ACM CCS conference proceedings, research article. DOI: 10.1145/1455770.1455778

Efficient and extensible security enforcement using dynamic data flow analysis

Published: 27 October 2008

ABSTRACT

Current taint tracking systems suffer from high overhead and a lack of generality. In this paper, we solve both of these issues with an extensible system that is an order of magnitude more efficient than previous software taint tracking systems and is fully general to dynamic data flow tracking problems. Our system uses a compiler to transform untrusted programs into policy-enforcing programs, and our system can be easily reconfigured to support new analyses and policies without modifying the compiler or runtime system. Our system uses a sound and sophisticated static analysis that can dramatically reduce the amount of data that must be dynamically tracked. For server programs, our system's average overhead is 0.65% for taint tracking, which is comparable to the best hardware-based solutions. For a set of compute-bound benchmarks, our system produces no runtime overhead because our compiler can prove the absence of vulnerabilities, eliminating the need to dynamically track taint. After modifying these benchmarks to contain format string vulnerabilities, our system's overhead is less than 13%, which is over 6X lower than the previous best solutions. We demonstrate the flexibility and power of our system by applying it to file disclosure vulnerabilities, a problem that taint tracking cannot handle. To prevent such vulnerabilities, our system introduces an average runtime overhead of 0.25% for three open source server programs.
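The abstract describes a compiler that rewrites a program so that it carries taint alongside its data and checks a policy at sinks such as printf. The following C sketch, an added constructed example rather than the paper's own compiler output, shows what that instrumented shape looks like by hand: a shadow byte per buffer byte, a hypothetical instrumented recv as the source, a copy routine that propagates shadow bytes, and a format-string sink that refuses a tainted format. The paper's static analysis would remove all of this instrumentation from paths that provably never reach a sink; that pruning is not reproduced here.

```c
#include <stdio.h>
#include <string.h>
/* Constructed illustration of a "policy-enforcing program": each program
 * buffer gets a shadow array (1 = tainted byte); sources set shadow bytes,
 * copies propagate them, and sinks check them before the real call. */
#define BUF 64
static char net_buf[BUF];  static unsigned char net_taint[BUF];
static char fmt_buf[BUF];  static unsigned char fmt_taint[BUF];
/* Source: bytes arriving from the network are marked tainted.
 * (Hypothetical stand-in for an instrumented recv(); input is constructed.) */
static size_t recv_untrusted(const char *msg) {
    size_t n = strlen(msg);
    if (n >= BUF) n = BUF - 1;
    memcpy(net_buf, msg, n); net_buf[n] = '\0';
    memset(net_taint, 1, n); net_taint[n] = 0;
    return n;
}
/* Propagation: an instrumented strcpy copies shadow bytes alongside data. */
static void taint_strcpy(char *dst, unsigned char *dst_t,
                         const char *src, const unsigned char *src_t) {
    size_t i;
    for (i = 0; src[i]; i++) { dst[i] = src[i]; dst_t[i] = src_t[i]; }
    dst[i] = '\0'; dst_t[i] = 0;
}
/* Policy: a printf format string may carry no tainted byte. 1 = allowed. */
int format_is_clean(const char *fmt, const unsigned char *fmt_t) {
    for (size_t i = 0; fmt[i]; i++)
        if (fmt_t[i]) return 0;
    return 1;
}
/* Sink: printf(fmt, arg) becomes "check the policy, then call". */
static int guarded_printf(const char *fmt, const unsigned char *fmt_t, const char *arg) {
    if (!format_is_clean(fmt, fmt_t)) return 0;   /* violation: refuse the call */
    printf(fmt, arg);
    return 1;
}
/* Two flows from one source. bug=0: constant format, untrusted bytes only
 * reach an argument, call allowed. bug=1: untrusted bytes become the format
 * itself, so the sink refuses. Returns 1 if printf ran, 0 if blocked. */
int run_scenario(const char *input, int bug) {
    recv_untrusted(input);
    if (bug) {
        taint_strcpy(fmt_buf, fmt_taint, net_buf, net_taint);
    } else {
        strcpy(fmt_buf, "client said: %s\n");
        memset(fmt_taint, 0, BUF);
    }
    return guarded_printf(fmt_buf, fmt_taint, net_buf);
}
```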


Published in: CCS '08: Proceedings of the 15th ACM Conference on Computer and Communications Security, October 2008, 590 pages. ISBN 9781595938107, DOI 10.1145/1455770. Copyright © 2008 ACM.


Publisher: Association for Computing Machinery, New York, NY, United States.


Acceptance rates: CCS '08 accepted 51 of 280 submissions (18%); overall CCS acceptance rate 1,261 of 6,999 submissions (18%).
