In the news...explicit data flows Propagation Associate taints with sensitive data Propagate taints...

Data Leaks In the news…

Sep‘17143M 👤

Mar‘19passwords stored in readable format 600M 👤

Nov’18500M 👤 1.8B US ~500 companies 2018

CostofaDataBreachStudywww.ibm.com/security/data-breach

Data Breaches

shutdownafterdataleaks0.5M 👤

Apr‘19exposeduserdata1B 👤

Mar‘18

Dynamic Taint Tacking tracksinformationflow

2TaintTracking isslow! OptimisticHybridAnalysis withSafeElisions improves!

scanf( );

send( );

explicitdataflows

Propagation

AssociatetaintswithsensitivedataPropagatetaintstoderivedvaluesChecktaintedvaluesdon’treachuntrustedchannels

programargumentskeyboard

filesnetwork

Sources

sendtonetwork

x = secret + y; if (secret) x = y;

implicitcontrolflows

printtoscreenwritetofile

TaintTracking 3

Dynamic Taint Tacking canpreventinformationleak

isslow! OptimisticHybridAnalysis withSafeElisions improves!

enablespowerfulanalyses

overwriteattackscommandinjectionattacks

XSSattackssecurity

semanticanalysistestinganddebuggingsoftware

engineering

informationleakageprivacy

TaintTracking 4

Dynamic Taint Tacking

isslow! OptimisticHybridAnalysis withSafeElisions improves!

P r o b l e m

Dynamic Taint Tracking is expensive !

TaintTracking isslow! OptimisticHybridAnalysis withSafeElisions improves!

~𝟓× slowdown[Newsomeetal.‘05]

main (…) { x = c + 3;

y = secret;

if (p < 0) {

z = c * y;

} out = z;

printf(out); }

is expensive !

secret

⋮ ⋮

MEMORY

}check}

Dynamic Taint Tacking

TaintTracking isslow! 5OptimisticHybridAnalysis withSafeElisions improves!

main (…) { x = c + 3;

y = secret;

if (p < 0) {

z = c * y;

} out = z;

printf(out); }

Staticanalyses—dataflowtaintanalysis+pointeranalysis

𝟓× → 𝟐.𝟕× ∴ not effective enough…

TaintTracking isslow!

Static Analysis can help ?

imprecise

notscalable

OptimisticHybridAnalysis withSafeElisions improves! 6

?undecidableimprecise

P: PossibleprogramstatesS: SoundStaticanalysis’statespace

TaintTracking isslow! 7

Static Analysis Limitation

OptimisticHybridAnalysis withSafeElisions improves!

sound notscalable

S o l u t i o n

Optimistic Hybrid Analysis

TaintTracking isslow! OptimisticHybridAnalysis 8

P: PossibleprogramstatesS: SoundStaticanalysis’statespace

T: Testedprogramstates

O: PredicatedStaticanalysis’state space

Predicated Static Analysis

withSafeElisions improves!

sound notscalableimpreciseprecise scalableunsound

p ≥𝟎(Assume)

Forwardoptimization

Backwardoptimization

Predicated Static Analysis main (…) { x = c + 3;

y = secret;

if (p < 0) {

z = c * y;

} out = z;

printf(out); }

Optimisticanalyses—dataflowtaintanalysis+pointeranalysis

+invariantassumption

preciseoptimizedforcommoncase

scalable

• likelyunreachablecode• likelycalleesets• likelyunrealizedcallcontexts

Profiling

OptimizedDynamicAnalysis

workflow

main () { unsigned c; c = secret; int x, y, z; if (c < 0) x = secret; if (c == 1) y = secret; z = x + y; ⋮ printf(z); }

likelyinvariants

inputs

[Devecseryetal.‘18]

main () { unsigned c; int x, y, z; c = secret;

if (c < 0) x = secret;

if (c == 1) y = secret; z = x + y; ⋮ printf(z); }

PredicatedStaticAnalysis

TaintTracking isslow! OptimisticHybridAnalysis 10withSafeElisions improves!

p ≥𝟎(Assume)

1.  likelyUnreachableCode

2.  likelyCalleeSets

3.  likelyUnrealizedCallContexts

Optimistic Assumptions

invariant violation detection + analysis recovery

detectionrecovery

unsoundsound

{secret}

Taintset

→ missed state ?

{secret,y}

main (…) { x = c + 3;

y = secret;

if (p < 0) {

z = c * y;

} out = z;

printf(out); }

Optimistic Hybrid Analysis Recovery in OHA is a serious issue

Profiling

OptimizedDynamicAnalysis

main () { unsigned c; c = secret; int x, y, z; if (c < 0) x = secret; if (c == 1) y = secret; z = x + y; ⋮ printf(z); }

likelyinvariants

inputs

main () { unsigned c; int x, y, z; c = secret;

if (c < 0) x = secret;

if (c == 1) y = secret; z = x + y; ⋮ printf(z); }

PredicatedStaticAnalysis

RecoveryMechanism

Conservativeapproach: Rollbacktothebeginning and re-executewithunoptimizedanalysis

SufficientforofflineanalysisProhibitiveforliveexecutions

UnboundedRollbacks Overheads!

check-pointing

logging rollback-replay

Rollback Recovery is Problematic !

TaintTracking isslow! OptimisticHybridAnalysis 13withSafeElisions improves!

• FullDynamicAnalysisisprohibitivelyexpensive.

• ConservativeHybridAnalysisisimpreciseandinefficient.

• OptimisticHybridAnalysiscanimprove.

•  ButRollbackRecoveryischallenging.TaintTracking isslow! OptimisticHybridAnalysis 14

R o l l b a c k - f r e e

metadata

Rollback Recovery

TaintTracking isslow! OptimisticHybridAnalysis withSafeElisions 15

Forward

Recovery

improves!

metadata?

Safe Elisions

ensures metadata equivalence !

Invariantfails

{metadata1}

{metadata2}

monitornoop

of noop monitors

TaintTracking isslow! OptimisticHybridAnalysis withSafeElisions 16improves!

exact semantics

y = public; {secret}

Taintset

{secret}

main (…) { x = c + 3;

y = secret;

if (p < 0) {

z = c * y;

} out = z;

printf(out); }

{secret,y}original

unsafe

Predicated forward optimizations are safe

ensure exact metadata state !

improves!

{secret}elided

Safe Elisions

of noop monitors

{secret,y}original

{secret,y}elided

•  Separatecontrolflowdomainsfast-pathandslow-path

•  Switchoninvariantfailure

•  Switchoncallreturnfromslow-path

Switching to conservative analysis

fast-path slow-path

Forward Recovery :

main()

parse()

parse_tag()

template() callgraph

improves!

E v a l u a t i o n

•  LLVM3.9compilerinfrastructure•  Cprograms

TaintTracking isslow! OptimisticHybridAnalysis withSafeElisions improves! 19

IODINE Implementation

ConservativeStatic:

•  Andersen’spointeranalysis(contextinsensitive)

•  data-flowtaintanalysis

ConservativeHybrid Rollback-freeOptimisticHybrid

Dynamic:

•  tainttrackinginstrumentation-LLVMDataFlowSanitizer

PredicatedStatic:

•  Andersen’spointeranalysis(contextsensitive)

•  taintanalysis:predicatedforward+ conservativebackward

OptimizedDynamic:

•  optimizedtainttracking•  invariantchecking+forwardrecovery

Profiling:3likelyinvarianttypes

Informationflowsecuritypolicies—

EmailintegrityandprivacyOverwriteattackdetection

smtpintegrity qmqpintegrity nginxsecurityDy

namicTaintTrackingOverhead

FullDynamic ConservativeHybrid Iodine

IODINE accelerates DIFT applications

POSTFIXMailserver

Webserver

4.𝟒× faster than conservative

improved by 𝟐× Static Analysis Precision

Mailserver Webserver Texteditor CompressiontoolDatabaseGzip POSTFIX

0.584 0.

0.602 0.684

0.427 0.507

0.364 0.422

0.388 0.447

0.293 0.

1.0Fractio

nofstaticm

Conservative +UnreachableCodes +CalleeSets +CallContexts

0 100 200 300 400 500 600 700 8001.0

0 20 40 60 80 100 120 140 160

Profiling Effort Normalized

lysistim

Profilingtime(s)

0 500 1000 1500 2000 2500

nginx redis vim

conservative

: regressiontestsuitesareadequate!

[CELLRANGE][CELLRANGE][CELLRANGE]

[CELLRANGE][CELLRANGE]

[CELLRANGE][CELLRANGE][CELLRANGE][CELLRANGE][CELLRANGE]

[CELLRANGE][CELLRANGE][CELLRANGE][CELLRANGE]

0 100 200 300 400 500 600 700 800

[CELLRANGE]

[CELLRANGE][CELLRANGE

][CELLRANGE][CELLRANGE

][CELLRANGE

[CELLRANGE]

][CELLRANGE

0 20 40 60 80 100 120 140 160

lysistim

Profilingtime(s)

[CELLRANGE][CELLRANGE][CELLRANGE][CELLRANGE][CELLRANGE][CELLRANGE]

0 500 1000 1500 2000 2500

nginx redis vim

conservative

0 100 200 300 400 500 600 700 800

[CELLRANGE]

][CELLRANGE

[CELLRANGE]

][CELLRANGE

0 20 40 60 80 100 120 140 160

lysistim

Profilingtime(s)

0 500 1000 1500 2000 2500

nginx redis vim

RegressionTests BetaTests

conservative

T a k e a w a y s

PracticalDynamicTaintTracking:

-  𝟐.𝟖×loweroverheadthanconservativehybridanalysis[ShadowReplica‘13,TaintPipe‘15,StraightTaint‘16]

fulldynamic ~𝟒×

~𝟏.𝟓×conservative

hybrid~𝟏.𝟐×IODINE

native

IODINE Summary

ImprovesOptimisticHybridAnalysis-  Rollback-freeusingonlysafeelisions-  Profilingusingtestsuitesisadequate

Safety Guarantee

ensures metadata equivalence !

Invariantfails

{metadata1}

{metadata2}

monitornoop

exact semantics

y = public; {secret}

Taintset

{secret}

UnboundedRollbacks Overheads!

check-pointing

logging rollback-replay

Rollbacks!

0 100 200 300 400 500 600 700 800

[CELLRANGE]

][CELLRANGE

[CELLRANGE]

][CELLRANGE

0 20 40 60 80 100 120 140 160

Sensitivity to Profiling Normalized

lysistim

Profilingtime(s)

0 500 1000 1500 2000 2500

nginx redis vim

RegressionTests BetaTests

conservative

NewAttackVector: violatelikelyinvariantsBoundedSlowdown:bestavailableconservativeanalysisAdaptingInvariants:re-analyzeexcludingfailedinvariantEarlyDetection: forcesattackertoinduceunusualbehavior

Attacks on Availability

In the news...explicit data flows Propagation Associate taints with sensitive data Propagate taints...

Documents

SC on Tainted Ministers

Prevention of muddy taints in farmed Barramundi

Organo Halogen Taints in Foods

Oxidative/Reductive Taints

TAINTED CARPETS

Tainted Drugs Put Focus on the FDA

Tainted Paradise: Caribbean Tourism

Canadian Red Cross Tainted Blood Scandal

Analysis of Food Taints and off-flavours - A review

True Blood: Tainted Love #5 (of 6)

From Farm Gate to Dinner Plate TAINTED

Tainted. From Farm Gate to Dinner Plate, Fifty Years of ...€¦ · TAINTED was born. Readers familiar with Old Habits will recognize much of the information presented in TAINTED

Tainted Yogurt: A Case Study

Tainted Tea

A Leatherhead Food Troubleshooting Taints and Finding Off ......©Leatherhead Food Research 2016 1 Troubleshooting Taints and Finding Off-Flavours In this white paper, Angela Calder

Anita Oberholster Musty Taints. Introduction: Musty Taints What off-odours are classified as musty taints? – Fungal, earthy, moldy, corky, mushroom or

The Avoidance of Taints and Contaminations During Winemaking1

Tainted Taskforce (1)

Ghostbusters Tainted Love

Cthulhu tales tainted (gibiscuits)