Abstract
Dynamic taint analysis is a well-known information flow analysis problem with many possible applications. Taint tracking allows for analysis of application data flow by assigning labels to data, and then propagating those labels through data flow. Taint tracking systems traditionally compromise among performance, precision, soundness, and portability. Performance can be critical, as these systems are often intended to be deployed to production environments, and hence must have low overhead. To be deployed in security-conscious settings, taint tracking must also be sound and precise. Dynamic taint tracking must be portable in order to be easily deployed and adopted for real world purposes, without requiring recompilation of the operating system or language interpreter, and without requiring access to application source code.
We present Phosphor, a dynamic taint tracking system for the Java Virtual Machine (JVM) that simultaneously achieves our goals of performance, soundness, precision, and portability. Moreover, to our knowledge, it is the first portable general purpose taint tracking system for the JVM. We evaluated Phosphor's performance on two commonly used JVM languages (Java and Scala), on two successive revisions of two commonly used JVMs (Oracle's HotSpot and OpenJDK's IcedTea) and on Android's Dalvik Virtual Machine, finding its runtime overhead to be impressively low: as low as 3% (53% on average; 220% at worst) using the DaCapo macro benchmark suite. This paper describes our approach toward achieving portable taint tracking in the JVM.
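The abstract describes taint tracking as assigning labels to data and propagating them through data flow. The Java sketch below is an added illustration of that idea, written for this page; it is not Phosphor's code and does not reproduce the paper's bytecode instrumentation. Each value carries a shadow label (an int bitmask), every operation ORs its inputs' labels into its result, and a sink checks the label before acting. All class names, label bits and inputs are constructed for the example.

```java
import java.util.Objects;

/**
 * Added illustration (not Phosphor's code): a hand-instrumented sketch of
 * dynamic taint tracking. Every value is paired with a shadow label; results
 * inherit the union of their inputs' labels; sinks enforce a policy on labels.
 */
public class TaintDemo {

    // Constructed label bits: each bit names one source of untrusted data.
    static final int UNTAINTED = 0;
    static final int FROM_HTTP_PARAM = 1 << 0;
    static final int FROM_CONFIG_FILE = 1 << 1;

    /** A value together with its shadow taint label. */
    static final class Tainted<T> {
        final T value;
        final int label;
        Tainted(T value, int label) {
            this.value = Objects.requireNonNull(value);
            this.label = label;
        }
        @Override public String toString() { return value + " [label=" + label + "]"; }
    }

    // --- sources: data entering from outside is labelled on entry -----------
    static Tainted<String> readHttpParam(String raw) {
        return new Tainted<>(raw, FROM_HTTP_PARAM);
    }
    static Tainted<Integer> readConfigInt(int raw) {
        return new Tainted<>(raw, FROM_CONFIG_FILE);
    }

    // --- propagation: a result's label is the union of its inputs' labels ---
    static Tainted<String> concat(Tainted<String> a, Tainted<String> b) {
        return new Tainted<>(a.value + b.value, a.label | b.label);
    }
    static Tainted<Integer> add(Tainted<Integer> a, Tainted<Integer> b) {
        return new Tainted<>(a.value + b.value, a.label | b.label);
    }
    static Tainted<Integer> length(Tainted<String> s) {
        // A value derived from a single input keeps that input's label.
        return new Tainted<>(s.value.length(), s.label);
    }

    // --- sink: a policy decides which labels may reach it -------------------
    static final class TaintViolation extends RuntimeException {
        TaintViolation(String msg) { super(msg); }
    }
    /** Returns the raw value, or refuses it if any forbidden label bit is set. */
    static <T> T checkSink(String sinkName, Tainted<T> v, int forbidden) {
        if ((v.label & forbidden) != 0) {
            throw new TaintViolation(sinkName + " received tainted data: " + v);
        }
        return v.value;
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for a request parameter and a config value.
        Tainted<String> user = readHttpParam("alice");
        Tainted<String> prefix = new Tainted<>("user=", UNTAINTED);
        Tainted<Integer> limit = readConfigInt(10);

        Tainted<String> query = concat(prefix, user);   // label: FROM_HTTP_PARAM
        Tainted<Integer> n = add(length(user), limit);  // label: HTTP | CONFIG

        // The log sink accepts config-derived data but not raw request data.
        System.out.println("log sink: " + checkSink("log", limit, FROM_HTTP_PARAM));
        try {
            checkSink("sql", query, FROM_HTTP_PARAM);
        } catch (TaintViolation e) {
            System.out.println("blocked: " + e.getMessage());
        }
        System.out.println("n = " + n);
    }
}
```

The point the abstract makes about precision shows up in the labels: `n` carries both source bits because it was computed from both a request value and a config value, while `limit` alone still passes the log sink. A real system must do this propagation for every bytecode that moves or combines data, which is where the performance, soundness and portability trade-offs the abstract lists come from.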
Phosphor: Illuminating Dynamic Data Flow in Commodity JVMs
Published in OOPSLA '14: Proceedings of the 2014 ACM International Conference on Object Oriented Programming Systems Languages & Applications