation. ...
Pushdown control-flow analysis for free
POPL '16Traditional control-flow analysis (CFA) for higher-order languages introduces spurious connections between callers and callees, and different invocations of a function may pollute each other's return flows. Recently, three distinct approaches have been ...
Comments