Explicit Secrecy: A Policy for Taint Tracking

Schoepe, Daniel; Balliu, Musard; Pierce, Benjamin C.; Sabelfeld, Andrei

doi:10.1109/eurosp.2016.14

Cited by 31 publications

(27 citation statements)

References 51 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Motivated by the root cause of OIVs, our abstraction overapproximates operations over primitive types and focuses on tracking the propagation of object locations from sensitive sinks to attack triggers. Our symbolic analysis combines aliases' computation with taint tracking [37], [38] using a store-based abstraction of the heap [26]. We present the key features of the analysis implemented in SerialDetector via examples and principled rules underpinning our algorithms.…”

Section: B Intra-procedural Dataflow Analysismentioning

confidence: 99%

SerialDetector: Principled and Practical Exploration of Object Injection Vulnerabilities for the Web

Shcherbakov

Balliu

2021

Proceedings 2021 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

The last decade has seen a proliferation of codereuse attacks in the context of web applications. These attacks stem from Object Injection Vulnerabilities (OIV) enabling attacker-controlled data to abuse legitimate code fragments within a web application's codebase to execute a code chain (gadget) that performs malicious computations, like remote code execution, on attacker's behalf. OIVs occur when untrusted data is used to instantiate an object of attacker-controlled type with attacker-chosen properties, thus triggering the execution of code available but not necessarily used by the application. In the web application domain, OIVs may arise during the process of deserialization of client-side data, e.g., HTTP requests, when reconstructing the object graph that is subsequently processed by the backend applications on the server side. This paper presents the first systematic approach for detecting and exploiting OIVs in .NET applications including the framework and libraries. Our key insight is: The root cause of OIVs is the untrusted information flow from an application's public entry points (e.g., HTTP request handlers) to sensitive methods that create objects of arbitrary types (e.g., reflection APIs) to invoke methods (e.g., native/virtual methods) that trigger the execution of a gadget. Drawing on this insight, we develop and implement SerialDetector, a taint-based dataflow analysis that discovers OIV patterns in .NET assemblies automatically. We then use these patterns to match publicly available gadgets and to automatically validate the feasibility of OIV attacks. We demonstrate the effectiveness of our approach by an indepth evaluation of a complex production software such as the Azure DevOps Server. We describe the key threat models and report on several remote code execution vulnerabilities found by SerialDetector, including three CVEs on Azure DevOps Server. We also perform an in-breadth security analysis of recent publicly available CVEs. Our results show that SerialDetector can detect OIVs effectively and efficiently. We release our tool publicly to support open science and encourage researchers and practitioners explore the topic further.

show abstract

Section: B Intra-procedural Dataflow Analysismentioning

confidence: 99%

SerialDetector: Principled and Practical Exploration of Object Injection Vulnerabilities for the Web

Shcherbakov

Balliu

2021

Proceedings 2021 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

show abstract

“…Soundness of Taint. While a large body of work has been concerned with relating security properties to information-flow control policies [16], [25], [41], only recently a soundness criterion has been proposed specifically for taint tracking [45]. This and other traditional soundness reasoning frameworks on information flow are defined with respect to some operational semantics [47].…”

Section: Related Workmentioning

confidence: 99%

One Engine To Serve 'em All: Inferring Taint Rules Without Architectural Semantics

Chua¹,

Wang²,

Baluta³

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Dynamic binary taint analysis has wide applications in the security analysis of commercial-off-the-shelf (COTS) binaries. One of the key challenges in dynamic binary analysis is to specify the taint rules that capture how taint information propagates for each instruction on an architecture. Most of the existing solutions specify taint rules using a deductive approach by summarizing the rules manually after analyzing the instruction semantics. Intuitively, taint propagation reflects on how an instruction input affects its output, and thus can be observed from instruction executions. In this work, we propose an inductive method for taint propagation and develop a universal taint tracking engine that is architecture-agnostic. Our taint engine, TAINTINDUCE, can learn taint rules with minimal architectural knowledge by observing the execution behavior of instructions. To measure its correctness and guide taint rule generation, we define the precise notion of soundness for bit-level taint tracking in this novel setup. In our evaluation, we show that TAINTINDUCE automatically learns rules for 4 widely used architectures: x86, x64, AArch64, and MIPS-I. It can detect vulnerabilities for 24 CVEs in 15 applications on both Linux and Windows over millions of instructions and is comparable with other mature existing tools (TEMU [51], libdft [32], Triton [42]). TAINTINDUCE can be used as a stand-alone taint engine or be used to complement existing taint engines for unhandled instructions. Further, it can be used as a cross-referencing tool to uncover bugs in taint engines, emulation implementations and ISA documentations.

show abstract

“…Region-based memory partitioning has been explored before in the context of safe and efficient memory management [30,59], but not for information flow. In ConfLLVM, regions obviate the need for dynamic taint tracking [39,51,55]. TaintCheck [44] first proposed the idea of dynamic taint tracking, and forms the basis of Valgrind [43].…”

Section: Related Workmentioning

confidence: 99%

ConfLLVM

Brahmakshatriya

Kedia

McKee

et al. 2019

Proceedings of the Fourteenth EuroSys Conference 2019

View full text Add to dashboard Cite

We present a compiler-based scheme to protect the confidentiality of sensitive data in low-level applications (e.g. those written in C) in the presence of an active adversary. In our scheme, the programmer marks sensitive data by lightweight annotations on the top-level definitions in the source code. The compiler then uses a combination of static dataflow analysis, runtime instrumentation, and a novel taint-aware form of control-flow integrity to prevent data leaks even in the presence of low-level attacks. To reduce runtime overheads, the compiler uses a novel memory layout.We implement our scheme within the LLVM framework and evaluate it on the standard SPEC-CPU benchmarks, and on larger, real-world applications, including the NGINX webserver and the OpenLDAP directory server. We find that the performance overheads introduced by our instrumentation are moderate (average 12% on SPEC), and the programmer effort to port the applications is minimal.

show abstract

Explicit Secrecy: A Policy for Taint Tracking

Cited by 31 publications

References 51 publications

SerialDetector: Principled and Practical Exploration of Object Injection Vulnerabilities for the Web

SerialDetector: Principled and Practical Exploration of Object Injection Vulnerabilities for the Web

One Engine To Serve 'em All: Inferring Taint Rules Without Architectural Semantics

ConfLLVM

Contact Info

Product

Resources

About