https://homeostasis.scs.carleton.ca/wiki/api.php?action=feedcontributions&feedformat=atom&user=SliskeSoma-notes - User contributions [en]2026-05-03T10:28:37ZUser contributionsMediaWiki 1.42.1https://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=6384COMP 3000 Essay 2 2010 Question 82010-12-02T16:21:33Z<p>Sliske: /* Additional questions */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung, Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow the ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper:<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since the application can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf [2<nowiki>]</nowiki>][http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>]<br><br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec [4<nowiki>]</nowiki>] <br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information. However, in this case the "taint" variables are infact important private data. ''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm [6<nowiki>]</nowiki>]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf [7<nowiki>]</nowiki>] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [8<nowiki>]</nowiki>]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf [10<nowiki>]</nowiki>]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head figure is obtained by using a CPU-bound benchmark, and while highly accurate for the scope it is tested in, the performance loss is not necessarily noticed by the end user.<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process communications. This also allows them to modify variable taint tags when a method call returns, so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which allows persistant content to keep its taint marks between sessions. <br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ [4<nowiki>]</nowiki>], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>], rely on instruction-level dynamic taint analysis using whole system emulation. One analyzer, Panorama Taint System, is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. As Panorama Taint System was one of the first dynamic taint analysis programs, a core feature in Panorama is the real-time abilities. However, Panorama used instruction-level analysis, and so had a high overhead. Most taint analyzing systems using instruction-level methods will result in the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of real-time analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html [4<nowiki>]</nowiki>][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, pre-compiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone. This implementation choice was reasonable for the research project TaintDroid is, but taint analysis is (hopefully) of high importance to the everyday user; TaintDroid could have aimed to go further than research. <br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated environment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of malicious applications. This would allow TaintDroid to be used as a black box.<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. ''Twenty-First Annual Computer Security Applications Confrence (ACSAC),'' (2005)<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode'' (2009)<br />
<br />
[6] FITZPATRICK, M. [http://news.bbc.co.uk/2/hi/technology/8559683.stm Mobile that allows bosses to snoop on staff developed]. ''BBC News, Technology'' (March 2010) <br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006)<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security'' (2007)<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Provide a brief description of information flow and taint analysis.<br />
** Information flow is the transfer of information between variables, methods, processes, and files. There are two types of information flow: implicit and explicit. Explicit flow is the direct transfer of data that results in it being more accessible than originally intended. Implicit flow refers to the ability to derive information that is supposed to be kept private. Taint analysis attempts to track information flow in order to better understand possible security issues. There are two types of taint analysis: static, which maps all possible paths of a program; and dynamic, which attempts to follow information as it's transferred in real time. Both can follow both implicit and explicit information flow, however there is a significant run-time disadvantage in tracking implicit flow in dynamic environments, so dynamic taint analysis is often done through emulation. (Background Concepts)<br />
* How is TaintDroid different from previous taint analysis programs? What are some problems specific to the TaintDroid implementation?<br />
** While dynamic analysis has been done before in many contexts, TaintDroid is one of the first to attempt to do dynamic analysis on a live embedded system with resource constraints, and so has some unique concerns. The most specific is surely the fact that smart phones are resource constrained. Preforming taint analysis without using emulation requires an efficient, low-overhead implementation, or the experiment will grind to a halt. The next largest issue is working with the existing software. TaintDroid needs to go low-level enough in the Android system to see everything the applications may possibly do, and also needs to interpret what the applications on the device are doing with the data, without being able to see the application's source. Since applications are "black-boxes", data may not look the same coming out as going in, and to get around this you must work at a level lower than the applications.(Research Problem)<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis, or an alternate dynamic analysis implementation [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf [11<nowiki>]</nowiki>].</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=6228COMP 3000 Essay 2 2010 Question 82010-12-02T06:24:02Z<p>Sliske: /* Additional questions */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung, Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow the ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper:<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since the application can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf [2<nowiki>]</nowiki>][http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>]<br><br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec [4<nowiki>]</nowiki>] <br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information. However, in this case the "taint" variables are infact important private data. ''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm [6<nowiki>]</nowiki>]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf [7<nowiki>]</nowiki>] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [8<nowiki>]</nowiki>]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf [10<nowiki>]</nowiki>]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head figure is obtained by using a CPU-bound benchmark, and while highly accurate for the scope it is tested in, the performance loss is not necessarily noticed by the end user.<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process communications. This also allows them to modify variable taint tags when a method call returns, so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which allows persistant content to keep its taint marks between sessions. <br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ [4<nowiki>]</nowiki>], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>], rely on instruction-level dynamic taint analysis using whole system emulation. One analyzer, Panorama Taint System, is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. As Panorama Taint System was one of the first dynamic taint analysis programs, a core feature in Panorama is the real-time abilities. However, Panorama used instruction-level analysis, and so had a high overhead. Most taint analyzing systems using instruction-level methods will result in the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of real-time analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html [4<nowiki>]</nowiki>][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, pre-compiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone. This implementation choice was reasonable for the research project TaintDroid is, but taint analysis is (hopefully) of high importance to the everyday user; TaintDroid could have aimed to go further than research. <br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated environment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of malicious applications. This would allow TaintDroid to be used as a black box.<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. ''Twenty-First Annual Computer Security Applications Confrence (ACSAC),'' (2005)<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode'' (2009)<br />
<br />
[6] FITZPATRICK, M. [http://news.bbc.co.uk/2/hi/technology/8559683.stm Mobile that allows bosses to snoop on staff developed]. ''BBC News, Technology'' (March 2010) <br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006)<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security'' (2007)<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Provide a brief description of information flow and taint analysis.<br />
** Information flow is the transfer of information between variables, methods, processes, and files. There are two types of information flow: implicit and explicit. Explicit flow is the direct transfer of data that results in it being more accessible than originally intended. Implicit flow refers to the ability to derive information that is supposed to be kept private. Taint analysis attempts to track information flow in order to better understand possible security issues. There are two types of taint analysis: static, which maps all possible paths of a program ; and dynamic, which attempts to follow information as it's transferred in real time. Both can follow both implicit and explicit information flow, however there is a significant run-time disadvantage in tracking implicit flow in dynamic environments, so dynamic taint analysis is often done through emulation. (Background Concepts)<br />
* How is TaintDroid different from previous taint analysis programs? What are some problems specific to the TaintDroid implementation?<br />
** While dynamic analysis has been done before in many contexts, TaintDroid is one of the first to attempt to do dynamic analysis on a live embedded system with resource constraints, and so has some unique concerns. The most specific is surely the fact that smart phones are resource constrained. Preforming taint analysis without using emulation requires an efficient, low-overhead implementation, or the experiment will grind to a halt. The next largest issue is working with the existing software. TaintDroid needs to go low-level enough in the Android system to see everything the applications may possibly do, and also needs to interpret what the applications on the device are doing with the data, without being able to see the application's source. Since applications are "black-boxes", data may not look the same coming out as going in, and to get around this you must work at a level lower than the applications.(Research Problem)<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf [11<nowiki>]</nowiki>].</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=Talk:COMP_3000_Essay_2_2010_Question_8&diff=6222Talk:COMP 3000 Essay 2 2010 Question 82010-12-02T06:09:59Z<p>Sliske: /* Work Plan */</p>
<hr />
<div>Group Members<br />
<br />
Trevor Bonesaw Malone - tmalone@connect.carleton.ca //FIRST POST!<br />
<br />
Qi Zhang - qzhang13@connect.carleton.ca<br />
<br />
Gregory Bint - gbint@connect.carleton.ca<br />
<br />
Gautam Akiwate - gakiwate@connect.carleton.ca<br />
<br />
Corey Ling - cling@connect.carleton.ca<br />
<br />
Sarah Liske<br />
<br />
<br />
<br />
== Work Plan ==<br />
<br />
As Trevor intimated, we should have clear division of work going forward. This is sort of the break down as I see it. Please edit as you think of new ideas!<br />
<br />
* Background Concepts<br />
** Information Flow Theory. (Implicit and Explicit Flows.) --Done[--[[User:Gautam|Gautam]] 03:54, 28 November 2010 (UTC)]<br />
** What is dynamic taint analysis --Done[--[[User:Gautam|Gautam]] 05:07, 28 November 2010 (UTC)]<br />
** What is the difference between dynamic and static analysis --Done[--[[User:Gautam|Gautam]] 03:54, 30 November 2010 (UTC)]]<br />
* Research Problem<br />
** How do we build a DTA engine for a phone? - done, but by who?<br />
** Why do we want to? (information misuse) - done, but by who?<br />
* Contribution<br />
** How did they implement their DTA engine (Done: --[[User:Cling|Cling]] 04:50, 26 November 2010 (UTC))<br />
** What did they find about information misuse (Done: --[[User:Cling|Cling]] 04:50, 26 November 2010 (UTC))<br />
** Compared to the existing taint tracking approaches. [[User:Zhangqi|Zhangqi]] 07:11, 27 November 2010 (UTC)<br />
** (What else should be in the contributions? Anything need fleshing out?) (Working on that now :) ) sliske<br />
* Critique<br />
**Added two paragraphs at the end of the present critique. Please incorporate it into your content as you deem fit.--[[User:Gautam|Gautam]] 09:07, 30 November 2010 (UTC) <br />
**^ done. fleshed out critique, and added a bit about how taintdroid doesn't track implicit flow. Also reworded (the entire essay) for clarity where necessary/checked spelling. It would be a good idea for everyone to read it over once for spelling/clarity before thursday, just in case something doesn't make sense - sliske<br />
* References<br />
** The article has 61 references! We can probably use some of them<br />
**whee! reading papers and sticking in information as need be. <br />
**references added and citations -taken care of- were removed/reworked, as it says in the assignment guidelines they're not allowed. will go over fill in a few places where information may be lacking after class sliske<br />
**Referencing is a little askew. The numbers don't match the papers as listed in the referencing. Also the papers are usually cited with a number and enclosed in "[]"<br />
**thanks for giving the paper a read over/noticing that :)<br />
<br />
List of information we need to find external sources for:<br />
* History of taint analysis<br />
* History of privacy research relating to smart phones<br />
<br />
== Work In Progress ==<br />
<br />
Log what you are working on *right now* so that other people don't try to do the same thing. Make sure to clear your name from here when you are done.<br />
<br />
* Gregory Bint: Research Problem<br />
<br />
* Gautam Akiwate: Background Concepts<br />
** Any resources on Dynamic taint Analysis would be appreciated!<br />
<br />
* Qi Zhang, Corey Ling: Contributions<br />
<br />
* Trevor Malone: Critique<br />
<br />
* Sarah Liske: References and Questions, Clarity/Spelling.<br />
<br />
== Some Notes from the Video ==<br />
<br />
Tracking of privacy sensitive data through Dynamic Taint Analysis (aka. Taint Tracking). The trick is to mark private data as it sourced, and then follow those marks until (unless) they leave the phone.<br />
<br />
Android phones run Java apps, which are compiled into DEX, and then run on top of the Dalvik VM. It is this VM that we modify so that we can support the storage and tracking of taint tags.<br />
<br />
Taint sources<br />
* low -bandwidth sensors<br />
** Location<br />
** Accelerometer<br />
* High-bandwidth sensors<br />
** Mic<br />
** Camera<br />
* Information DB<br />
** Address book<br />
** SMS storage<br />
* Device ID<br />
** IMEI<br />
** IMSI (don't actually track this one because of false positives)<br />
** ICC_ID<br />
** Phone Number<br />
<br />
Taint sink (where marked data can leave the phone)<br />
* Network Taint Sink<br />
<br />
Taint propagation<br />
* ???<br />
<br />
Taint tags are stored in memory interleaved with the variables they are tracking<br />
<br />
Some standard Data Flow technique is used to propagate these tags, especially as one variable that is marked may be assigned to another, so now that variable needs to be tracked as well.<br />
<br />
Tracks explicit flows of data, not implicit<br />
To fully capture implicit flows, you need to do static analysis, which is hard with closed-source apps, and cannot be done real-time<br />
<br />
Implicit flows are not tracked<br />
* Implicit flows can involve "taint-scope", tracking based on conditionals in code<br />
<br />
<br />
=== Performance ===<br />
<br />
The goal is to create a real time tracking system, so the TaintDroid's performance impact is of some importance<br />
<br />
14% CPU overhead<br />
4.4% memory overhead<br />
<br />
Macro benchmarks (to get a feel for what the phone's usability is like with TD running)<br />
* App load: 3% (2ms) <br />
<br />
<br />
=== Findings ===<br />
<br />
20 out of 30 tested applications share data in a way that is not expected.<br />
<br />
67 of 105 flagged pieces of data leaving the device had no obviously legitimate purpose (verified by the authors).<br />
<br />
Many apps sent location data and other unique identifiers to advertising servers.<br />
<br />
Most apps do not mention anything to the user.<br />
<br />
<br />
=== Limitations ===<br />
<br />
Tracks only explicit data flows.<br />
<br />
An application *could* launder the tags off of the data, if they really wanted to hide this sort of thing from TaintDroid.<br />
<br />
There are methods that could be used to protect against this, but they go against the goal of a light-weight, real-time tracking system. TD is not necessarily about catching truly malicious programs, but rather just those that leak information.<br />
<br />
<br />
Why do apps take this information?<br />
* Lazy; in the demo video, the wallpaper app seems to use the IMEI just as a ready made unique ID<br />
* Overzealous; the developer might thing they *need* the data for something, but actually <br />
* Ads; advertises do seem a little presumptuous in their data collection<br />
* Spying; bosses or spouses<br />
* Malicious; <br />
<br />
<br />
=== QA Period ===<br />
<br />
Q: how do we prevent a malicious app from removing a taint attribute on a file<br />
<br />
A: TD operates a too low a level for this to be a problem; TD assumes that the native code is trusted<br />
<br />
<br />
Q: It seems like you had a lot of false positives<br />
<br />
A: The point of this tool was to identify privacy sensitive information as having left the phone, not whether or not a privacy violation has taken place.<br />
<br />
<br />
Q: Now that TD is released; couldn't malicious apps use some of the methods described in the paper to get around it? <br />
<br />
A: Well, yes, but it is not just about maliciousness, it could just laziness or over-zealous ad stuff.<br />
<br />
==Other Information==<br />
<br />
Hey guys, thought I would just post a generalized paragraph about our essay.<br />
<br />
In today’s society, Smartphones are the new big thing. To me that’s what makes this paper so interesting. This paper focuses on private information in android phones and the misuse of this information. The misuse of information includes the SIM card, the ID of the device, or the phone number. TaintDroid is used on smart phones with an efficient taint tracking and analysis system. It has the ability to track sensitive data from multiple sources and examines the misuse of such data. In their study, out of 80 popular third-party applications, TaintDroid monitored that 68 applications had potential misuse of user’s private data. This tool is great for knowing with applications are safe and which are not, so your private data can remained private.<br />
<br />
Also, we should really think of splitting up the work in some way. If some people have specific sections they would like to do lets figure that out now so we can divide the workload and get it done over the next couple of days. I don't personally care what part I'm going to have to do, so lets get this going. Any other information people wanna post feel free the more the better, even if we don't end up using it.<br />
<br />
[[user:Tmalone|Trevor Malone]]<br />
<br />
Hey guys! Anything else we need to get done? Let me know and I can help in anyway possible.<br />
<br />
[[user:Tmalone|Trevor Malone]]<br />
<br />
==Relevant Sources==<br />
*NEWSOME,J.,AND SONG,D.Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection]<br />
<u>Seems to be THE Dynamic Taint Analysis Paper.Talks about implementation on TaintCheck. Could be also useful for critique section</u> -[Gautam]</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=6221COMP 3000 Essay 2 2010 Question 82010-12-02T06:09:04Z<p>Sliske: /* Contribution */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung, Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow the ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper:<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since the application can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf [2<nowiki>]</nowiki>][http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>]<br><br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec [4<nowiki>]</nowiki>] <br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information. However, in this case the "taint" variables are infact important private data. ''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm [6<nowiki>]</nowiki>]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf [7<nowiki>]</nowiki>] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [8<nowiki>]</nowiki>]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf [10<nowiki>]</nowiki>]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head figure is obtained by using a CPU-bound benchmark, and while highly accurate for the scope it is tested in, the performance loss is not necessarily noticed by the end user.<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process communications. This also allows them to modify variable taint tags when a method call returns, so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which allows persistant content to keep its taint marks between sessions. <br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ [4<nowiki>]</nowiki>], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>], rely on instruction-level dynamic taint analysis using whole system emulation. One analyzer, Panorama Taint System, is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. As Panorama Taint System was one of the first dynamic taint analysis programs, a core feature in Panorama is the real-time abilities. However, Panorama used instruction-level analysis, and so had a high overhead. Most taint analyzing systems using instruction-level methods will result in the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of real-time analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html [4<nowiki>]</nowiki>][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, pre-compiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone. This implementation choice was reasonable for the research project TaintDroid is, but taint analysis is (hopefully) of high importance to the everyday user; TaintDroid could have aimed to go further than research. <br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated environment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of malicious applications. This would allow TaintDroid to be used as a black box.<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. ''Twenty-First Annual Computer Security Applications Confrence (ACSAC),'' (2005)<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode'' (2009)<br />
<br />
[6] FITZPATRICK, M. [http://news.bbc.co.uk/2/hi/technology/8559683.stm Mobile that allows bosses to snoop on staff developed]. ''BBC News, Technology'' (March 2010) <br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006)<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security'' (2007)<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Provide a brief description of information flow and taint analysis.<br />
** Information flow is the transfer of information between variables, methods, processes, and files. There are two types of information flow: implicit and explicit. Explicit flow is the direct transfer of data that results in it being more accessible than originally intended. Implicit flow refers to the ability to derive information that is supposed to be kept private. Taint analysis attempts to track information flow in order to better understand possible security issues. There are two types of taint analysis: static, which maps all possible paths of a program ; and dynamic, which attempts to follow information as it's transferred in real time. Both can follow both implicit and explicit information flow, however there is a significant run-time disadvantage in tracking implicit flow in dynamic environments, so dynamic taint analysis is often done through emulation. (Background Concepts)<br />
* How is TaintDroid different from previous taint analysis programs? How does it achieve these goals?<br />
** While dynamic analysis has been done before in many contexts, TaintDroid is one of the first to attempt to do dynamic analysis on a live embedded system with resource constraints, and so a lot of effort is put into reducing overhead. (Contribution)<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf [11<nowiki>]</nowiki>].</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=6218COMP 3000 Essay 2 2010 Question 82010-12-02T06:01:53Z<p>Sliske: /* Additional questions */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung, Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow the ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper:<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since the application can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf [2<nowiki>]</nowiki>][http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>]<br><br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec [4<nowiki>]</nowiki>] <br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information. However, in this case the "taint" variables are infact important private data. ''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm [6<nowiki>]</nowiki>]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf [7<nowiki>]</nowiki>] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [8<nowiki>]</nowiki>]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf [10<nowiki>]</nowiki>]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ [4<nowiki>]</nowiki>], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>], rely on instruction-level dynamic taint analysis using whole system emulation. One analyzer, Panorama Taint System, is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. As Panorama Taint System was one of the first dynamic taint analysis programs, a core feature in Panorama is the real-time abilities. However, Panorama used instruction-level analysis, and so had a high overhead. Most taint analyzing systems using instruction-level methods will result in the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of real-time analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html [4<nowiki>]</nowiki>][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, pre-compiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone. This implementation choice was reasonable for the research project TaintDroid is, but taint analysis is (hopefully) of high importance to the everyday user; TaintDroid could have aimed to go further than research. <br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated environment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of malicious applications. This would allow TaintDroid to be used as a black box.<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. ''Twenty-First Annual Computer Security Applications Confrence (ACSAC),'' (2005)<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode'' (2009)<br />
<br />
[6] FITZPATRICK, M. [http://news.bbc.co.uk/2/hi/technology/8559683.stm Mobile that allows bosses to snoop on staff developed]. ''BBC News, Technology'' (March 2010) <br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006)<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security'' (2007)<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Provide a brief description of information flow and taint analysis.<br />
** Information flow is the transfer of information between variables, methods, processes, and files. There are two types of information flow: implicit and explicit. Explicit flow is the direct transfer of data that results in it being more accessible than originally intended. Implicit flow refers to the ability to derive information that is supposed to be kept private. Taint analysis attempts to track information flow in order to better understand possible security issues. There are two types of taint analysis: static, which maps all possible paths of a program ; and dynamic, which attempts to follow information as it's transferred in real time. Both can follow both implicit and explicit information flow, however there is a significant run-time disadvantage in tracking implicit flow in dynamic environments, so dynamic taint analysis is often done through emulation. (Background Concepts)<br />
* How is TaintDroid different from previous taint analysis programs? How does it achieve these goals?<br />
** While dynamic analysis has been done before in many contexts, TaintDroid is one of the first to attempt to do dynamic analysis on a live embedded system with resource constraints, and so a lot of effort is put into reducing overhead. (Contribution)<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf [11<nowiki>]</nowiki>].</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=6217COMP 3000 Essay 2 2010 Question 82010-12-02T06:01:32Z<p>Sliske: /* Contribution */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung, Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow the ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper:<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since the application can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf [2<nowiki>]</nowiki>][http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>]<br><br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec [4<nowiki>]</nowiki>] <br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information. However, in this case the "taint" variables are infact important private data. ''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm [6<nowiki>]</nowiki>]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf [7<nowiki>]</nowiki>] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [8<nowiki>]</nowiki>]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf [10<nowiki>]</nowiki>]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ [4<nowiki>]</nowiki>], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>], rely on instruction-level dynamic taint analysis using whole system emulation. One analyzer, Panorama Taint System, is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. As Panorama Taint System was one of the first dynamic taint analysis programs, a core feature in Panorama is the real-time abilities. However, Panorama used instruction-level analysis, and so had a high overhead. Most taint analyzing systems using instruction-level methods will result in the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of real-time analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html [4<nowiki>]</nowiki>][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, pre-compiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone. This implementation choice was reasonable for the research project TaintDroid is, but taint analysis is (hopefully) of high importance to the everyday user; TaintDroid could have aimed to go further than research. <br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated environment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of malicious applications. This would allow TaintDroid to be used as a black box.<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. ''Twenty-First Annual Computer Security Applications Confrence (ACSAC),'' (2005)<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode'' (2009)<br />
<br />
[6] FITZPATRICK, M. [http://news.bbc.co.uk/2/hi/technology/8559683.stm Mobile that allows bosses to snoop on staff developed]. ''BBC News, Technology'' (March 2010) <br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006)<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security'' (2007)<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf [11<nowiki>]</nowiki>].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=6215COMP 3000 Essay 2 2010 Question 82010-12-02T06:00:43Z<p>Sliske: /* Contribution */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung, Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow the ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper:<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since the application can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf [2<nowiki>]</nowiki>][http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>]<br><br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec [4<nowiki>]</nowiki>] <br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information. However, in this case the "taint" variables are infact important private data. ''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm [6<nowiki>]</nowiki>]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf [7<nowiki>]</nowiki>] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [8<nowiki>]</nowiki>]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf [10<nowiki>]</nowiki>]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ [4<nowiki>]</nowiki>], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>], rely on instruction-level dynamic taint analysis using whole system emulation. One analyzer, Panorama Taint System, is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. As Panorama Taint System was one of the first dynamic taint analysis programs, a core feature in Panorama is the real-time abilities. However, Panorama used instruction-level analysis, and so had a high overhead. Most taint analyzing systems using instruction-level methods will result in the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of real-time analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html [4<nowiki>]</nowiki>][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, pre-compiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone. This implementation choice was reasonable for the research project TaintDroid is, but taint analysis is (hopefully) of high importance to the everyday user; TaintDroid could have aimed to go further than research. <br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated environment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of malicious applications. This would allow TaintDroid to be used as a black box.<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. ''Twenty-First Annual Computer Security Applications Confrence (ACSAC),'' (2005)<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode'' (2009)<br />
<br />
[6] FITZPATRICK, M. [http://news.bbc.co.uk/2/hi/technology/8559683.stm Mobile that allows bosses to snoop on staff developed]. ''BBC News, Technology'' (March 2010) <br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006)<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security'' (2007)<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf [11<nowiki>]</nowiki>].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=6135COMP 3000 Essay 2 2010 Question 82010-12-02T03:29:40Z<p>Sliske: /* Implicit Flow */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung, Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow the ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper:<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since the application can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf [2<nowiki>]</nowiki>][http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>]<br><br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec [4<nowiki>]</nowiki>] <br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information. However, in this case the "taint" variables are infact important private data. ''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm [6<nowiki>]</nowiki>]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf [7<nowiki>]</nowiki>] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [8<nowiki>]</nowiki>]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf [10<nowiki>]</nowiki>]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ [4<nowiki>]</nowiki>], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>], rely on instruction-level dynamic taint analysis using whole system emulation. One analyzer, Panorama Taint System, is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. As Panorama Taint System was one of the first dynamic taint analysis programs, a core feature in Panorama is the real-time abilities. However, Panorama used instruction-level analysis, and so had a high overhead. Most taint analyzing systems using instruction-level methods will result in the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of real-time analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html [4<nowiki>]</nowiki>][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, pre-compiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone. This implementation choice was reasonable for the research project TaintDroid is, but taint analysis is (hopefully) of high importance to the everyday user; TaintDroid could have aimed to go further than research. <br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated environment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of malicious applications. This would allow TaintDroid to be used as a black box.<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. ''Twenty-First Annual Computer Security Applications Confrence (ACSAC),'' (2005)<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode'' (2009)<br />
<br />
[6] FITZPATRICK, M. [http://news.bbc.co.uk/2/hi/technology/8559683.stm Mobile that allows bosses to snoop on staff developed]. ''BBC News, Technology'' (March 2010) <br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006)<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security'' (2007)<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf [11<nowiki>]</nowiki>].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=6128COMP 3000 Essay 2 2010 Question 82010-12-02T03:23:32Z<p>Sliske: /* Critique */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung, Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow the ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper:<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf [2<nowiki>]</nowiki>][http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>]<br><br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec [4<nowiki>]</nowiki>] <br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information. However, in this case the "taint" variables are infact important private data. ''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm [6<nowiki>]</nowiki>]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf [7<nowiki>]</nowiki>] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [8<nowiki>]</nowiki>]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf [10<nowiki>]</nowiki>]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ [4<nowiki>]</nowiki>], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>], rely on instruction-level dynamic taint analysis using whole system emulation. One analyzer, Panorama Taint System, is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. As Panorama Taint System was one of the first dynamic taint analysis programs, a core feature in Panorama is the real-time abilities. However, Panorama used instruction-level analysis, and so had a high overhead. Most taint analyzing systems using instruction-level methods will result in the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of real-time analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html [4<nowiki>]</nowiki>][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, pre-compiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone. This implementation choice was reasonable for the research project TaintDroid is, but taint analysis is (hopefully) of high importance to the everyday user; TaintDroid could have aimed to go further than research. <br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated environment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of malicious applications. This would allow TaintDroid to be used as a black box.<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. ''Twenty-First Annual Computer Security Applications Confrence (ACSAC),'' (2005)<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode'' (2009)<br />
<br />
[6] FITZPATRICK, M. [http://news.bbc.co.uk/2/hi/technology/8559683.stm Mobile that allows bosses to snoop on staff developed]. ''BBC News, Technology'' (March 2010) <br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006)<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security'' (2007)<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf [11<nowiki>]</nowiki>].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=6120COMP 3000 Essay 2 2010 Question 82010-12-02T03:19:24Z<p>Sliske: /* Critique */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung, Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow the ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper:<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf [2<nowiki>]</nowiki>][http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>]<br><br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec [4<nowiki>]</nowiki>] <br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information. However, in this case the "taint" variables are infact important private data. ''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm [6<nowiki>]</nowiki>]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf [7<nowiki>]</nowiki>] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [8<nowiki>]</nowiki>]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf [10<nowiki>]</nowiki>]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ [4<nowiki>]</nowiki>], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>], rely on instruction-level dynamic taint analysis using whole system emulation. One analyzer, Panorama Taint System, is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. As Panorama Taint System was one of the first dynamic taint analysis programs, a core feature in Panorama is the real-time abilities. However, Panorama used instruction-level analysis, and so had a high overhead. Most taint analyzing systems using instruction-level methods will result in the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of real-time analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html [4<nowiki>]</nowiki>][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone. This implementation choice was reasonable for the research project TaintDroid is, but taint analysis is (hopefully) of high importance to the everyday user, and TaintDroid could have aimed to go further than research.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. ''Twenty-First Annual Computer Security Applications Confrence (ACSAC),'' (2005)<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode'' (2009)<br />
<br />
[6] FITZPATRICK, M. [http://news.bbc.co.uk/2/hi/technology/8559683.stm Mobile that allows bosses to snoop on staff developed]. ''BBC News, Technology'' (March 2010) <br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006)<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security'' (2007)<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf [11<nowiki>]</nowiki>].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=6115COMP 3000 Essay 2 2010 Question 82010-12-02T03:11:45Z<p>Sliske: /* Background Concepts */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung, Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow the ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper:<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf [2<nowiki>]</nowiki>][http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>]<br><br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec [4<nowiki>]</nowiki>] <br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information. However, in this case the "taint" variables are infact important private data. ''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm [6<nowiki>]</nowiki>]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf [7<nowiki>]</nowiki>] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [8<nowiki>]</nowiki>]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf [10<nowiki>]</nowiki>]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ [4<nowiki>]</nowiki>], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>], rely on instruction-level dynamic taint analysis using whole system emulation. One analyzer, Panorama Taint System, is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. As Panorama Taint System was one of the first dynamic taint analysis programs, a core feature in Panorama is the real-time abilities. However, Panorama used instruction-level analysis, and so had a high overhead. Most taint analyzing systems using instruction-level methods will result in the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of real-time analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html [4<nowiki>]</nowiki>][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone. Essentially, this to make an arguement that TaintDroid could have been made with a set of better design choices. <br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. ''Twenty-First Annual Computer Security Applications Confrence (ACSAC),'' (2005)<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode'' (2009)<br />
<br />
[6] FITZPATRICK, M. [http://news.bbc.co.uk/2/hi/technology/8559683.stm Mobile that allows bosses to snoop on staff developed]. ''BBC News, Technology'' (March 2010) <br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006)<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security'' (2007)<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf [11<nowiki>]</nowiki>].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=Talk:COMP_3000_Essay_2_2010_Question_8&diff=6111Talk:COMP 3000 Essay 2 2010 Question 82010-12-02T03:11:17Z<p>Sliske: /* Work Plan */</p>
<hr />
<div>Group Members<br />
<br />
Trevor Bonesaw Malone - tmalone@connect.carleton.ca //FIRST POST!<br />
<br />
Qi Zhang - qzhang13@connect.carleton.ca<br />
<br />
Gregory Bint - gbint@connect.carleton.ca<br />
<br />
Gautam Akiwate - gakiwate@connect.carleton.ca<br />
<br />
Corey Ling - cling@connect.carleton.ca<br />
<br />
Sarah Liske<br />
<br />
<br />
<br />
== Work Plan ==<br />
<br />
As Trevor intimated, we should have clear division of work going forward. This is sort of the break down as I see it. Please edit as you think of new ideas!<br />
<br />
* Background Concepts<br />
** Information Flow Theory. (Implicit and Explicit Flows.) --Done[--[[User:Gautam|Gautam]] 03:54, 28 November 2010 (UTC)]<br />
** What is dynamic taint analysis --Done[--[[User:Gautam|Gautam]] 05:07, 28 November 2010 (UTC)]<br />
** What is the difference between dynamic and static analysis --Done[--[[User:Gautam|Gautam]] 03:54, 30 November 2010 (UTC)]]<br />
* Research Problem<br />
** How do we build a DTA engine for a phone? - done, but by who?<br />
** Why do we want to? (information misuse) - done, but by who?<br />
* Contribution<br />
** How did they implement their DTA engine (Done: --[[User:Cling|Cling]] 04:50, 26 November 2010 (UTC))<br />
** What did they find about information misuse (Done: --[[User:Cling|Cling]] 04:50, 26 November 2010 (UTC))<br />
** Compared to the existing taint tracking approaches. [[User:Zhangqi|Zhangqi]] 07:11, 27 November 2010 (UTC)<br />
** (What else should be in the contributions? Anything need fleshing out?) (Working on that now :) ) sliske<br />
* Critique<br />
**Added two paragraphs at the end of the present critique. Please incorporate it into your content as you deem fit.--[[User:Gautam|Gautam]] 09:07, 30 November 2010 (UTC) <br />
**^ done. fleshed out critique, and added a bit about how taintdroid doesn't track implicit flow. Also reworded (the entire essay) for clarity where necessary/checked spelling. It would be a good idea for everyone to read it over once for spelling/clarity before thursday, just in case something doesn't make sense - sliske<br />
* References<br />
** The article has 61 references! We can probably use some of them<br />
**whee! reading papers and sticking in information as need be. Also working out how to cite properly, as there are two citations used currently<br />
**references added and citations taken care of. will go over fill in a few places where information may be lacking after class sliske<br />
**Referencing is a little askew. The numbers don't match the papers as listed in the referencing. Also the papers are usually cited with a number and enclosed in "[]"<br />
**thanks for giving the paper a read over/noticing that :)<br />
<br />
List of information we need to find external sources for:<br />
* History of taint analysis<br />
* History of privacy research relating to smart phones<br />
<br />
== Work In Progress ==<br />
<br />
Log what you are working on *right now* so that other people don't try to do the same thing. Make sure to clear your name from here when you are done.<br />
<br />
* Gregory Bint: Research Problem<br />
** Need to find some history on smart phone security research for the second part.<br />
<br />
* Gautam Akiwate: Background Concepts<br />
** Any resources on Dynamic taint Analysis would be appreciated!<br />
<br />
* Qi Zhang, Corey Ling: Contributions<br />
<br />
* Trevor Malone: Critique<br />
<br />
* Sarah Liske: References and Questions, Clarity/Spelling.<br />
<br />
== Some Notes from the Video ==<br />
<br />
Tracking of privacy sensitive data through Dynamic Taint Analysis (aka. Taint Tracking). The trick is to mark private data as it sourced, and then follow those marks until (unless) they leave the phone.<br />
<br />
Android phones run Java apps, which are compiled into DEX, and then run on top of the Dalvik VM. It is this VM that we modify so that we can support the storage and tracking of taint tags.<br />
<br />
Taint sources<br />
* low -bandwidth sensors<br />
** Location<br />
** Accelerometer<br />
* High-bandwidth sensors<br />
** Mic<br />
** Camera<br />
* Information DB<br />
** Address book<br />
** SMS storage<br />
* Device ID<br />
** IMEI<br />
** IMSI (don't actually track this one because of false positives)<br />
** ICC_ID<br />
** Phone Number<br />
<br />
Taint sink (where marked data can leave the phone)<br />
* Network Taint Sink<br />
<br />
Taint propagation<br />
* ???<br />
<br />
Taint tags are stored in memory interleaved with the variables they are tracking<br />
<br />
Some standard Data Flow technique is used to propagate these tags, especially as one variable that is marked may be assigned to another, so now that variable needs to be tracked as well.<br />
<br />
Tracks explicit flows of data, not implicit<br />
To fully capture implicit flows, you need to do static analysis, which is hard with closed-source apps, and cannot be done real-time<br />
<br />
Implicit flows are not tracked<br />
* Implicit flows can involve "taint-scope", tracking based on conditionals in code<br />
<br />
<br />
=== Performance ===<br />
<br />
The goal is to create a real time tracking system, so the TaintDroid's performance impact is of some importance<br />
<br />
14% CPU overhead<br />
4.4% memory overhead<br />
<br />
Macro benchmarks (to get a feel for what the phone's usability is like with TD running)<br />
* App load: 3% (2ms) <br />
<br />
<br />
=== Findings ===<br />
<br />
20 out of 30 tested applications share data in a way that is not expected.<br />
<br />
67 of 105 flagged pieces of data leaving the device had no obviously legitimate purpose (verified by the authors).<br />
<br />
Many apps sent location data and other unique identifiers to advertising servers.<br />
<br />
Most apps do not mention anything to the user.<br />
<br />
<br />
=== Limitations ===<br />
<br />
Tracks only explicit data flows.<br />
<br />
An application *could* launder the tags off of the data, if they really wanted to hide this sort of thing from TaintDroid.<br />
<br />
There are methods that could be used to protect against this, but they go against the goal of a light-weight, real-time tracking system. TD is not necessarily about catching truly malicious programs, but rather just those that leak information.<br />
<br />
<br />
Why do apps take this information?<br />
* Lazy; in the demo video, the wallpaper app seems to use the IMEI just as a ready made unique ID<br />
* Overzealous; the developer might thing they *need* the data for something, but actually <br />
* Ads; advertises do seem a little presumptuous in their data collection<br />
* Spying; bosses or spouses<br />
* Malicious; <br />
<br />
<br />
=== QA Period ===<br />
<br />
Q: how do we prevent a malicious app from removing a taint attribute on a file<br />
<br />
A: TD operates a too low a level for this to be a problem; TD assumes that the native code is trusted<br />
<br />
<br />
Q: It seems like you had a lot of false positives<br />
<br />
A: The point of this tool was to identify privacy sensitive information as having left the phone, not whether or not a privacy violation has taken place.<br />
<br />
<br />
Q: Now that TD is released; couldn't malicious apps use some of the methods described in the paper to get around it? <br />
<br />
A: Well, yes, but it is not just about maliciousness, it could just laziness or over-zealous ad stuff.<br />
<br />
==Other Information==<br />
<br />
Hey guys, thought I would just post a generalized paragraph about our essay.<br />
<br />
In today’s society, Smartphones are the new big thing. To me that’s what makes this paper so interesting. This paper focuses on private information in android phones and the misuse of this information. The misuse of information includes the SIM card, the ID of the device, or the phone number. TaintDroid is used on smart phones with an efficient taint tracking and analysis system. It has the ability to track sensitive data from multiple sources and examines the misuse of such data. In their study, out of 80 popular third-party applications, TaintDroid monitored that 68 applications had potential misuse of user’s private data. This tool is great for knowing with applications are safe and which are not, so your private data can remained private.<br />
<br />
Also, we should really think of splitting up the work in some way. If some people have specific sections they would like to do lets figure that out now so we can divide the workload and get it done over the next couple of days. I don't personally care what part I'm going to have to do, so lets get this going. Any other information people wanna post feel free the more the better, even if we don't end up using it.<br />
<br />
[[user:Tmalone|Trevor Malone]]<br />
<br />
Hey guys! Anything else we need to get done? Let me know and I can help in anyway possible.<br />
<br />
[[user:Tmalone|Trevor Malone]]<br />
<br />
==Relevant Sources==<br />
*NEWSOME,J.,AND SONG,D.Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection]<br />
<u>Seems to be THE Dynamic Taint Analysis Paper.Talks about implementation on TaintCheck. Could be also useful for critique section</u> -[Gautam]</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=6109COMP 3000 Essay 2 2010 Question 82010-12-02T03:10:30Z<p>Sliske: /* References */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung, Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow the ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf [2<nowiki>]</nowiki>][http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>]<br><br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec [4<nowiki>]</nowiki>] <br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information. However, in this case the "taint" variables are infact important private data. ''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm [6<nowiki>]</nowiki>]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf [7<nowiki>]</nowiki>] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [8<nowiki>]</nowiki>]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf [10<nowiki>]</nowiki>]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ [4<nowiki>]</nowiki>], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>], rely on instruction-level dynamic taint analysis using whole system emulation. One analyzer, Panorama Taint System, is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. As Panorama Taint System was one of the first dynamic taint analysis programs, a core feature in Panorama is the real-time abilities. However, Panorama used instruction-level analysis, and so had a high overhead. Most taint analyzing systems using instruction-level methods will result in the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of real-time analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html [4<nowiki>]</nowiki>][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone. Essentially, this to make an arguement that TaintDroid could have been made with a set of better design choices. <br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. ''Twenty-First Annual Computer Security Applications Confrence (ACSAC),'' (2005)<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode'' (2009)<br />
<br />
[6] FITZPATRICK, M. [http://news.bbc.co.uk/2/hi/technology/8559683.stm Mobile that allows bosses to snoop on staff developed]. ''BBC News, Technology'' (March 2010) <br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006)<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security'' (2007)<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf [11<nowiki>]</nowiki>].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=6105COMP 3000 Essay 2 2010 Question 82010-12-02T03:07:57Z<p>Sliske: /* Contribution */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung, Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow the ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf [2<nowiki>]</nowiki>][http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>]<br><br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec [4<nowiki>]</nowiki>] <br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf [5<nowiki>]</nowiki>] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf [1<nowiki>]</nowiki>]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information. However, in this case the "taint" variables are infact important private data. ''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm [6<nowiki>]</nowiki>]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf [7<nowiki>]</nowiki>] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [8<nowiki>]</nowiki>]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf [3<nowiki>]</nowiki>]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf [10<nowiki>]</nowiki>]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ [4<nowiki>]</nowiki>], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>], rely on instruction-level dynamic taint analysis using whole system emulation. One analyzer, Panorama Taint System, is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. As Panorama Taint System was one of the first dynamic taint analysis programs, a core feature in Panorama is the real-time abilities. However, Panorama used instruction-level analysis, and so had a high overhead. Most taint analyzing systems using instruction-level methods will result in the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of real-time analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html [4<nowiki>]</nowiki>][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone. Essentially, this to make an arguement that TaintDroid could have been made with a set of better design choices. <br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. ''Twenty-First Annual Computer Security Applications Confrence (ACSAC),'' (2005)<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode''(2009)<br />
<br />
[6] FITZPATRICK, M. [http://news.bbc.co.uk/2/hi/technology/8559683.stm Mobile that allows bosses to snoop on staff developed]. ''BBC News, Technology'' (March 2010) <br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006)<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security'' (2007)<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf [11<nowiki>]</nowiki>].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=6053COMP 3000 Essay 2 2010 Question 82010-12-02T01:03:03Z<p>Sliske: /* Contribution */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. ''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf 10]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ 4], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11], rely on instruction-level dynamic taint analysis using whole system emulation. Panorama Taint System is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. The core feature of this kind of taint analysis is realtime. But this method will lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html 4][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf 11].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. ''Twenty-First Annual Computer Security Applications Confrence (ACSAC),'' (2005)<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode''(2009)<br />
<br />
[6] FITZPATRICK, M. [http://news.bbc.co.uk/2/hi/technology/8559683.stm Mobile that allows bosses to snoop on staff developed]. ''BBC News, Technology'' (March 2010) <br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006)<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security'' (2007)</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5994COMP 3000 Essay 2 2010 Question 82010-12-01T19:59:28Z<p>Sliske: /* Mathematical Model */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. ''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf 10]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ 4], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11], rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html 4][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf 11].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. ''Twenty-First Annual Computer Security Applications Confrence (ACSAC),'' (2005)<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode''(2009)<br />
<br />
[6] FITZPATRICK, M. [http://news.bbc.co.uk/2/hi/technology/8559683.stm Mobile that allows bosses to snoop on staff developed]. ''BBC News, Technology'' (March 2010) <br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006)<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security'' (2007)</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5992COMP 3000 Essay 2 2010 Question 82010-12-01T19:56:17Z<p>Sliske: /* References */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf 10]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ 4], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11], rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html 4][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf 11].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. ''Twenty-First Annual Computer Security Applications Confrence (ACSAC),'' (2005)<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode''(2009)<br />
<br />
[6] FITZPATRICK, M. [http://news.bbc.co.uk/2/hi/technology/8559683.stm Mobile that allows bosses to snoop on staff developed]. ''BBC News, Technology'' (March 2010) <br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006)<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security'' (2007)</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5991COMP 3000 Essay 2 2010 Question 82010-12-01T19:55:59Z<p>Sliske: /* References */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf 10]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ 4], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11], rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html 4][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf 11].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. ''Twenty-First Annual Computer Security Applications Confrence (ACSAC),'' (2005)<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode''(2009)<br />
<br />
[6] Fitzpatrick, M. [http://news.bbc.co.uk/2/hi/technology/8559683.stm Mobile that allows bosses to snoop on staff developed]. ''BBC News, Technology'' (March 2010) <br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006)<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security'' (2007)</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5990COMP 3000 Essay 2 2010 Question 82010-12-01T19:54:14Z<p>Sliske: /* References */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf 10]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ 4], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11], rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html 4][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf 11].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243.<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode''(2009)<br />
<br />
[6] Fitzpatrick, M. [http://news.bbc.co.uk/2/hi/technology/8559683.stm Mobile that allows bosses to snoop on staff developed]. ''BBC News, Technology'' (March 2010) <br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006).<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5989COMP 3000 Essay 2 2010 Question 82010-12-01T19:53:51Z<p>Sliske: /* References */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf 10]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ 4], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11], rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html 4][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf 11].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243.<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode''(2009)<br />
<br />
[6] Fitzpatrick, M. (March 2010). [http://news.bbc.co.uk/2/hi/technology/8559683.stm Mobile that allows bosses to snoop on staff developed]. BBC News, Technology. <br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006).<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5988COMP 3000 Essay 2 2010 Question 82010-12-01T19:51:25Z<p>Sliske: /* References */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf 10]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ 4], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11], rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html 4][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf 11].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243.<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] ''Proceedings of the Network and Distributed System Security Symposium'' (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] ''GINP ENSIMAG GoogleCode''(2009)<br />
<br />
[6] http://news.bbc.co.uk/2/hi/technology/8559683.stm<br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] ''http://pskl.us''<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] ''International Workshop on Run Time Enforcement for Mobile and Distributed Systems'' (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145, University of California, Berkeley'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006).<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=Talk:COMP_3000_Essay_2_2010_Question_8&diff=5986Talk:COMP 3000 Essay 2 2010 Question 82010-12-01T19:49:35Z<p>Sliske: /* Work Plan */</p>
<hr />
<div>Group Members<br />
<br />
Trevor Bonesaw Malone - tmalone@connect.carleton.ca //FIRST POST!<br />
<br />
Qi Zhang - qzhang13@connect.carleton.ca<br />
<br />
Gregory Bint - gbint@connect.carleton.ca<br />
<br />
Gautam Akiwate - gakiwate@connect.carleton.ca<br />
<br />
Corey Ling - cling@connect.carleton.ca<br />
<br />
Sarah Liske<br />
<br />
==Relevant Sources==<br />
*NEWSOME,J.,AND SONG,D.Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection]<br />
<u>Seems to be THE Dynamic Taint Analysis Paper.Talks about implementation on TaintCheck. Could be also useful for critique section</u> -[Gautam]<br />
<br />
== Work Plan ==<br />
<br />
As Trevor intimated, we should have clear division of work going forward. This is sort of the break down as I see it. Please edit as you think of new ideas!<br />
<br />
* Background Concepts<br />
** Information Flow Theory. (Implicit and Explicit Flows.) --Done[--[[User:Gautam|Gautam]] 03:54, 28 November 2010 (UTC)]<br />
** What is dynamic taint analysis --Done[--[[User:Gautam|Gautam]] 05:07, 28 November 2010 (UTC)]<br />
** What is the difference between dynamic and static analysis - it's there, who added it?<br />
* Research Problem<br />
** How do we build a DTA engine for a phone? - done, but by who?<br />
** Why do we want to? (information misuse) - done, but by who?<br />
* Contribution<br />
** How did they implement their DTA engine (Done: --[[User:Cling|Cling]] 04:50, 26 November 2010 (UTC))<br />
** What did they find about information misuse (Done: --[[User:Cling|Cling]] 04:50, 26 November 2010 (UTC))<br />
** Compared to the existing taint tracking approaches. [[User:Zhangqi|Zhangqi]] 07:11, 27 November 2010 (UTC) (Added something. Still looking for other examples,in progress)<br />
** (What else should be in the contributions? Anything need fleshing out?) (Working on that now :) ) sliske<br />
* Critique<br />
**Added two paragraphs at the end of the present critique. Please incorporate it into your content as you deem fit.--[[User:Gautam|Gautam]] 09:07, 30 November 2010 (UTC) <br />
**^ done. fleshed out critique, and added a bit about how taintdroid doesn't track implicit flow. Also reworded (the entire essay) for clarity where necessary/checked spelling. It would be a good idea for everyone to read it over once for spelling/clarity before thursday, just in case something doesn't make sense - sliske<br />
* References<br />
** The article has 61 references! We can probably use some of them<br />
**whee! reading papers and sticking in information as need be. Also working out how to cite properly, as there are two citations used currently<br />
references added and citations taken care of. will go over fill in a few places where information may be lacking after class sliske<br />
<br />
List of information we need to find external sources for:<br />
* History of taint analysis<br />
* History of privacy research relating to smart phones<br />
<br />
== Work In Progress ==<br />
<br />
Log what you are working on *right now* so that other people don't try to do the same thing. Make sure to clear your name from here when you are done.<br />
<br />
* Gregory Bint: Research Problem<br />
** Need to find some history on smart phone security research for the second part.<br />
<br />
* Gautam Akiwate: Background Concepts<br />
** Any resources on Dynamic taint Analysis would be appreciated!<br />
<br />
* Corey Ling: Contributions (Qi Zhang) <br />
<br />
* Trevor Malone: Critique<br />
<br />
* Sarah Liske: References and Questions, Clarity/Spelling.<br />
<br />
== Some Notes from the Video ==<br />
<br />
Tracking of privacy sensitive data through Dynamic Taint Analysis (aka. Taint Tracking). The trick is to mark private data as it sourced, and then follow those marks until (unless) they leave the phone.<br />
<br />
Android phones run Java apps, which are compiled into DEX, and then run on top of the Dalvik VM. It is this VM that we modify so that we can support the storage and tracking of taint tags.<br />
<br />
Taint sources<br />
* low -bandwidth sensors<br />
** Location<br />
** Accelerometer<br />
* High-bandwidth sensors<br />
** Mic<br />
** Camera<br />
* Information DB<br />
** Address book<br />
** SMS storage<br />
* Device ID<br />
** IMEI<br />
** IMSI (don't actually track this one because of false positives)<br />
** ICC_ID<br />
** Phone Number<br />
<br />
Taint sink (where marked data can leave the phone)<br />
* Network Taint Sink<br />
<br />
Taint propagation<br />
* ???<br />
<br />
Taint tags are stored in memory interleaved with the variables they are tracking<br />
<br />
Some standard Data Flow technique is used to propagate these tags, especially as one variable that is marked may be assigned to another, so now that variable needs to be tracked as well.<br />
<br />
Tracks explicit flows of data, not implicit<br />
To fully capture implicit flows, you need to do static analysis, which is hard with closed-source apps, and cannot be done real-time<br />
<br />
Implicit flows are not tracked<br />
* Implicit flows can involve "taint-scope", tracking based on conditionals in code<br />
<br />
<br />
=== Performance ===<br />
<br />
The goal is to create a real time tracking system, so the TaintDroid's performance impact is of some importance<br />
<br />
14% CPU overhead<br />
4.4% memory overhead<br />
<br />
Macro benchmarks (to get a feel for what the phone's usability is like with TD running)<br />
* App load: 3% (2ms) <br />
<br />
<br />
=== Findings ===<br />
<br />
20 out of 30 tested applications share data in a way that is not expected.<br />
<br />
67 of 105 flagged pieces of data leaving the device had no obviously legitimate purpose (verified by the authors).<br />
<br />
Many apps sent location data and other unique identifiers to advertising servers.<br />
<br />
Most apps do not mention anything to the user.<br />
<br />
<br />
=== Limitations ===<br />
<br />
Tracks only explicit data flows.<br />
<br />
An application *could* launder the tags off of the data, if they really wanted to hide this sort of thing from TaintDroid.<br />
<br />
There are methods that could be used to protect against this, but they go against the goal of a light-weight, real-time tracking system. TD is not necessarily about catching truly malicious programs, but rather just those that leak information.<br />
<br />
<br />
Why do apps take this information?<br />
* Lazy; in the demo video, the wallpaper app seems to use the IMEI just as a ready made unique ID<br />
* Overzealous; the developer might thing they *need* the data for something, but actually <br />
* Ads; advertises do seem a little presumptuous in their data collection<br />
* Spying; bosses or spouses<br />
* Malicious; <br />
<br />
<br />
=== QA Period ===<br />
<br />
Q: how do we prevent a malicious app from removing a taint attribute on a file<br />
<br />
A: TD operates a too low a level for this to be a problem; TD assumes that the native code is trusted<br />
<br />
<br />
Q: It seems like you had a lot of false positives<br />
<br />
A: The point of this tool was to identify privacy sensitive information as having left the phone, not whether or not a privacy violation has taken place.<br />
<br />
<br />
Q: Now that TD is released; couldn't malicious apps use some of the methods described in the paper to get around it? <br />
<br />
A: Well, yes, but it is not just about maliciousness, it could just laziness or over-zealous ad stuff.<br />
<br />
==Other Information==<br />
<br />
Hey guys, thought I would just post a generalized paragraph about our essay.<br />
<br />
In today’s society, Smartphones are the new big thing. To me that’s what makes this paper so interesting. This paper focuses on private information in android phones and the misuse of this information. The misuse of information includes the SIM card, the ID of the device, or the phone number. TaintDroid is used on smart phones with an efficient taint tracking and analysis system. It has the ability to track sensitive data from multiple sources and examines the misuse of such data. In their study, out of 80 popular third-party applications, TaintDroid monitored that 68 applications had potential misuse of user’s private data. This tool is great for knowing with applications are safe and which are not, so your private data can remained private.<br />
<br />
Also, we should really think of splitting up the work in some way. If some people have specific sections they would like to do lets figure that out now so we can divide the workload and get it done over the next couple of days. I don't personally care what part I'm going to have to do, so lets get this going. Any other information people wanna post feel free the more the better, even if we don't end up using it.<br />
<br />
[[user:Tmalone|Trevor Malone]]<br />
<br />
Hey guys! Anything else we need to get done? Let me know and I can help in anyway possible.<br />
<br />
[[user:Tmalone|Trevor Malone]]</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5985COMP 3000 Essay 2 2010 Question 82010-12-01T19:46:15Z<p>Sliske: /* References */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf 10]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ 4], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11], rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html 4][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf 11].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. ''Communications of the ACM 19, 5'' (May 1976), 236–243.<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. [http://www.usenix.org/events/sec04/tech/chow/chow_html/ Understanding Data Lifetime via Whole System Simulation]. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[6] http://news.bbc.co.uk/2/hi/technology/8559683.stm<br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006).<br />
<br />
[11] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5984COMP 3000 Essay 2 2010 Question 82010-12-01T19:44:55Z<p>Sliske: /* Questions */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf 10]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ 4], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11], rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html 4][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf 11].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. Understanding Data Lifetime via Whole System Simulation. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[6] http://news.bbc.co.uk/2/hi/technology/8559683.stm<br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006).<br />
<br />
[11] <br />
<br />
[] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5983COMP 3000 Essay 2 2010 Question 82010-12-01T19:44:31Z<p>Sliske: /* Contribution */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf 10]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ 4], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11], rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html 4][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 11] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. Understanding Data Lifetime via Whole System Simulation. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[6] http://news.bbc.co.uk/2/hi/technology/8559683.stm<br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006).<br />
<br />
[11] <br />
<br />
[] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5982COMP 3000 Essay 2 2010 Question 82010-12-01T19:44:30Z<p>Sliske: /* Critique */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf 10]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ 4], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 12], rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html 4][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 12] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. Understanding Data Lifetime via Whole System Simulation. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[6] http://news.bbc.co.uk/2/hi/technology/8559683.stm<br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006).<br />
<br />
[11] <br />
<br />
[] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5981COMP 3000 Essay 2 2010 Question 82010-12-01T19:43:36Z<p>Sliske: /* Contribution */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf 10]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ 4], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 12], rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html 4][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 12] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. Understanding Data Lifetime via Whole System Simulation. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[6] http://news.bbc.co.uk/2/hi/technology/8559683.stm<br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006).<br />
<br />
[11] <br />
<br />
[] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5980COMP 3000 Essay 2 2010 Question 82010-12-01T19:38:15Z<p>Sliske: /* References */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf 10]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. Understanding Data Lifetime via Whole System Simulation. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[6] http://news.bbc.co.uk/2/hi/technology/8559683.stm<br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006).<br />
<br />
[11] <br />
<br />
[] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5979COMP 3000 Essay 2 2010 Question 82010-12-01T19:37:33Z<p>Sliske: /* References */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf 10]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[6] http://news.bbc.co.uk/2/hi/technology/8559683.stm<br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006).<br />
<br />
[11] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., AND ROSENBLUM, M. Understanding Data Lifetime via Whole System Simulation. ''Proceedings of the 13th USENIX Security<br />
Symposium'' (August 2004).<br />
<br />
[] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5978COMP 3000 Essay 2 2010 Question 82010-12-01T19:35:00Z<p>Sliske: /* Research problem */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf 10]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[6] http://news.bbc.co.uk/2/hi/technology/8559683.stm<br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006).<br />
<br />
[] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5977COMP 3000 Essay 2 2010 Question 82010-12-01T19:34:47Z<p>Sliske: /* References */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br />
<br />
[5] CEARA, D., POTET, ML., et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[6] http://news.bbc.co.uk/2/hi/technology/8559683.stm<br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145'' (2009)<br />
<br />
[10] CHUNG LAM, L., CHIUEH, T., [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.74.1478&rep=rep1&type=pdf A General Dynamic Information Flow Tracking Framework for Security Applications]. ''Proceedings of the Annual Computer Security Applications Conference (ACSAC)'' (2006).<br />
<br />
[] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5976COMP 3000 Essay 2 2010 Question 82010-12-01T19:25:46Z<p>Sliske: /* References */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br />
<br />
[5] D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[6] http://news.bbc.co.uk/2/hi/technology/8559683.stm<br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)<br />
<br />
[9] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145'' (2009)<br />
<br />
[] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5975COMP 3000 Essay 2 2010 Question 82010-12-01T19:25:25Z<p>Sliske: /* References */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br />
<br />
[5] D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[6] http://news.bbc.co.uk/2/hi/technology/8559683.stm<br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)<br />
<br />
[] ZHU, Y., JUNG, J., KOHNO, T., WETHERALL, D., [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks]. ''Technical Report No. UCB/EECS-2009-145'' (2009)<br />
<br />
[] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5974COMP 3000 Essay 2 2010 Question 82010-12-01T19:23:58Z<p>Sliske: /* Research problem */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf 9]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br />
<br />
[5] D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[6] http://news.bbc.co.uk/2/hi/technology/8559683.stm<br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)<br />
<br />
[] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5973COMP 3000 Essay 2 2010 Question 82010-12-01T19:20:21Z<p>Sliske: /* Static Taint Analysis */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[REF]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br />
<br />
[5] D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[6] http://news.bbc.co.uk/2/hi/technology/8559683.stm<br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)<br />
<br />
[] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5967COMP 3000 Essay 2 2010 Question 82010-12-01T18:16:16Z<p>Sliske: /* References */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [REF]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[REF]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[2] HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br />
<br />
[5] D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[6] http://news.bbc.co.uk/2/hi/technology/8559683.stm<br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[8] NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)<br />
<br />
[] YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5966COMP 3000 Essay 2 2010 Question 82010-12-01T18:16:03Z<p>Sliske: /* References */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [REF]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[REF]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[1] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[2]HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[3] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
[4] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br />
<br />
[5]D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[6] http://news.bbc.co.uk/2/hi/technology/8559683.stm<br />
<br />
[7] SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[8]NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)<br />
<br />
[]YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5965COMP 3000 Essay 2 2010 Question 82010-12-01T18:15:54Z<p>Sliske: /* Research problem */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [REF]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm 6]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf 7] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf 8]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf 3]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[REF]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[]D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
<br />
<br />
<br />
[]YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''<br />
<br />
[] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec:future Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br />
<br />
[]HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[]SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[]NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5964COMP 3000 Essay 2 2010 Question 82010-12-01T18:14:09Z<p>Sliske: /* Taint Analysis */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf 2]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 3] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec 4]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf 5] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [REF]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[REF]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[]D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
<br />
<br />
<br />
[]YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''<br />
<br />
[] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec:future Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br />
<br />
[]HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[]SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[]NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5963COMP 3000 Essay 2 2010 Question 82010-12-01T18:12:29Z<p>Sliske: /* Information Flow */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf 1] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [REF]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[REF]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[]D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
<br />
<br />
<br />
[]YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''<br />
<br />
[] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec:future Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br />
<br />
[]HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[]SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[]NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5961COMP 3000 Essay 2 2010 Question 82010-12-01T18:09:41Z<p>Sliske: /* Additional questions */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [REF]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[REF]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[]D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
<br />
<br />
<br />
[]YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''<br />
<br />
[] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec:future Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br />
<br />
[]HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[]SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[]NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5959COMP 3000 Essay 2 2010 Question 82010-12-01T18:08:30Z<p>Sliske: /* Static Taint Analysis */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [REF]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[REF]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects, as TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid has been implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[]D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
<br />
<br />
<br />
[]YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''<br />
<br />
[] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec:future Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br />
<br />
[]HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[]SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[]NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5958COMP 3000 Essay 2 2010 Question 82010-12-01T18:07:42Z<p>Sliske: /* Taint Analysis */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [REF] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf]<br><br />
<br />
''Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone)<br>''<br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[REF]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects, as TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid has been implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[]D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
<br />
<br />
<br />
[]YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''<br />
<br />
[] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec:future Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br />
<br />
[]HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[]SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[]NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5957COMP 3000 Essay 2 2010 Question 82010-12-01T18:06:28Z<p>Sliske: /* Research problem */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [REF] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [REF]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf]<br><br />
<br />
<i>Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone :D)<br> For more detailed information on Taint Analysis refer "Detecting Software Vulnerabilities Static Taint Analysis"[2]</i><br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.1353&rep=rep1&type=pdf]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[REF]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects, as TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid has been implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[]D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
<br />
<br />
<br />
[]YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''<br />
<br />
[] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec:future Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br />
<br />
[]HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[]SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[]NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5956COMP 3000 Essay 2 2010 Question 82010-12-01T18:03:36Z<p>Sliske: /* References */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [REF] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [REF]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf]<br><br />
<br />
<i>Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone :D)<br> For more detailed information on Taint Analysis refer "Detecting Software Vulnerabilities Static Taint Analysis"[2]</i><br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.[REF]<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[REF]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[REF]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects, as TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid has been implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br />
<br />
[]D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br />
<br />
[] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br />
<br />
<br />
<br />
<br />
[]YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''<br />
<br />
[] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec:future Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br />
<br />
[]HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
<br />
[]SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br />
<br />
[]NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007)</div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5955COMP 3000 Essay 2 2010 Question 82010-12-01T18:03:05Z<p>Sliske: /* References */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [REF] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [REF]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf]<br><br />
<br />
<i>Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone :D)<br> For more detailed information on Taint Analysis refer "Detecting Software Vulnerabilities Static Taint Analysis"[2]</i><br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.[REF]<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[REF]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[REF]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects, as TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid has been implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br><br />
[]D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br><br />
[] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br><br />
<br />
<br />
[]YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis]. In ''Proceedings of ACM Computer and Communications Security (2007).''<br><br />
[] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec:future Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br><br />
[]HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
[]SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br><br />
[]NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007) <br></div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5954COMP 3000 Essay 2 2010 Question 82010-12-01T18:02:41Z<p>Sliske: /* References */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [REF] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [REF]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf]<br><br />
<br />
<i>Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone :D)<br> For more detailed information on Taint Analysis refer "Detecting Software Vulnerabilities Static Taint Analysis"[2]</i><br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.[REF]<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[REF]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[REF]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects, as TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid has been implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br><br />
[]D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br><br />
[] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br><br />
<br />
<br />
[]YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf Panorama: Capturing system-wide Information Flow for Malware Detection and Analysis. In ''Proceedings of ACM Computer and Communications Security (2007).''<br><br />
[] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec:future Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br><br />
[]HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
[]SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br><br />
[]NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007) <br></div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5953COMP 3000 Essay 2 2010 Question 82010-12-01T18:00:41Z<p>Sliske: /* Critique */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [REF] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [REF]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf]<br><br />
<br />
<i>Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone :D)<br> For more detailed information on Taint Analysis refer "Detecting Software Vulnerabilities Static Taint Analysis"[2]</i><br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.[REF]<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[REF]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[REF]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects, as TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid has been implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br><br />
[]D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br><br />
[] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br><br />
<br />
[] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec:future Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br><br />
[]HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
[]SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br><br />
[]NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007) <br></div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5952COMP 3000 Essay 2 2010 Question 82010-12-01T18:00:33Z<p>Sliske: /* Critique */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [REF] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [REF]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf]<br><br />
<br />
<i>Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone :D)<br> For more detailed information on Taint Analysis refer "Detecting Software Vulnerabilities Static Taint Analysis"[2]</i><br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.[REF]<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[REF]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[REF]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 1] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects, as TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid has been implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br><br />
[]D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br><br />
[] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br><br />
<br />
[] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec:future Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br><br />
[]HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
[]SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br><br />
[]NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007) <br></div>Sliskehttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_8&diff=5951COMP 3000 Essay 2 2010 Question 82010-12-01T18:00:22Z<p>Sliske: /* Critique */</p>
<hr />
<div>=TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones=<br />
'''Authors:''' <br><br />
* William Enck, Patrick McDaniel ''The Pennsylvania State University''<br><br />
* Peter Gilbert, Landon P. Cox ''Duke University''<br><br />
* Byung-Gon Chun, Jaeyeon Jung Anmol N. Sheth ''Intel Labs''<br />
<br />
[http://appanalysis.org/tdroid10.pdf Direct Link]<br />
<br />
[http://www.appanalysis.org/ Official Website]<br />
<br />
[http://www.youtube.com/watch?v=qnLujX1Dw4Y Video Demonstration]<br />
<br />
=Background Concepts=<br />
To follow these ideas in this paper, the ideas which form the basis of this theory have to be understood. All in all, the following two concepts can be said to be central to understanding this paper.<br><br />
==Information Flow==<br />
Information flow as the name suggests is the transfer of information. This transfer of information can be between two processes or within a given process, for example, between variables. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Information Flow Theory tries to quantify this flow of information into a mathematical model.<br> <br />
In a security model the information flow can be categorized into:<br> <br />
===Explicit Flow===<br />
Explicit flow is when information subject to security classifications is transferred to a variable or process which is not subject to the same or higher level of security, causing a security breach. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] The breach occurs because information is now more visible than it was intended to be. An example of explicit flow is shown below:<br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
notsecure = secure</big><br></code><br />
<br><br />
The information in <i>'secure'</i> which is PRIVATE is transferred to <i>'notsecure'</i> which is PUBLIC which is an information leak. <br />
<br><br />
<br />
===Implicit Flow===<br />
Implicit Flow is when information subject to security classifications is deduced indirectly. This the leakage of information occurs through the program control flow. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf] Depending on the flow of the program the secure information can be compromised, as shown below<br><br />
<br><br />
<code>PRIVATE VAR <big>secure</big><br><br />
PUBLIC VAR <big>notsecure<br><br />
if secure="blah blah" then:<br><br />
insecure=1<br><br />
else:<br><br />
insecure=0</big><br></code><br />
<br><br />
Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.<br />
<br />
==Taint Analysis==<br />
<br />
The basic premise of taint analysis is to follow the information flow of "tainted" variables to ensure that they do not create a security breach. Any variable that can be modified directly or indirectly by the user and can become a security vulnerability is "tainted". Through various operations the "taint" can be passed from variable to variable, propagating it. When a tainted variable is used to execute potentially dangerous commands a breach is logged, allowing detection of possible security concerns. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf]<br><br />
<br />
===Dynamic Taint Analysis===<br />
Taint Analysis done at run-time is called as Dynamic Taint Analysis. The approach used in dynamic taint analysis is to label data originating from untrusted sources as tainted. The analysis keeps track of all the tainted data in memory and when such data is used in a potentially dangerous situation, a leak is logged. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf] This approach offers the capabilities to detect most input validation vulnerabilities with a very low false positive rate. However, the execution of the program is slower because of the additional checks being preformed. [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec]<br><br />
<br />
===Static Taint Analysis===<br />
Static taint analysis is the technique used for detecting the over approximation of the set of instructions that are influenced by user input. The set of tainted instructions is computed statically by analyzing the sources of the program. [REF] The main advantage for static taint analysis is that it takes into account all the possible execution paths of the program. On the other hand the analysis may not be as accurate as a dynamic analysis because the static analysis does not have access to any additional run-time information of the program. [REF]<br><br />
<br />
===Mathematical Model===<br />
<big><code>For all variables V = {T,U} ;T are tainted and U are untainted:<br><br />
Using <big>⊕</big>: V x V -> V, x, y ∈ V <br><br />
x<big>⊕</big>y = T; x = T OR y = T<br><br />
x<big>⊕</big>y = U, if x = U AND y = U<br />
</code></big> <br><br />
<br />
It is now easy to see that whenever a tainted variable is used by another variable, the variable that used the tainted variable becomes tainted as well; the taint is propagated. Taking this further we can see that, if needed, we can tag variables as tainted by attaching to them a tainted tag, which can then be tracked or used as wanted. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf]<br><br />
<br />
<i>Note: The paper talks about Dynamic Taint Analysis. TaintDroid makes ingenious use of "taint" to taint variables that are of value and tracks their progress. Though in the actual context of Taint Analysis "taint" is used for untrusted information however in this case the "taint" variables are infact important private data. (Just in case if it confused someone :D)<br> For more detailed information on Taint Analysis refer "Detecting Software Vulnerabilities Static Taint Analysis"[2]</i><br />
<br />
=Research problem=<br />
<br />
In today’s society, smartphones are a prominent new technology. Smartphones, by their nature, are linked into many private details of our lives, including not only classic data like our contact list, but new kinds of data smartphones make available, such as location data. Smartphones also have the ability to download and run third party applications which can connect to the internet; indeed, this is why we call them "smart". Except for the odd tunnel or elevator, these phones are constantly connected to the internet. When you combine third party applications with an internet connection on a device that stores an immense amount of personal data, you suddenly find yourself unsure of how your data is being used; what is to stop a third party application from disseminating our private information? As it turns out, very little. [http://news.bbc.co.uk/2/hi/technology/8559683.stm]<br />
<br />
A telling example of this is a wallpaper application that sends your phone number back to the developer.[http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf] Once the app is running on your phone, it can typically access any of the information on your phone that it has been given permission to access, and it is not necessarily clear when the application has accessed data, or what it is doing with it.<br />
<br />
The authors of this paper set out to try to understand what kind of information is being collected and where that information is being sent, and in order to do that, they first needed to build a means of tracking that information.<br />
<br />
The strategy they chose is called Dynamic Taint Analysis, sometimes called Taint Tracking. The basic idea being to mark (or ''taint'') sensitive information at its source, and to then follow that mark as the data moves through a system. In the context of this paper, if ever we should see marked data leave the network interface of the phone, then we know that some sensitive information has been disseminated.<br />
<br />
There are many difficulties associated with implementing such a system on a smartphone. Their design goals were to create a light-weight, minimal overhead, real-time tracking system that runs directly on a real phone, with real applications. To be really useful, the tracking system must not impact the user experience too heavily.<br />
<br />
Some implementation difficulties are:<br />
* Smart phones are resource constrained. Processing power and memory are limited, and any processing that we do perform will consume battery power. If the tracking system is to be real-time, the phone must be considered "usable" by the end user, and so the system must be truly light weight.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf]<br />
* Third party applications arrive in a compiled format; we cannot analyze their source code.[REF]<br />
* Applications may do complex things with the sensitive data. It is unlikely that the application will simply read a location from the GPS and dump it straight out over the network. More likely is that the application will use that data in some way, or combine it with other data, before it is sent. We need to be able to track sensitive data throughout this entire process if we hope to perform any useful analysis.[REF]<br />
* Applications can share information with other applications, meaning that our tracking has to work across multiple processes.[REF]<br />
* The tracking must operate on a real phone, not a simulated one. With a simulated system, where we control the virtual hardware and memory, we can be certain that we can see everything that an application might do. On a real device, how can we get low-level enough to see everything the applications do?[REF]<br />
<br />
=Contribution=<br />
The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is only in regards to a "CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications."(Enck et al., YEAR, p1)<br />
<br />
This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed. [REF] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. [REF] Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).[REF]<br />
<br />
Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [REF], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System, rely on instruction-level dynamic taint analysis using whole system emulation. This method can lead to the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of realtime analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [REF] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.<br />
<br />
By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[REF] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.<br />
<br />
=Critique=<br />
<br />
This paper has quite a bit of information, but has a very strong structure in explaining what TaintDroid is and what it does, which makes it easy to read. The paper begins with a high-level overview of TaintDroid, then explains the history followed by an explanation of sources that are tracked by TaintDroid and its design. It continues with test results and the strengths and weaknesses of TaintDroid, with references to related work. <br />
<br />
Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead. <br />
<br />
To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.<br />
<br />
Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone.<br />
<br />
Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf 13] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.<br />
<br />
=Questions=<br />
Possible exam questions and brief answers are listed below, along with the section to go to to find more information pertaining to that question.<br />
<br />
===Anil's questions===<br />
* What is one source of false positives in TaintDroid? (In other words, what kind of code/data behavior leads to false alarms?)<br />
** Some applications are making legitimate use of sensitive data; for example, Google Maps needs to know your location in order to work, and the use of this data is known by the user. TaintDroid cannot know whether the user has consented to the use of some data, and so flags it as a leak. (Critique - Content)<br />
* What part of Android was modified for TaintDroid? Is this part of Android's kernel? Explain briefly. <br />
** The Dalvic VM is modified. Dalvic is the java virtual machine used by Android to run user applications. Although Dalvic is a core part of the Android operating system, it is not a part of the kernel. Dalvic runs on top of the Android kernel as a user process. All third party user applications run on top of Dalvic, however, so it is a sufficiently "low-level" point of the system to implement taint tracking. (Contribution)<br />
<br />
===Additional questions===<br />
* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one. <br />
** An application could use implicit flow to derive data from tainted objects, as TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid has been implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf].<br />
* hmmm<br />
** words go here<br />
* hmmmmmmmmmm<br />
** words go here<br />
<br />
=References=<br />
[] DENNING, D. E. [http://www.cs.georgetown.edu/~denning/infosec/lattice76.pdf A Lattice Model of Secure Information Flow]. Communications of the ACM 19, 5 (May 1976), 236–243.<br><br />
[]D CEARA, ML POTET et.al [http://tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf Detecting Software Vulnerabilities Static Taint Analysis] GINP ENSIMAG GoogleCode(2009)<br><br />
[] NEWSOME,J.,AND SONG,D. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software] Proceedings of the Network and Distributed System Security Symposium (NDSS 2005)<br><br />
<br />
[] CHOW, J., PFAFF, B., GARFINKEL, T., CHRISTOPHER, K., ROSENBLUM, M., [http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html#sec:future Understanding Data Lifetime via Whole System Simulation] USENIX Secutiry '04 <br><br />
[]HALDAR, V., CHANDRA, D., FRANZ, M. [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.3118&rep=rep1&type=pdf Dynamic Taint Propagation for Java]. University of California.<br />
[]SMITH, E. [http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).] http://pskl.us<br><br />
[]NAIR, S. K., SIMPSON, P. N., CRISPO, B., AND TANENBAUM, [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf A. S. A Virtual Machine Based Information Flow Control Systemfor Policy Enforcement.] International Workshop<br />
on Run Time Enforcement for Mobile and Distributed Systems (REM 2007) <br></div>Sliske