Taint Analysis Research Articles

Quantifying Information Leakage for Security Verification of Compiler Optimizations

Compiler optimizations can be functionally correct but not secure. In this work, we attempt to quantify the information leakage in a program for the security verification of compiler optimizations. Our work has the following contributions. We demonstrate that static taint analysis is applicable for security verification of compile optimizations. We develop a completely automated approach for quantifying the information leak in a program in the context of compiler optimizations. Our method avoids many false-positives scenarios due to implicit flow. It can handle leaks in a loop and propagates leaks over paths using the leak propagation vector. With our quantification parameters, we verify the relative security of source and transformed programs considering the optimizations phase of a compiler as a black box. Our experimental evaluations on benchmarks for various compiler optimizations in SPARK show that the SPARK compiler is actually leaky.

Context matters: Methods for Bitcoin tracking

Bitcoin and other cryptocurrencies are well-known for their privacy properties that allow for the “anonymous” exchange of money. Bitcoin tracking with taint analysis remains challenging as it does not account for the change in Bitcoins' ownership or the usage of Privacy-Enhancing Technologies (PETs) to obscure Bitcoins' movement, and often produces unessential incidents with transactions unlikely to be related to the targeted activity. In this paper, we propose to improve the Bitcoin taint analysis tracking process that adapts to the context of address ownership and avoid following unrelated transactions. First, we introduce an approach in which we incorporate Bitcoin taint analysis with address profiling. Second, we propose two context-based taint analysis strategies. Third, we introduce a set of metrics using hypothesised behaviours related to illegal Bitcoins and recognisable patterns within the blockchain. We conducted an experiment using sample data from known Bitcoin theft cases to illustrate and evaluate the approach. The results on address profile integration reveal distinct transaction behaviours in tracking theft cases following all the metrics, such as address reuse, address size and transaction fee payment. One of the context-based tracking strategies, Dirty-First, shows positive potential for illustrating illegal Bitcoins’ spending and obscuring strategies. The majority of the six metrics we defined give distinct results in transaction behaviours between the theft cases and the control groups. Our context-based tracking methodology provides a solution for one of the shortcomings in the current Bitcoin tracking methodology and the next step for future cryptocurrency and cybercrime forensic research.

Analyzing Android Taint Analysis Tools: FlowDroid, Amandroid, and DroidSafe

Numerous static taint analysis techniques have recently been proposed for identifying information flows in mobile applications. These techniques are often optimized and evaluated on a set of synthetic benchmarks, which makes the comparison results difficult to generalize. Moreover, the techniques are commonly compared under different configuration setups, rendering the comparisons inaccurate. In this paper, we provide a large, controlled, and independent comparison of the three most prominent static taint analysis tools: <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">FlowDroid</small> , <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Amandroid</small> , and <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">DroidSafe</small> . We align the configuration setup for the tools and evaluate them on both a set of common benchmarks and on real applications from the Google Play app store. We further evaluate the effectiveness of additional reflection handling mechanism implemented by <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">DroidRA</small> , applying it to each of the evaluated tools. We compare the results of our analysis to the results reported in previous studies, identify main reasons for inaccuracy in existing tools, and provide suggestions for future research.

Smart Mobile Information Systems on the Key Systems of Blockchain Privacy Protection

In the process of data collaboration, the data source copyright, equity boundaries, and other issues must be ensured to ensure the data owner’s income rights. The data on the blockchain are transaction data. After the data are verified, they are added to the block by the node that has the right to keep accounts. Once the data are added to the blockchain, they cannot be deleted or changed, and only authorized query operations can be performed. The transaction records on the blockchain are completely public, and the fund transactions between accounts can reflect a lot of valuable information, especially some special accounts track the IP of transaction users through methods such as address reuse, taint analysis, and cluster analysis. At the same time, a credit contribution certification mechanism is established to ensure that the contributions are directly proportional to the rewards, and finally, a credit mechanism for data fraud is established. This paper mainly analyzes the key systems of privacy protection through research data and blockchain. The research results show that different companies conduct the Pailler homomorphic encryption of data and use the secure multiparty calculation to obtain the results. The execution of the whole process is controlled by a specific intelligent contract, and the records of the execution process are stored in the blockchain. It can be seen that the blockchain-based data distribution system changes the traditional data distribution mode so that the data source and the data user can interact directly, which promotes the maintenance of the system’s security and stability.

Fluently specifying taint-flow queries with fluentTQL

Previous work has shown that taint analyses are only useful if correctly customized to the context in which they are used. Existing domain-specific languages (DSLs) allow such customization through the definition of deny-listing data-flow rules that describe potentially vulnerable or malicious taint-flows. These languages, however, are designed primarily for security experts who are expected to be knowledgeable in taint analysis. Software developers, however, consider these languages to be complex. This paper thus presents fluent TQL, a query specification language particularly for taint-flows. fluentTQL is internal Java DSL and uses a fluent-interface design. fluentTQL queries can express various taint-style vulnerability types, e.g. injections, cross-site scripting or path traversal. This paper describes fluentTQL’s abstract and concrete syntax and defines its runtime semantics. The semantics are independent of any underlying analysis and allows evaluation of fluent TQL queries by a variety of taint analyses. Instantiations of fluentTQL, on top of two taint analysis solvers, Boomerang and FlowDroid, show and validate fluent TQL expressiveness. Based on existing examples from the literature, we have used fluentTQL to implement queries for 11 popular security vulnerability types in Java. Using our SQL injection specification, the Boomerang-based taint analysis found all 17 known taint-flows in the OWASP WebGoat application, whereas with FlowDroid 13 taint-flows were found. Similarly, in a vulnerable version of the Java Spring PetClinic application, the Boomerang-based taint analysis found all seven expected taint-flows. In seven real-world Android apps with 25 expected malicious taint-flows, 18 taint-flows were detected. In a user study with 26 software developers, fluentTQL reached a high usability score. In comparison to CodeQL, the state-of-the-art DSL by Semmle/GitHub, participants found fluentTQL more usable and with it they were able to specify taint analysis queries in shorter time.

Fast Graph Simplification for Interleaved-Dyck Reachability

Many program-analysis problems can be formulated as graph-reachability problems. Interleaved Dyck language reachability ( InterDyck -reachability) is a fundamental framework to express a wide variety of program-analysis problems over edge-labeled graphs. The InterDyck language represents an intersection of multiple matched-parenthesis languages (i.e., Dyck languages). In practice, program analyses typically leverage one Dyck language to achieve context-sensitivity, and other Dyck languages to model data dependencies, such as field-sensitivity and pointer references/dereferences. In the ideal case, an InterDyck -reachability framework should model multiple Dyck languages simultaneously . Unfortunately, precise InterDyck -reachability is undecidable. Any practical solution must over-approximate the exact answer. In the literature, a lot of work has been proposed to over-approximate the InterDyck -reachability formulation. This article offers a new perspective on improving both the precision and the scalability of InterDyck -reachability: we aim at simplifying the underlying input graph G . Our key insight is based on the observation that if an edge is not contributing to any InterDyck -paths, we can safely eliminate it from G . Our technique is orthogonal to the InterDyck -reachability formulation and can serve as a pre-processing step with any over-approximating approach for InterDyck -reachability. We have applied our graph simplification algorithm to pre-processing the graphs from a recent InterDyck -reachability-based taint analysis for Android. Our evaluation of three popular InterDyck -reachability algorithms yields promising results. In particular, our graph-simplification method improves both the scalability and precision of all three InterDyck -reachability algorithms, sometimes dramatically.

CSChecker : A binary taint-based vulnerability detection method based on static taint analysis

Abstract Embedded devices such as routers not only bring convenience to people’s daily life, but also increase the attack surface and security risks of devices. Embedded device applications tend to be closed source and therefore cannot be searched for vulnerabilities through source code audits. Even open source applications can be insecure because they reference third-party libraries. Binary file vulnerability mining is an important means to solve this kind of problem, but it has the problems of path explosion and low efficiency. This article uses the static stain analysis with the method of combining the vulnerability characteristics, in the type of stain into classes and class assignment holes for testing. Based on function call graph, this paper uses atomic combinational optimization to detect the vulnerability of router firmware. The prototype tool -- CSChecker is implemented in D-Link, Tenda, the test was carried out on 267 firmware files of Netgear and other well-known brands, and the experimental results showed that the accuracy of CSChecker in the data set reached 92.51%, indicating that CSChecker could effectively search the injection vulnerabilities and assignment vulnerabilities of binary files.

Cefuzz: An Directed Fuzzing Framework for PHP RCE Vulnerability

Current static detection technology for web application vulnerabilities relies highly on specific vulnerability patterns, while dynamic analysis technology has the problem of low vulnerability coverage. In order to improve the ability to detect unknown web application vulnerabilities, this paper proposes a PHP Remote Command/Code Execution (RCE) vulnerability directed fuzzing method. Our method is a combination of static and dynamic methods. First, we obtained the potential RCE vulnerability information of the web application through fine-grained static taint analysis. Then we performed instrumentation for the source code of the web application based on the potential RCE vulnerability information to provide feedback information for fuzzing. Finally, a loop feedback web application vulnerability automatic verification mechanism was established in which the vulnerability verification component provides feedback information, and the seed mutation component improves the vulnerability test seed based on the feedback information. On the basis of this method, the prototype system Cefuzz (Command/Code Execution Fuzzer) is implemented. Thorough experiments show that, compared with the existing web application vulnerability detection methods, Cefuzz significantly improves the verification effect of RCE vulnerabilities, discovering 13 unknown vulnerabilities in 10 popular web CMSes.

Automatic protocol reverse engineering for industrial control systems with dynamic taint analysis

Automatic protocol reverse engineering for industrial control systems with dynamic taint analysis

Only pay for what you need: Detecting and removing unnecessary TEE-based code

A Trusted Execution Environment (TEE) provides an isolated hardware environment for sensitive code and data to protect a system’s integrity and confidentiality. As we discovered, programmers tend to overuse TEE protection. When they place non-sensitive code in TEE, the trusted computing base (TCB) grows unnecessarily, leading to long execution latencies and large attack surfaces. To address this problem, we first study a representative sample of open-source projects to uncover how TEE is utilized in real-world software. To facilitate the process of removing non-sensitive code from TEE, we introduce TEE Insourcing, a new type of software refactoring that identifies and removes the unnecessary program parts out of TEE. We implemented TEE Insourcing as the TEE-DRUP framework, which operates in three phases: (1) a variable sensitivity analysis designates each variable as sensitive or non-sensitive; (2) a TEE-aware taint analysis identifies non-sensitive TEE-based functions; (3) a fully-declarative program transformation automatically moves these functions out of TEE. Our evaluation demonstrates that our approach is correct, effective, and usable. By deploying TEE-DRUP to discover and remove the unnecessary TEE code, programmers can both reduce the TCB’s size and improve system performance.

Explaining Static Analysis With Rule Graphs

As static data-flow analysis becomes able to report increasingly complex bugs, using an evergrowing set of complex internal rules encoded into flow functions, the analysis tools themselves grow more and more complex. In result, for users to be able to effectively use those tools on specific codebases, they require special configurations—a task which in industry is typically performed by individual developers or dedicated teams. To efficiently use and configure static analysis tools, developers need to build a certain understanding of the analysis’ rules, i.e., how the underlying analyses interpret the analyzed code and their reasoning for reporting certain warnings. In this article, we explore how to assist developers in understanding the analysis’ warnings, and finding weaknesses in the analysis’ rules. To this end, we introduce the concept of <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">rule graphs</i> that expose to the developer selected information about the internal rules of data-flow analyses. We have implemented rule graphs on top of a taint analysis, and show how the graphs can support the abovementioned tasks. Our user study and empirical evaluation show that using rule graphs helps developers understand analysis warnings more accurately than using simple warning traces, and that rule graphs can help developers identify causes for false positives in analysis rules.

Ethereum Smart Contract Analysis Tools: A Systematic Review

Blockchain technology and its applications are gaining popularity day by day. It is a ground-breaking technology that allows users to communicate without the need of a trusted middleman. A smart contract (self-executable code) is deployed on the blockchain and auto executes due to a triggering condition. In a no-trust contracting environment, smart contracts can establish trust among parties. Terms and conditions embedded in smart contracts will be imposed immediately when specified criteria have been fulfilled. Due to this, the malicious assailants have a special interest in smart contracts. Blockchains are immutable means if some transaction is deployed or recorded on the blockchain, it becomes unalterable. Thus, smart contracts must be analyzed to ensure zero security vulnerabilities or flaws before deploying the same on the blockchain because a single vulnerability can lead to the loss of millions. For analyzing the security vulnerabilities of smart contracts, various analysis tools have been developed to create safe and secure smart contracts. This paper presents a systematic review on Ethereum smart contracts analysis tools. Initially, these tools are categorized into static and dynamic analysis tools. Thereafter, different sources code analysis techniques are studied such as taint analysis, symbolic execution, and fuzzing techniques. In total, 86 security analysis tools developed for Ethereum blockchain smart contract are analyzed regardless of tool type and analysis approach. Finally, the paper highlights some challenges and future recommendations in the field of Ethereum smart contracts.

Hybrid Static-Dynamic Analysis of Data Races Caused by Inconsistent Locking Discipline in Device Drivers

Data races are often hard to detect in device drivers. According to our study of Linux driver patches that fix data races, about 39% of patches involve a pattern that we call <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">inconsistent locking discipline</i> . Specifically, if a variable is accessed within two concurrently executed functions, the sets of locks held around each access are disjoint, at least one of the locksets is non-empty, and at least one of the involved accesses is a write, then a data race may occur. In this paper, we present a hybrid static-dynamic analysis approach, named SDILP, to detect data races caused by inconsistent locking discipline in device drivers. SDILP has a dynamic lockset analysis to detect data races at runtime, and a static lockset analysis to detect more data races based on the dynamic-analysis results. It also performs a static taint analysis to reduce the number of variable accesses monitored by the dynamic analysis. Compared to our previous dynamic approach DILP (Chen et al., 2019), introducing static analysis allows SDILP to achieve better performance and find more data races. We evaluate SDILP on 12 drivers in Linux 5.4, and find 117 real data races, 50 of which have been confirmed by driver developers.

ISmart: Protecting Smart Contract Against Integer Bugs

Blockchain technology is known as a decentralized, distributed ledger that records digital asset. It has been applied in numbers of aspects of society, including finance, judiciary and commerce. Ethereum is referred to as the next generation decentralized application platform. It is one of the most popular blockchain platforms that supports smart contracts. Smart contract is a set of codes that sored on blockchain and can be called and created as turing-complete programs running on the blockchain. Developers use smart contracts to build decentralized applications (Dapp) which has widely used cryptocurrency related project. As smart contracts become more popular and more valuable, they are faced with more risk of being hacked. As a result that smart contracts cannot be modified once deployed on the blockchain, it is a great challenge to fix and update deployed vulnerable contract which can lead to a huge loss of cryptocurrency and financial disorder. In this paper, we focus on Integer Bugs in Ethereum Smart Contracts and present ISmart, which protects deployed smart contracts against attacks caused by Integer Bugs. We implemented ISmart based on go-ethereum, a Ethereum client written in Go, by adding a simplified taint analysis component. In our preliminary, ISmart can prevent attacks accurately with little runtime overhead.

Irbis: статический анализатор помеченных данных для поиска уязвимостей в программах на C/C++

Static taint analysis can be used to find various security weaknesses and vulnerabilities in programs by discovering dataflow paths from taint sources to taint sinks. In most cases the data is called ”tainted” if it was obtained from an untrusted source without proper sanitization. In this paper we present a static taint analyzer Irbis. It implements analysis based on IFDS (Interprocedural Finite Distributive Subset) dataflow problem, as well as various extensions aimed at improving accuracy and completeness of the analysis. It supports different definitions of tainted data, which enables it to find such weaknesses as out of buffer access, use of freed memory, hardcoded passwords, data leaks and discover dataflow paths between user-defined sources and sinks. All sources, sinks and propagators definitions are stored in JSON format and can be adjusted to meet the users’ needs. We compare analysis results on Juliet Test Suite for C/C++ with several other analyzers, such as Infer, Clang Static Analyzer and Svace. Irbis manages to demonstrate 100% coverage on taint-related subset of tests for implemented CWEs, while suppressing all the false positives using heuristics. We also show performance and false positive rate on real projects, with examples of real vulnerabilities, which can be detected by Irbis.

A mutation framework for evaluating security analysis tools in IoT applications

SummaryWith the growing and widespread use of Internet of Things (IoT) in our daily life, its security is becoming more crucial. To ensure information security, we require better security analysis tools for IoT applications. Hence, this paper presents an automated framework to evaluate taint‐flow analysis tools in the domain of IoT applications. First, we propose a set of mutational operators tailored to evaluate three types of sensitivity analysis, flow, path and context sensitivity. Then we developed mutators to automatically generate mutants for those types. We demonstrated the framework on a subset of mutational operators to evaluate three taint‐flow analysers, SaINT, Taint‐Things and FlowsMiner. Our framework and experiments ranked the taint analysis tools according to precision and recall as follows: Taint‐Things (99% recall, 100% precision), FlowsMiner (100% recall, 87.6% precision) and SaINT (100% recall, 56.8% precision). To the best of our knowledge, our framework is the first framework to address the need for evaluating taint‐flow analysis tools and specifically those developed for IoT SmartThings applications.

SAMLDroid: A Static Taint Analysis and Machine Learning Combined High-Accuracy Method for Identifying Android Apps with Location Privacy Leakage Risks.

Insecure applications (apps) are increasingly used to steal users’ location information for illegal purposes, which has aroused great concern in recent years. Although the existing methods, i.e., static and dynamic taint analysis, have shown great merit for identifying such apps, which mainly rely on statically analyzing source code or dynamically monitoring the location data flow, identification accuracy is still under research, since the analysis results contain a certain false positive or true negative rate. In order to improve the accuracy and reduce the misjudging rate in the process of vetting suspicious apps, this paper proposes SAMLDroid, a combined method of static code analysis and machine learning for identifying Android apps with location privacy leakage, which can effectively improve the identification rate compared with existing methods. SAMLDroid first uses static analysis to scrutinize source code to investigate apps with location acquiring intentions. Then it exploits a well-trained classifier and integrates an app’s multiple features to dynamically analyze the pattern and deliver the final verdict about the app’s property. Finally, it is proved by conducting experiments, that the accuracy rate of SAMLDroid is up to 98.4%, which is nearly 20% higher than Apparecium.

TaintBench: Automatic real-world malware benchmarking of Android taint analyses

Due to the lack of established real-world benchmark suites for static taint analyses of Android applications, evaluations of these analyses are often restricted and hard to compare. Even in evaluations that do use real-world apps, details about the ground truth in those apps are rarely documented, which makes it difficult to compare and reproduce the results. To push Android taint analysis research forward, this paper thus recommends criteria for constructing real-world benchmark suites for this specific domain, and presents TaintBench, the first real-world malware benchmark suite with documented taint flows. TaintBench benchmark apps include taint flows with complex structures, and addresses static challenges that are commonly agreed on by the community. Together with the TaintBench suite, we introduce the TaintBench framework, whose goal is to simplify real-world benchmarking of Android taint analyses. First, a usability test shows that the framework improves experts’ performance and perceived usability when documenting and inspecting taint flows. Second, experiments using TaintBench reveal new insights for the taint analysis tools Amandroid and FlowDroid: (i) They are less effective on real-world malware apps than on synthetic benchmark apps. (ii) Predefined lists of sources and sinks heavily impact the tools’ accuracy. (iii) Surprisingly, up-to-date versions of both tools are less accurate than their predecessors.

Towards Automatic Detection of Nonfunctional Sensitive Transmissions in Mobile Applications

While mobile apps often need to transmit sensitive information out to support various functionalities, they may also abuse the privilege by leaking the data to unauthorized third parties. This makes us question: Is the given transmission required to fulfill the app functionality? In this paper, we make the first attempt to automatically identify suspicious transmissions from app visual interfaces, including app names, descriptions, and user interfaces. We design and implement a novel framework called FlowIntent to detect nonfunctional transmissions at both software and network levels. During the exercising of the given apps, FlowIntent automatically detects privacy-sharing transmissions and determines their purposes by utilizing the fact that mobile users rely on visible app interface to perceive the functionality of the app at certain context. The characterizations of nonfunctional network traffic are then summarized to provide network level protection. FlowIntent not only reduces the false alarms caused by traditional taint analysis, but also captures the sensitive transmissions missed by widely-used taint analysis system TaintDroid. Evaluation using 2125 sharing flows collected from more than a thousand running instances shows that our approach achieves about 94 percent accuracy in detecting nonfunctional transmissions.

Exploring the use of static and dynamic analysis to improve the performance of the mining sandbox approach for android malware identification

The popularization of the Android platform and the growing number of Android applications (apps) that manage sensitive data turned the Android ecosystem into an attractive target for malicious software. For this reason, researchers and practitioners have investigated new approaches to address Android’s security issues, including techniques that leverage dynamic analysis to mine Android sandboxes. The mining sandbox approach consists in running dynamic analysis tools on a benign version of an Android app. This exploratory phase records all calls to sensitive APIs. Later, we can use this information to (a) prevent calls to other sensitive APIs (those not recorded in the exploratory phase) or (b) run the dynamic analysis tools again in a different version of the app. During this second execution of the fuzzing tools, a warning of possible malicious behavior is raised whenever the new version of the app calls a sensitive API not recorded in the exploratory phase.The use of a mining sandbox approach is an effective technique for Android malware analysis, as previous research works revealed. Particularly, existing reports present an accuracy of almost 70% in the identification of malicious behavior using dynamic analysis tools to mine android sandboxes. However, although the use of dynamic analysis for mining Android sandboxes has been investigated before, little is known about the potential benefits of combining static analysis with a mining sandbox approach for identifying malicious behavior. Accordingly, in this paper we present the results of two studies that investigate the impact of using static analysis to complement the performance of existing dynamic analysis tools tailored for mining Android sandboxes, in the task of identifying malicious behavior.In the first study we conduct a non-exact replication of a previous study (hereafter BLL-Study) that compares the performance of test case generation tools for mining Android sandboxes. Differently from the original work, here we isolate the effect of an independent static analysis component (DroidFax) they used to instrument the Android apps in their experiments. This decision was motivated by the fact that DroidFax could have influenced the efficacy of the dynamic analyses tools positively—through the execution of specific static analysis algorithms DroidFax also implements. In our second study, we carried out a new experiment to investigate the efficacy of taint analysis algorithms to complement the mining sandbox approach previously used to identify malicious behavior. To this end, we executed the FlowDroid tool to mine the source–sink flows from benign/malign pairs of Android apps used in a previous research work.Our study brings several findings. For instance, the first study reveals that DroidFax alone (static analysis) can detect 43.75% of the malwares in the BLL-Study dataset, contributing substantially in the performance of the dynamic analysis tools in the BLL-Study. The results of the second study show that taint analysis is also practical to complement the mining sandboxes approach, with a performance similar to that reached by dynamic analysis tools.