TU Darmstadt / ULB / TUbiblio

FlowTwist: Efficient Context-sensitive Inside-out Taint Analysis for Large Codebases

Lerch, Johannes ; Hermann, Ben ; Bodden, Eric ; Mezini, Mira :
FlowTwist: Efficient Context-sensitive Inside-out Taint Analysis for Large Codebases.
[Online-Edition: http://doi.acm.org/10.1145/2635868.2635878]
In: Proceedings of the 22Nd ACM SIGSOFT International Symposium on Foundations of Software Engineering. In: FSE 2014 . ACM , New York, NY, USA
[Konferenz- oder Workshop-Beitrag], (2014)

Offizielle URL: http://doi.acm.org/10.1145/2635868.2635878

Kurzbeschreibung (Abstract)

Over the past years, widely used platforms such as the Java Class Library have been under constant attack through vulnerabilities that involve a combination of two taint-analysis problems: an integrity problem allowing attackers to trigger sensitive operations within the platform, and a confidentiality problem allowing the attacker to retrieve sensitive information or pointers from the results of those operations. While existing static taint analyses are good at solving either of those problems, we show that they scale prohibitively badly when being applied to situations that require the exploitation of both an integrity and confidentiality problem in combination. The main problem is the huge attack surface of libraries such as the Java Class Library, which exposes thousands of methods potentially controllable by an attacker. In this work we thus present FlowTwist, a novel taint-analysis approach that works inside-out, i.e., tracks data flows from potentially vulnerable calls to the outer level of the API which the attacker might control. This inside-out analysis requires a careful, context-sensitive coordination of both a backward and a forward taint analysis. In this work, we expose a design of the analysis approach based on the IFDS algorithm, and explain several extensions to IFDS that enable not only this coordination but also a helpful reporting of error situations to security analysts. Experiments with the Java Class Library show that, while a simple forward taint-analysis approach does not scale even with much machine power, FlowTwist's algorithm is able to fully analyze the library within 10 minutes.

Typ des Eintrags: Konferenz- oder Workshop-Beitrag (Keine Angabe)
Erschienen: 2014
Autor(en): Lerch, Johannes ; Hermann, Ben ; Bodden, Eric ; Mezini, Mira
Titel: FlowTwist: Efficient Context-sensitive Inside-out Taint Analysis for Large Codebases
Sprache: Englisch
Kurzbeschreibung (Abstract):

Over the past years, widely used platforms such as the Java Class Library have been under constant attack through vulnerabilities that involve a combination of two taint-analysis problems: an integrity problem allowing attackers to trigger sensitive operations within the platform, and a confidentiality problem allowing the attacker to retrieve sensitive information or pointers from the results of those operations. While existing static taint analyses are good at solving either of those problems, we show that they scale prohibitively badly when being applied to situations that require the exploitation of both an integrity and confidentiality problem in combination. The main problem is the huge attack surface of libraries such as the Java Class Library, which exposes thousands of methods potentially controllable by an attacker. In this work we thus present FlowTwist, a novel taint-analysis approach that works inside-out, i.e., tracks data flows from potentially vulnerable calls to the outer level of the API which the attacker might control. This inside-out analysis requires a careful, context-sensitive coordination of both a backward and a forward taint analysis. In this work, we expose a design of the analysis approach based on the IFDS algorithm, and explain several extensions to IFDS that enable not only this coordination but also a helpful reporting of error situations to security analysts. Experiments with the Java Class Library show that, while a simple forward taint-analysis approach does not scale even with much machine power, FlowTwist's algorithm is able to fully analyze the library within 10 minutes.

Reihe: FSE 2014
Ort: New York, NY, USA
Verlag: ACM
Freie Schlagworte: IFDS, Taint analysis, confused deputy
Fachbereich(e)/-gebiet(e): Fachbereich Informatik > Softwaretechnik
Zentrale Einrichtungen > EC SPRIDE
Zentrale Einrichtungen > EC SPRIDE > Secure Software Engineering
Fachbereich Informatik
Zentrale Einrichtungen
Veranstaltungstitel: Proceedings of the 22Nd ACM SIGSOFT International Symposium on Foundations of Software Engineering
Hinterlegungsdatum: 08 Dez 2014 07:55
Offizielle URL: http://doi.acm.org/10.1145/2635868.2635878
Export:

Optionen (nur für Redakteure)

Eintrag anzeigen Eintrag anzeigen