A low-overhead, value-tracking approach to information flow security

Abstract

Context:Sensitive information such as passwords often leaks inadvertently because of implementation defects.Objective:Our objective is to use dynamic techniques to prevent information leakage before it occurs. We also aim to develop techniques that incur low overheads, and are safe in the presence of aliasing.Method:We use a dynamic approach to track secret values and safe locations. We assume that programs have annotations which identify values and locations that need to be protected against disclosure. We instrument a program with statements that record relevant values and locations and assertions to relevant assignments to determine if they leak information. At run-time the values being assigned to unsafe locations are analysed. If a particular assignment leads to information leakage an assertion violation is triggered. We evaluate our approach by experimentation which uses our prototype implementation for C programs to analyse security-oriented UNIX utilities and programs chosen from the SPEC CPU datasets.Results:Our experiments show that the overhead to detect problems such as password disclosure in real software does not exceed 1%. The overheads associated with detection of CWE security vulnerabilities in real applications are still acceptable; however, tracking a large number of values incurs higher overheads (over 10 times in certain cases).Conclusion:Our dynamic approach to detecting information leaks can be used in various contexts. For a program that tracks only a limited number of values the overhead is marginal. Thus, our instrumentation can be used in release versions. However, if an application has a large number of secret values, our technique is useful in a testing phase. The overheads in this case are too high for a real use, but still within an acceptable range to be used for detection of potential leaks during testing.