COMP 3000 Essay 2 2010 Question 8 - Revision history

Soma: Protected "COMP 3000 Essay 2 2010 Question 8" ([edit=sysop] (indefinite) [move=sysop] (indefinite))

2010-12-03T19:45:15Z

Protected "COMP 3000 Essay 2 2010 Question 8" ([edit=sysop] (indefinite) [move=sysop] (indefinite))

← Older revision	Revision as of 19:45, 3 December 2010
(No difference)

Sliske: /* Additional questions */

2010-12-02T16:21:33Z

Additional questions

← Older revision		Revision as of 16:21, 2 December 2010
Line 134:		Line 134:
	===Additional questions===		===Additional questions===
	* Provide a brief description of information flow and taint analysis.		* Provide a brief description of information flow and taint analysis.
	** Information flow is the transfer of information between variables, methods, processes, and files. There are two types of information flow: implicit and explicit. Explicit flow is the direct transfer of data that results in it being more accessible than originally intended. Implicit flow refers to the ability to derive information that is supposed to be kept private. Taint analysis attempts to track information flow in order to better understand possible security issues. There are two types of taint analysis: static, which maps all possible paths of a program ; and dynamic, which attempts to follow information as it's transferred in real time. Both can follow both implicit and explicit information flow, however there is a significant run-time disadvantage in tracking implicit flow in dynamic environments, so dynamic taint analysis is often done through emulation. (Background Concepts)		** Information flow is the transfer of information between variables, methods, processes, and files. There are two types of information flow: implicit and explicit. Explicit flow is the direct transfer of data that results in it being more accessible than originally intended. Implicit flow refers to the ability to derive information that is supposed to be kept private. Taint analysis attempts to track information flow in order to better understand possible security issues. There are two types of taint analysis: static, which maps all possible paths of a program; and dynamic, which attempts to follow information as it's transferred in real time. Both can follow both implicit and explicit information flow, however there is a significant run-time disadvantage in tracking implicit flow in dynamic environments, so dynamic taint analysis is often done through emulation. (Background Concepts)
	* How is TaintDroid different from previous taint analysis programs? What are some problems specific to the TaintDroid implementation?		* How is TaintDroid different from previous taint analysis programs? What are some problems specific to the TaintDroid implementation?
	** While dynamic analysis has been done before in many contexts, TaintDroid is one of the first to attempt to do dynamic analysis on a live embedded system with resource constraints, and so has some unique concerns. The most specific is surely the fact that smart phones are resource constrained. Preforming taint analysis without using emulation requires an efficient, low-overhead implementation, or the experiment will grind to a halt. The next largest issue is working with the existing software. TaintDroid needs to go low-level enough in the Android system to see everything the applications may possibly do, and also needs to interpret what the applications on the device are doing with the data, without being able to see the application's source. Since applications are "black-boxes", data may not look the same coming out as going in, and to get around this you must work at a level lower than the applications.(Research Problem)		** While dynamic analysis has been done before in many contexts, TaintDroid is one of the first to attempt to do dynamic analysis on a live embedded system with resource constraints, and so has some unique concerns. The most specific is surely the fact that smart phones are resource constrained. Preforming taint analysis without using emulation requires an efficient, low-overhead implementation, or the experiment will grind to a halt. The next largest issue is working with the existing software. TaintDroid needs to go low-level enough in the Android system to see everything the applications may possibly do, and also needs to interpret what the applications on the device are doing with the data, without being able to see the application's source. Since applications are "black-boxes", data may not look the same coming out as going in, and to get around this you must work at a level lower than the applications.(Research Problem)
	* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one.		* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one.
	** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf [11<nowiki>]</nowiki>].		** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis, or an alternate dynamic analysis implementation [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf [11<nowiki>]</nowiki>].

Sliske: /* Additional questions */

2010-12-02T06:24:02Z

Additional questions

← Older revision		Revision as of 06:24, 2 December 2010
Line 135:		Line 135:
	* Provide a brief description of information flow and taint analysis.		* Provide a brief description of information flow and taint analysis.
	** Information flow is the transfer of information between variables, methods, processes, and files. There are two types of information flow: implicit and explicit. Explicit flow is the direct transfer of data that results in it being more accessible than originally intended. Implicit flow refers to the ability to derive information that is supposed to be kept private. Taint analysis attempts to track information flow in order to better understand possible security issues. There are two types of taint analysis: static, which maps all possible paths of a program ; and dynamic, which attempts to follow information as it's transferred in real time. Both can follow both implicit and explicit information flow, however there is a significant run-time disadvantage in tracking implicit flow in dynamic environments, so dynamic taint analysis is often done through emulation. (Background Concepts)		** Information flow is the transfer of information between variables, methods, processes, and files. There are two types of information flow: implicit and explicit. Explicit flow is the direct transfer of data that results in it being more accessible than originally intended. Implicit flow refers to the ability to derive information that is supposed to be kept private. Taint analysis attempts to track information flow in order to better understand possible security issues. There are two types of taint analysis: static, which maps all possible paths of a program ; and dynamic, which attempts to follow information as it's transferred in real time. Both can follow both implicit and explicit information flow, however there is a significant run-time disadvantage in tracking implicit flow in dynamic environments, so dynamic taint analysis is often done through emulation. (Background Concepts)
	* How is TaintDroid different from previous taint analysis programs? ~~How does it achieve these goals~~?		* How is TaintDroid different from previous taint analysis programs? What are some problems specific to the TaintDroid implementation?
	** While dynamic analysis has been done before in many contexts, TaintDroid is one of the first to attempt to do dynamic analysis on a live embedded system with resource constraints, and so a ~~lot of effort~~ is ~~put into reducing overhead~~. (~~Contribution~~)		** While dynamic analysis has been done before in many contexts, TaintDroid is one of the first to attempt to do dynamic analysis on a live embedded system with resource constraints, and so has some unique concerns. The most specific is surely the fact that smart phones are resource constrained. Preforming taint analysis without using emulation requires an efficient, low-overhead implementation, or the experiment will grind to a halt. The next largest issue is working with the existing software. TaintDroid needs to go low-level enough in the Android system to see everything the applications may possibly do, and also needs to interpret what the applications on the device are doing with the data, without being able to see the application's source. Since applications are "black-boxes", data may not look the same coming out as going in, and to get around this you must work at a level lower than the applications.(Research Problem)
	* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one.		* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one.
	** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf [11<nowiki>]</nowiki>].		** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf [11<nowiki>]</nowiki>].

Sliske: /* Contribution */

2010-12-02T06:09:04Z

Contribution

← Older revision		Revision as of 06:09, 2 December 2010
Line 79:		Line 79:

	=Contribution=		=Contribution=
	The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head is ~~only in regards to~~ a "CPU-bound ~~micro-~~benchmark and ~~imposes negligible overhead on interactive third-party applications~~.~~"(Enck et al., YEAR, p1)~~		The main contribution of the TaintDroid paper is not that they achieved information flow tracking, but that they made it efficient enough to run in real time on real constrained hardware devices with minimal overhead. TaintDroid only causes roughly a 14% CPU overhead and approximately 4.4% memory overhead when tracking 32 taint markings per tainted data unit. It should also be noted that the 14% CPU over-head figure is obtained by using a CPU-bound benchmark, and while highly accurate for the scope it is tested in, the performance loss is not necessarily noticed by the end user.

	This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process~~, a.k.a. inter-application,~~ communications. This also allows them to ~~"patch the~~ taint ~~propagation on return." (Enck et al.~~, ~~YEAR, p3)~~ so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which ~~enables them~~ to ~~ensure "persistent information conservatively retains~~ its taint ~~markings." (Enck et al., YEAR, p3)~~.		This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process communications. This also allows them to modify variable taint tags when a method call returns, so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which allows persistant content to keep its taint marks between sessions.

	Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ [4<nowiki>]</nowiki>], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>], rely on instruction-level dynamic taint analysis using whole system emulation. One analyzer, Panorama Taint System, is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. As Panorama Taint System was one of the first dynamic taint analysis programs, a core feature in Panorama is the real-time abilities. However, Panorama used instruction-level analysis, and so had a high overhead. Most taint analyzing systems using instruction-level methods will result in the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of real-time analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html [4<nowiki>]</nowiki>][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.		Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ [4<nowiki>]</nowiki>], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>], rely on instruction-level dynamic taint analysis using whole system emulation. One analyzer, Panorama Taint System, is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. As Panorama Taint System was one of the first dynamic taint analysis programs, a core feature in Panorama is the real-time abilities. However, Panorama used instruction-level analysis, and so had a high overhead. Most taint analyzing systems using instruction-level methods will result in the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of real-time analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html [4<nowiki>]</nowiki>][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.

Sliske: /* Additional questions */

2010-12-02T06:01:53Z

Additional questions

← Older revision		Revision as of 06:01, 2 December 2010
Line 133:		Line 133:

	===Additional questions===		===Additional questions===
			* Provide a brief description of information flow and taint analysis.
			** Information flow is the transfer of information between variables, methods, processes, and files. There are two types of information flow: implicit and explicit. Explicit flow is the direct transfer of data that results in it being more accessible than originally intended. Implicit flow refers to the ability to derive information that is supposed to be kept private. Taint analysis attempts to track information flow in order to better understand possible security issues. There are two types of taint analysis: static, which maps all possible paths of a program ; and dynamic, which attempts to follow information as it's transferred in real time. Both can follow both implicit and explicit information flow, however there is a significant run-time disadvantage in tracking implicit flow in dynamic environments, so dynamic taint analysis is often done through emulation. (Background Concepts)
			* How is TaintDroid different from previous taint analysis programs? How does it achieve these goals?
			** While dynamic analysis has been done before in many contexts, TaintDroid is one of the first to attempt to do dynamic analysis on a live embedded system with resource constraints, and so a lot of effort is put into reducing overhead. (Contribution)
	* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one.		* Although TaintDroid is adept at catching information leak, there are ways an application can bypass the TaintDroid filter. Describe one.
	** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf [11<nowiki>]</nowiki>].		** An application could use implicit flow to derive data from tainted objects. TaintDroid has no way to inspect implicit flow dynamically, due to no branch structures being maintained at the JVM layer, where TaintDroid is implemented. Instead, control structures would be part of the pre-compiled application binaries, which, while not entirely black boxes, are impractical to investigate dynamically. Implicit flow data leaks can, however, be caught by a static analysis [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.2676&rep=rep1&type=pdf [11<nowiki>]</nowiki>].
	* hmmm
	** words go here
	* hmmmmmmmmmm
	** words go here

Sliske: /* Contribution */

2010-12-02T06:01:32Z

Contribution

← Older revision		Revision as of 06:01, 2 December 2010
Line 83:		Line 83:
	This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).		This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).

	Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ [4<nowiki>]</nowiki>], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>], rely on instruction-level dynamic taint analysis using whole system emulation. One analyzer, Panorama Taint System, is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. As Panorama Taint System was one of the first dynamic taint analysis programs, a core feature in Panorama is the real-time abilities. However, Panorama used instruction-level analysis, and so had a high overhead. Most taint analyzing systems using instruction-level methods will result in the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of real-time analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html [4<nowiki>]</nowiki>][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.		Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ [4<nowiki>]</nowiki>], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>], rely on instruction-level dynamic taint analysis using whole system emulation. One analyzer, Panorama Taint System, is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. As Panorama Taint System was one of the first dynamic taint analysis programs, a core feature in Panorama is the real-time abilities. However, Panorama used instruction-level analysis, and so had a high overhead. Most taint analyzing systems using instruction-level methods will result in the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of real-time analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html [4<nowiki>]</nowiki>][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.

	By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.		By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.

Sliske: /* Contribution */

2010-12-02T06:00:43Z

Contribution

← Older revision		Revision as of 06:00, 2 December 2010
Line 83:		Line 83:
	This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).		This low overhead is achieved by modifying the code directly at the Java Virtual Machine (JVM) layer of the Android system to provide variable-level tracking. This allows direct control over how and what private information, such as location details from the GPS, is stored and accessed, as opposed to relying on heuristics or manual labels. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] Next, they modified the Java Native Interface (JNI) to provide message-level tracking which allows them to monitor inter-process, a.k.a. inter-application, communications. This also allows them to "patch the taint propagation on return." (Enck et al., YEAR, p3) so they can keep track of information transfer via native code. Finally, by modifying the network interface and secondary storage interfaces they are able to provide file-level taint tracking which enables them to ensure "persistent information conservatively retains its taint markings." (Enck et al., YEAR, p3).

	Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ [4<nowiki>]</nowiki>], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>], rely on instruction-level dynamic taint analysis using whole system emulation. One analyzer, Panorama Taint System, is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. As Panorama Taint System was one of the first dynamic taint analysis programs, a core feature in Panorama is the real-time abilities. However, Panorama used instruction-level analysis, and so had a high overhead. Most taint analyzing systems using instruction-level methods will result in the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of real-time analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html [4<nowiki>]</nowiki>][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [~~REF~~] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.		Another contribution of TaintDroid is accuracy of tracking sensitive data. Unlike existing solutions that rely on heavy-weight, whole-system emulation [http://www.usenix.org/events/sec04/tech/chow/chow_html/ [4<nowiki>]</nowiki>], the virtualized architecture of Android allows four levels of taint propagation: variable, method, message, and file. The granularity and flow semantics that TaintDroid offers highly influences the performance and accuracy of TaintDroid. Existing taint tracking approaches, like Panorama Taint System [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>], rely on instruction-level dynamic taint analysis using whole system emulation. One analyzer, Panorama Taint System, is able to perform OS-aware whole system taint analysis to detect and analyze malicious code's information processing behavior. As Panorama Taint System was one of the first dynamic taint analysis programs, a core feature in Panorama is the real-time abilities. However, Panorama used instruction-level analysis, and so had a high overhead. Most taint analyzing systems using instruction-level methods will result in the system preforming from 2-20 times slower than normal, which is not suitable at all for the trend of real-time analysis.[http://www.usenix.org/events/sec04/tech/chow/chow_html/index.html [4<nowiki>]</nowiki>][http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.3789&rep=rep1&type=pdf [11<nowiki>]</nowiki>] Moreover, instruction-level tracking faces a serious problem, taint explosion. When we use some complex instructions such as CMPXCHG, REP MOV,the stack pointer may become falsely tainted or taint loss. [http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>] However, TaintDroid solved this problem with the combination of 4 levels of tracking. For example, the variable level allows TaintDroid to provide flow semantics for taint propagation, allowing distinction between different data pointers at different levels to ensure accuracy.

	By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.		By combining these four levels (variable, method, message and file) of taint tracking, TaintDroid was able to effectively track 30 randomly selected, popular, 3rd party android applications. In doing so TaintDroid correctly flagged 105 instances of tainted information transmission. Of these 105, only 35 were legitimate risks.[http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-145.pdf [9<nowiki>]</nowiki>] It also determined that 50% of the applications submitted the users location to advertising servers and 5 of the applications transmitted the users device ID, phone number and SIM card serial number. Clearly, the higher granularity is needed and TaintDroid is providing a step in the right direction, by providing a highly efficient real time tracking system.

Sliske: /* Implicit Flow */

2010-12-02T03:29:40Z

Implicit Flow

← Older revision		Revision as of 03:29, 2 December 2010
Line 36:		Line 36:
	insecure=0</big><br></code>		insecure=0</big><br></code>
	<br>		<br>
	Since can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.		Since the application can determine the value of information in <i>secure</i> using logic statements, we can indirectly access the secure information. Information leak due to implicit flows is much harder to detect and protect from, due to the indirect nature of implicit flows.

	==Taint Analysis==		==Taint Analysis==

Sliske: /* Critique */

2010-12-02T03:23:32Z

Critique

← Older revision		Revision as of 03:23, 2 December 2010
Line 93:		Line 93:
	Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead.		Challenges of monitoring network disclosure of privacy sensitive information are well outlined, as are TaintDroid's workarounds for these challenges. TaintDroid uses dynamic taint analysis to find a way around the challenges, using a taint source as the targeted sensitive information, and a taint marking to identify the information type. It is easy to see that this research was effective, due to the impressive number of information leaks that were found. TaintDroid effectively identifies information misuse at a high percentage. However, while the implementation is strong in that the overhead is so low and accuracy is high, there are trade-offs that were incurred to meet that overhead.

	To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, ~~precompiled~~ binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.		To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, pre-compiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.

	Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone. This implementation choice was reasonable for the research project TaintDroid is, but taint analysis is (hopefully) of high importance to the everyday user~~, and~~ TaintDroid could have aimed to go further than research.		Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone. This implementation choice was reasonable for the research project TaintDroid is, but taint analysis is (hopefully) of high importance to the everyday user; TaintDroid could have aimed to go further than research.

	Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated ~~envioronment~~. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of ~~'malacious~~ applications'.		Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated environment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of malicious applications. This would allow TaintDroid to be used as a black box.

	=References=		=References=

Sliske: /* Critique */

2010-12-02T03:19:24Z

Critique

← Older revision		Revision as of 03:19, 2 December 2010
Line 95:		Line 95:
	To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.		To prevent additional overhead, TaintDroid does not track implicit data flow or control flow. This partially is because the applications being tested are loaded onto the phone as black-box, precompiled binaries; but mostly because the Android JVM does not maintain branch structures, which TaintDroid could use to track implicit flow dynamically. It is presumed that branch structures are maintained at a kernel level, as a static analysis could uncover data leak stemming from implicit data flow, but dynamic analysis such as TaintDroid cannot. This means that applications can bypass the taint analysis by using implicit flow. There are also other issues, particularly in Taint Tag Storage, which are due to the fact that most string objects have the same tag. Because of the similar tags, it is possible for false positives to occur.

	Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone. ~~Essentially~~, ~~this~~ to ~~make an arguement that~~ TaintDroid could have ~~been made with a set of better design choices~~.		Further more, TaintDroid is a firmware modification, not an application which raises the questions of its usability by the average user. Being a firmware modification drastically reduces its usability unless 'Android System' itself incorporates these changes which is highly unlikely as the overheads, in this case a memory overhead of 4.4%, an IPC overhead of 27% and an overall 14% overhead, are on the higher side in an already resource constrained smartphone. This implementation choice was reasonable for the research project TaintDroid is, but taint analysis is (hopefully) of high importance to the everyday user, and TaintDroid could have aimed to go further than research.

	Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.		Consider a possible alternative implementation of TaintDroid. TaintDroid is incorporated in the firmware and hence incurs an additional overhead as the user uses the phone. Consider the implementation of 'TaintCheck' on an x86 platform.[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.2141&rep=rep1&type=pdf [3<nowiki>]</nowiki>] TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. This allows TaintCheck to monitor and control the program’s execution at a fine-grained level. All the TaintCheck needs is the binary which it the rewrites and uses it in its own emulated environment. What this essentially means is that 'TaintCheck' is a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time on an emulated envioronment. Taking this further, we can consider an implementation of TaintDroid based on similar lines. One can then envision an application in which you uploaded the 'application binary' and then TaintDroid would return a result of whether the application is safe or not. This has the advantage of being needed to run just once before installation and hence the overheads won't be much of a concern. This can even allow TaintDroid to incorporate signature based detection of 'malacious applications'.