D2Taint: Differentiated and dynamic information flow tracking on smartphones for numerous data sources

Gu, Boxuan; Li, Xinfeng; Li, Gang; Champion, Adam C.; Chen, Zhezhe; Qin, Feng; Xuan, Dong

doi:10.1109/infcom.2013.6566866

Cited by 11 publications

(10 citation statements)

References 16 publications

(17 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…RELATED WORK In response to the widespread popularity of smartphones, much attention has been paid in studying application security and user privacy related issues. Extensive security analysis on smartphone apps has been carried out and can be categorized into permission analysis, static analysis, and dynamic analysis [3], [5], [6], [10], [13], [15], [26]- [31].…”

Section: Discussionmentioning

confidence: 99%

“…TaintDroid [3] tracks the flow of privacy sensitive data and reports when sensitive data leaves the system via interfaces such as network connections. D2Taint [15] tracks detailed private leakage sources at runtime in multiple classes and detects leakages from any of these sources rapidly. Agarwal et al [11] proposes ProtectMyPrivacy (PMP) which utilizes a crowdsourcing based mechanism to help users decide proper privacy settings for iOS apps.…”

Section: Discussionmentioning

confidence: 99%

“…Existing study [4]- [6], [9], [12]- [14] is mostly on the static aspects of apps' permissions. TaintDroid [3] and D2Taint [15] can be used to log the leaking activities but the papers did not focus on a systematic study on the destinations, frequencies and types of apps' run-time privacy leakages. Second, the consequences of such leakage, especially when an advertiser gathers such private data from many users and across many apps, is not known either.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Towards Understanding the Advertiser's Perspective of Smartphone User Privacy

Wang

Chen

et al. 2015

2015 IEEE 35th International Conference on Distributed Computing Systems

View full text Add to dashboard Cite

Abstract-Many smartphone apps routinely gather various private user data and send them to advertisers. Despite recent study on protection mechanisms and analysis on apps' behavior, the understanding about the consequences of such privacy losses remains limited. In this paper we investigate how much an advertiser can infer about users' social and community relationships by combining data from multiple applications and across many users. After one month's user study involving about 200 most popular Android apps, we find that an advertiser can infer 90% of the social relationships. We further propose a privacy leakage inference framework and use real mobility traces and Foursquare data to quantify the consequences of privacy leakage. We find that achieving 90% inference accuracy of the social and community relationships requires merely 3 weeks' user data. The discoveries underscore the importance of early adoption of privacy protection mechanisms.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Towards Understanding the Advertiser's Perspective of Smartphone User Privacy

Wang

Chen

et al. 2015

2015 IEEE 35th International Conference on Distributed Computing Systems

View full text Add to dashboard Cite

show abstract

“…DIFT has been shown to be effective in protecting systems against several softwarebased attacks, including leakage of information [23] and code injection [24]. DIFT is now implemented on different types of architectures [19], [25], including smartphones [23], [26]. Most of the approaches on hardware-based DIFT focused only on securing processor cores and the associated logic, i.e., tightly coupled accelerators, memories and communication channels.…”

Section: Introductionmentioning

confidence: 99%

PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators

Piccolboni

Guglielmo

Carloni

2018

IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst.

View full text Add to dashboard Cite

Software-based attacks exploit bugs or vulnerabilities to get unauthorized access or leak confidential information. Dynamic information flow tracking (DIFT) is a security technique to track spurious information flows and provide strong security guarantees against such attacks. To secure heterogeneous systems, the spurious information flows must be tracked through all their components, including processors, accelerators (i.e., applicationspecific hardware components) and memories. We present PAGU-RUS, a flexible methodology to design a low-overhead shell circuit that adds DIFT support to accelerators. The shell uses a coarsegrain DIFT approach, thus not requiring to make modifications to the accelerator's implementation. We analyze the performance and area overhead of the DIFT shell on FPGAs and we propose a metric, called information leakage, to measure its security guarantees. We perform a design-space exploration to show that we can synthesize accelerators with different characteristics in terms of performance, cost and security guarantees. We also present a case study where we use the DIFT shell to secure an accelerator running on a embedded platform with a DIFT-enhanced RISC-V core.

show abstract

“…In [2] Enck et al presented TaintDroid and exposed the threat, proving by example, that more than a third of the most popular applications available on Google Play are responsible for sensitive information leakage. More recently Gu et al presented in [3] D2taint a system able to track system data flows for Java code at the variable level, similar to 1 what TaintDroid does. D2taint goes further than TaintDroid since its tagging strategy permits numerous information sources in multiple classes at runtime.…”

Section: Introductionmentioning

confidence: 99%

Information flow policies vs malware

Andriatsimandefitra

Saliou²

2013

2013 9th International Conference on Information Assurance and Security (IAS)

View full text Add to dashboard Cite

Application markets offer more than 700'000 applications: music, movies, games or small tools. It appears more and more difficult to propose an automatic and systematic method to analyse all of these applications. Google Bouncer [1] tries to keep malicious applications out of Google Play by analysing uploaded applications to find known malware and malicious behaviours. However, Google Bouncer suffers from the same drawbacks of usual scan methods: it is inefficient to detect unknown malicious behaviour and it may be costly. In this paper we propose another method to efficiently detect malicious actions of applications. Our proposal consists in a new scheme of submitting applications to market place and installing applications on the device. More precisely, applications are uploaded with a companion information flow policy. A companion policy exactly describes where data used by the application can flow. The policies are studied for acceptance by reviewers. Accepted policies are certified by the market and are made publicly available. When a user acquires an application, he has to retrieve the certified version of its companion flow policy. The companion policy of the application is composed with the current flow policy enforced in the system. The application is then monitored and each time the monitor detects an information flow not allowed in the composed flow policy it raises an alert or blocks the information flow. This way, only applications respecting an official policy accepted by the market can efficiently run.

show abstract

D2Taint: Differentiated and dynamic information flow tracking on smartphones for numerous data sources

Cited by 11 publications

References 16 publications

Towards Understanding the Advertiser's Perspective of Smartphone User Privacy

Towards Understanding the Advertiser's Perspective of Smartphone User Privacy

PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators

Information flow policies vs malware

Contact Info

Product

Resources

About