Taint Propagation Analysis and Dynamic Verification with Information Flow Policy
Abstract:

In this paper, based on a flow- and context-sensitive information-flow analysis over SSA (static single assignment) form, a fine-grained and scalable approach to taint propagation analysis is proposed. It not only tracks tainted data and its propagation path, with both control-flow and data-flow properties, but also detects vulnerabilities such as buffer overflows and format string bugs. During the analysis, the pieces of code considered vulnerable are instrumented with dynamic verification routines, so that runtime security is guaranteed without user intervention. The analysis system is implemented as an extension of the GCC compiler, and the experiments have shown that the approach is efficient, achieving both good accuracy and acceptable time and space cost.
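The following toy is an added illustration of the approach the abstract describes, not the paper's GCC extension: it propagates taint over a constructed SSA-form program, recording the propagation path through data flow and phi merges, flags sinks reached by tainted data, and inserts a runtime verification routine before each flagged sink. The statement tuple format, the source and sink sets, and the `verify_<sink>` routine names are all assumptions made for the example.

```python
# Constructed toy of SSA-based taint propagation; not the paper's GCC extension.
# A statement is (dest, op, args). Sources taint their result; any other
# statement, including a phi (control-flow merge), is tainted when an operand is.
SOURCES = {"read_input", "getenv"}          # assumed taint sources
SINKS = {"printf": 0, "strcpy": 1}          # sink -> index of sensitive argument

def propagate(stmts):
    """Return (taint, findings): taint maps SSA name -> propagation path
    (source first); findings lists (sink op, tainted arg, path) per sink."""
    taint, findings = {}, []
    for dest, op, args in stmts:
        if op in SOURCES:
            taint[dest] = [dest]
            continue
        if op in SINKS:
            idx = SINKS[op]
            if idx < len(args) and args[idx] in taint:
                findings.append((op, args[idx], taint[args[idx]]))
        # data-flow and phi propagation: first tainted operand supplies the path
        for a in args:
            if dest is not None and a in taint:
                taint[dest] = taint[a] + [dest]
                break
    return taint, findings

def instrument(stmts, findings):
    """Insert a runtime verification call before every sink the static pass
    flagged; the verify_<sink> routine names are assumed for the example."""
    flagged = {(op, arg) for op, arg, _ in findings}
    out = []
    for stmt in stmts:
        dest, op, args = stmt
        if op in SINKS and SINKS[op] < len(args) and (op, args[SINKS[op]]) in flagged:
            out.append((None, "verify_" + op, [args[SINKS[op]]]))
        out.append(stmt)
    return out

# Constructed SSA-form program with one merge point and three sinks.
PROGRAM = [
    ("s_1", "read_input", []),          # s_1 = read_input()   -> tainted
    ("t_1", "strdup", ["s_1"]),         # data flow through a library call
    ("c_1", "const", []),               # untainted string literal
    ("s_2", "phi", ["c_1", "t_1"]),     # merge of two control-flow paths
    (None, "printf", ["s_2"]),          # format-string sink, argument tainted
    (None, "strcpy", ["buf", "c_1"]),   # safe copy: source operand untainted
    (None, "strcpy", ["buf", "t_1"]),   # buffer-overflow sink, source tainted
]
```

Running `propagate(PROGRAM)` reports the `printf` and the second `strcpy`, each with the SSA path the taint travelled; `instrument` then places a check immediately before those two statements only.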

Citation: 黄强 (Huang Q), 曾庆凯 (Zeng QK). Taint propagation analysis and dynamic verification with information flow policy. 软件学报 (Journal of Software), 2011, 22(9): 2036-2048.

History
  • Received: January 04, 2010
  • Revised: March 03, 2010