TU Darmstadt / ULB / TUbiblio

FlowTwist: Efficient Context-sensitive Inside-out Taint Analysis for Large Codebases

Lerch, Johannes and Hermann, Ben and Bodden, Eric and Mezini, Mira :
FlowTwist: Efficient Context-sensitive Inside-out Taint Analysis for Large Codebases.
[Online-Edition: http://doi.acm.org/10.1145/2635868.2635878]
In: Proceedings of the 22Nd ACM SIGSOFT International Symposium on Foundations of Software Engineering. In: FSE 2014 . ACM , New York, NY, USA
[Conference or Workshop Item] , (2014)

Official URL: http://doi.acm.org/10.1145/2635868.2635878

Abstract

Over the past years, widely used platforms such as the Java Class Library have been under constant attack through vulnerabilities that involve a combination of two taint-analysis problems: an integrity problem allowing attackers to trigger sensitive operations within the platform, and a confidentiality problem allowing the attacker to retrieve sensitive information or pointers from the results of those operations. While existing static taint analyses are good at solving either of those problems, we show that they scale prohibitively badly when being applied to situations that require the exploitation of both an integrity and confidentiality problem in combination. The main problem is the huge attack surface of libraries such as the Java Class Library, which exposes thousands of methods potentially controllable by an attacker. In this work we thus present FlowTwist, a novel taint-analysis approach that works inside-out, i.e., tracks data flows from potentially vulnerable calls to the outer level of the API which the attacker might control. This inside-out analysis requires a careful, context-sensitive coordination of both a backward and a forward taint analysis. In this work, we expose a design of the analysis approach based on the IFDS algorithm, and explain several extensions to IFDS that enable not only this coordination but also a helpful reporting of error situations to security analysts. Experiments with the Java Class Library show that, while a simple forward taint-analysis approach does not scale even with much machine power, FlowTwist's algorithm is able to fully analyze the library within 10 minutes.

Item Type: Conference or Workshop Item
Erschienen: 2014
Creators: Lerch, Johannes and Hermann, Ben and Bodden, Eric and Mezini, Mira
Title: FlowTwist: Efficient Context-sensitive Inside-out Taint Analysis for Large Codebases
Language: English
Abstract:

Over the past years, widely used platforms such as the Java Class Library have been under constant attack through vulnerabilities that involve a combination of two taint-analysis problems: an integrity problem allowing attackers to trigger sensitive operations within the platform, and a confidentiality problem allowing the attacker to retrieve sensitive information or pointers from the results of those operations. While existing static taint analyses are good at solving either of those problems, we show that they scale prohibitively badly when being applied to situations that require the exploitation of both an integrity and confidentiality problem in combination. The main problem is the huge attack surface of libraries such as the Java Class Library, which exposes thousands of methods potentially controllable by an attacker. In this work we thus present FlowTwist, a novel taint-analysis approach that works inside-out, i.e., tracks data flows from potentially vulnerable calls to the outer level of the API which the attacker might control. This inside-out analysis requires a careful, context-sensitive coordination of both a backward and a forward taint analysis. In this work, we expose a design of the analysis approach based on the IFDS algorithm, and explain several extensions to IFDS that enable not only this coordination but also a helpful reporting of error situations to security analysts. Experiments with the Java Class Library show that, while a simple forward taint-analysis approach does not scale even with much machine power, FlowTwist's algorithm is able to fully analyze the library within 10 minutes.

Series Name: FSE 2014
Place of Publication: New York, NY, USA
Publisher: ACM
Uncontrolled Keywords: IFDS, Taint analysis, confused deputy
Divisions: Department of Computer Science > Software Technology
Department of Computer Science > EC SPRIDE
Department of Computer Science > EC SPRIDE > Secure Software Engineering
Department of Computer Science
Zentrale Einrichtungen
Event Title: Proceedings of the 22Nd ACM SIGSOFT International Symposium on Foundations of Software Engineering
Date Deposited: 08 Dec 2014 07:55
Official URL: http://doi.acm.org/10.1145/2635868.2635878
Export:

Optionen (nur für Redakteure)

View Item View Item