
System, Method and Apparatus for Automatic Coarsening of Memory Locations for Efficient Dynamic Taint Tracking

IP.com Disclosure Number: IPCOM000240262D
Publication Date: 2015-Jan-19
Document File: 3 page(s) / 75K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a solution applied within software security analysis to identify instances in which different memory locations behave in a correlated way with respect to the taint property. The process can reduce the overhead associated with taint tracking.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.


Software security analysis is often implemented as taint analysis [1]. The security specification consists of three sets of statements: sources, sinks, and sanitizers. Sources are statements that read user-provided data, sinks are statements that perform security-sensitive operations, and sanitizers are statements that transform potentially malicious user-provided values into benign ones. Security analysis thus reduces to a reachability problem: the analysis determines whether there are flows from a source to a sink that do not pass through a sanitizer.

Static taint analysis has three main limitations. First, some program constructs and behaviors are not amenable to accurate static modeling (e.g., accesses to backend databases, file system accesses, reflection). Second, because static taint analysis must run on top of a finite abstraction of the program's memory (so that it converges), it has to approximate when tracking data values, which is a further source of imprecision. Finally, for large-scale (and even medium-scale) applications, the analysis often runs into scalability problems, which are typically addressed either at the expense of even more accuracy or by sacrificing the soundness of the analysis.

The alternative to static taint analysis is dynamic enforcement of security properties via taint tracking. The main advantage of the dynamic approach is that it avoids the accuracy problems of static analysis, since it observes the concrete execution instead of an abstraction of it. At the same time, however, it carries a significant penalty: the target application is slowed down by the runtime overhead of the taint-related instrumentation.

Specifically, because dynamic taint tracking must maintain a taint label for every memory location, including every local variable, array element, and object field, and update it on every write, the tracking overhead easily becomes prohibitive.

This solution addresses the challenge of reducing the instrumentation overhead of dynamic taint tracking. The key idea is to identify memory locations that behave in a correlated way with respect to the taint property and to coarsen them into a single tracked location, as the following example (in Java syntax) illustrates:

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

void echoUserProperties(HttpServletRequest request, HttpServletResponse response) throws IOException {
    String username = request.getParameter("name"); // SOURCE: attacker-controlled input
    String[] userProperties = new String[4];
    // Every element receives the same untrusted value in the same loop.
    for (int i = 0; i < userProperties.length; ++i) {
        userProperties[i] = userProperties[i] + ":" + username;
    }
    for (int i = 0; i < userProperties.length; ++i) {
        response.getWriter().write(userProperties[i]); // SINK: reflected into the response
    }
}

In this example, all elements of array userProperties undergo tainting together within the first loop, which appends the untrusted value stored in variable username to each of the strings in userProperties. This correlated tainting behavior o...
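The following toy taint tracker, added here as an illustration and not taken from the disclosure, shows the mechanism behind the example above in working form: a profiling run with one shadow cell per location records, for each location, the sequence of (program point, taint value) updates; array elements of the same array with identical histories are then coarsened into one shared shadow cell, and the re-run reports the same sink violations with fewer cells and fewer shadow writes. The "program" is a hand-written replay of the taint events of the Java snippet (constructed, no JVM involved); the location names, the sanitize-one-element variant, and the `misapplied_coarsening` check are assumptions of this example, not part of the original text.

```python
"""Toy dynamic taint tracker with automatic coarsening of correlated
memory locations.  Added example, not code from the disclosure; the
analysed "program" is a constructed replay of the Java snippet."""
from collections import defaultdict


class TaintTracker:
    """Shadow memory with one taint bit per (possibly coarsened) location.

    `coarsen` maps a fine-grained location to the representative whose
    shadow cell it shares; the identity map gives ordinary per-location
    tracking.  Updates are also logged per fine-grained location so that a
    profiling run can later be mined for correlated locations."""

    def __init__(self, coarsen=None):
        self.coarsen = coarsen or (lambda loc: loc)
        self.shadow = {}                     # representative -> bool
        self.history = defaultdict(list)     # loc -> [(program point, taint)]
        self.shadow_writes = 0               # cost metric: shadow cells changed
        self.leaks = []                      # (sink site, location) pairs

    def _set(self, loc, tainted, site):
        rep = self.coarsen(loc)
        if self.shadow.get(rep, False) != tainted:
            self.shadow[rep] = tainted
            self.shadow_writes += 1
        self.history[loc].append((site, tainted))

    def get(self, loc):
        return self.shadow.get(self.coarsen(loc), False)

    def source(self, loc, site):             # e.g. request.getParameter(...)
        self._set(loc, True, site)

    def assign(self, dst, srcs, site):       # dst = f(srcs): taint is the OR
        self._set(dst, any(self.get(s) for s in srcs), site)

    def sanitize(self, loc, site):           # e.g. an HTML-escaping call
        self._set(loc, False, site)

    def sink(self, loc, site):               # e.g. response.getWriter().write
        if self.get(loc):
            self.leaks.append((site, loc))


def run_program(t, sanitize_index=None):
    """Replays the snippet: SOURCE, loop tainting every element, SINK loop.
    `sanitize_index` is a constructed variant that escapes one element
    before the sink, so that element no longer moves in step with the rest."""
    t.source("username", "getParameter")
    for i in range(4):
        elem = ("userProperties", i)
        t.assign(elem, [elem, "username"], "loop1")
    if sanitize_index is not None:
        t.sanitize(("userProperties", sanitize_index), "escape")
    for i in range(4):
        t.sink(("userProperties", i), "loop2")


def infer_coarsening(history):
    """Automatic coarsening: elements of the same array whose recorded
    (program point, taint) histories are identical were tainted together,
    so they can share a single shadow cell.  Returns the `coarsen` map."""
    classes = defaultdict(list)
    for loc, hist in history.items():
        if isinstance(loc, tuple):           # (array name, index)
            classes[(loc[0], tuple(hist))].append(loc)
    rep = {}
    for (base, _), locs in classes.items():
        if len(locs) > 1:
            group = (base, "group", min(i for _, i in locs))
            for loc in locs:
                rep[loc] = group
    return lambda loc: rep.get(loc, loc)


def profile_then_coarsen(sanitize_index=None):
    """Profile with per-location tracking, mine the profile for correlated
    locations, then re-run with the coarsened shadow memory."""
    fine = TaintTracker()
    run_program(fine, sanitize_index)
    coarse = TaintTracker(infer_coarsening(fine.history))
    run_program(coarse, sanitize_index)
    return fine, coarse


def misapplied_coarsening():
    """Caveat: a grouping mined from one path is only valid for runs that
    preserve the correlation.  Reusing the grouping learned from the
    unsanitized run on the sanitize-one-element variant clears the whole
    group's shadow bit, so the three real leaks go unreported."""
    fine = TaintTracker()
    run_program(fine)                        # profile without sanitization
    coarse = TaintTracker(infer_coarsening(fine.history))
    run_program(coarse, sanitize_index=0)    # different path at runtime
    return len(coarse.leaks)


if __name__ == "__main__":
    fine, coarse = profile_then_coarsen()
    print("fine:   cells", len(fine.shadow), "writes", fine.shadow_writes,
          "leaks", len(fine.leaks))
    print("coarse: cells", len(coarse.shadow), "writes", coarse.shadow_writes,
          "leaks", len(coarse.leaks))
    print("misapplied coarsening reports", misapplied_coarsening(), "leaks")
```

For the unmodified snippet the fine-grained run needs five shadow cells and five shadow writes and reports four leaks; the coarsened run reports the same four leaks with two cells and two writes, because after the first iteration the group's bit is already set. In the variant that escapes element 0, that element's history differs from the others, so it keeps its own cell and the three remaining leaks are still reported. The last function shows why the grouping must be derived from (or validated against) the paths the program actually takes: a grouping that a later execution violates turns one sanitizer call into a false negative for the whole group.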