Taint Analysis, 2014

SoS Newsletter - Advanced Book Block



Taint Analysis



Taint analysis tracks how data from untrusted sources propagates through a program, and so is an important method for determining the paths along which software can be exploited. As such, it relates to the problems of composability and metrics. The work cited here was published in 2014.

Yadegari, B.; Debray, S., “Bit-Level Taint Analysis,” Source Code Analysis and Manipulation (SCAM), 2014 IEEE 14th International Working Conference on, vol., no., pp. 255, 264, 28-29 Sept. 2014. doi:10.1109/SCAM.2014.43
Abstract: Taint analysis has a wide variety of applications in software analysis, making the precision of taint analysis an important consideration. Current taint analysis algorithms, including previous work on bit-precise taint analyses, suffer from shortcomings that can lead to significant loss of precision (under/over tainting) in some situations. This paper discusses these limitations of existing taint analysis algorithms, shows how they can lead to imprecise taint propagation, and proposes a generalization of current bit-level taint analysis techniques to address these problems and improve their precision. Experiments using a deobfuscation tool indicate that our enhanced taint analysis algorithm leads to significant improvements in the quality of deobfuscation.
Keywords: data flow analysis; bit-level taint analysis; bit-precise taint analysis; deobfuscation tool; software analysis; taint analysis algorithms; taint propagation; Algorithm design and analysis; Data handling; Heuristic algorithms; Performance analysis; Registers; Semantics; Standards; Program Understanding; Reverse Engineering; Taint Analysis (ID#: 15-)

Junhyoung Kim; TaeGuen Kim; Eul Gyu Im, “Survey of Dynamic Taint Analysis,” Network Infrastructure and Digital Content (IC-NIDC), 2014 4th IEEE International Conference on, vol., no., pp. 269, 272, 19-21 Sept. 2014. doi:10.1109/ICNIDC.2014.7000307
Abstract: Dynamic taint analysis (DTA) analyzes the execution paths that an attacker may use to exploit a system. Dynamic taint analysis is a method to analyze executable files by tracing information flow without source code. DTA marks certain inputs to a program as tainted, and then propagates taint to values computed from tainted inputs. Due to the increased popularity of dynamic taint analysis, there have been a few recent research approaches to provide a generalized tainting infrastructure. In this paper, we introduce some approaches to dynamic taint analysis and analyze them. Lam and Chiueh’s approach proposed a method that instruments code to perform taint marking and propagation. DYTAN considers three dimensions: taint sources, propagation policies, and taint sinks; these dimensions make DYTAN a more general framework for dynamic taint analysis. DTA++ extends vanilla dynamic taint analysis by propagating additional taint along targeted control dependencies. Control dependencies cause the results of taint analysis to lose accuracy. To improve accuracy, DTA++ showed that data transformations containing implicit flows should be propagated properly to avoid under-tainting.
Keywords: data flow analysis; security of data; system monitoring; DTA++; DYTAN; attacker; control dependency; data transformation; dynamic taint analysis; executable files; execution paths; generalized tainting infrastructure; information flow tracing; propagation policies; taint marking; taint propagation; taint sink; taint source; Accuracy; Computer security; Instruments; Performance analysis; Software; Testing; dynamic taint analysis (ID#: 15-6636)

Jinxin Ma; Puhan Zhang; Guowei Dong; Shuai Shao; Jiangxiao Zhang, “TWalker: An Efficient Taint Analysis Tool,” Information Assurance and Security (IAS), 2014 10th International Conference on, vol., no., pp. 18, 22, 28-30 Nov. 2014. doi:10.1109/ISIAS.2014.7064628
Abstract: The taint analysis method is usually effective for vulnerability detection. Existing works mostly care about the accuracy of taint propagation, without considering the time cost. We propose a novel method to improve the efficiency of taint propagation with indices. Based on our method, we have implemented TWalker, an effective vulnerability detection tool that enables easy data flow analysis of real-world programs, providing faster taint analysis than other existing works. TWalker has four properties: first, it works directly on programs without source code; second, it monitors the program’s execution and records its necessary context; third, it delivers fine-grained taint analysis, providing fast taint propagation with indices; fourth, it can detect vulnerabilities effectively based on two security property rules. We have evaluated TWalker with several real-world programs and compared it with a typical taint analysis tool. The experimental results show that our tool performs taint propagation much faster than the other tool and has better ability for vulnerability detection.
Keywords: data flow analysis; security of data; TWalker; efficient taint analysis tool; fine grained taint analysis; program execution; security property rules; taint propagation; vulnerabilities detection; Context; Indexes; Monitoring; Software; indices; security property; taint analysis; trace (ID#: 15-6637)

Lokhande, B.; Dhavale, S., “Overview of Information Flow Tracking Techniques Based on Taint Analysis for Android,” Computing for Sustainable Global Development (INDIACom), 2014 International Conference on, vol., no., pp. 749, 753, 5-7 March 2014. doi:10.1109/IndiaCom.2014.6828062
Abstract: Smartphones today are a ubiquitous source of sensitive information. Information leakage instances on smartphones are on the rise because of the exponential growth of the smartphone market. Android is the most widely used operating system on smartphones. Many information flow tracking and information leakage detection techniques have been developed for the Android operating system. Taint analysis is a commonly used data flow analysis technique which tracks the flow of sensitive information and its leakage. This paper provides an overview of existing information flow tracking techniques based on taint analysis for Android applications. It is observed that static analysis techniques look at the complete program code and all possible paths of execution before it runs, whereas dynamic analysis looks at the instructions executed in the program run in real time. We provide an in-depth analysis of both static and dynamic taint analysis approaches.
Keywords: Android (operating system); data flow analysis; smart phones; Android; Information leakage instances; data flow analysis technique; dynamic analysis; dynamic taint analysis approaches; exponential smartphone market growth; information flow tracking techniques; information leakage detection techniques; program code; program-run; static analysis techniques; static taint analysis approaches; Androids; Humanoid robots; Operating systems; Privacy; Real-time systems; Security; Smart phones; Android Operating System; Mobile Security; static and dynamic taint analysis (ID#: 15-6638)

Gen Li; Ying Zhang; Shuang-xi Wang; Kai Lu, “Online Taint Propagation Analysis with Precise Pointer-to Analysis for Detecting Bugs in Binaries,” High Performance Computing and Communications, 2014 IEEE 6th Int’l Symposium on Cyberspace Safety and Security, 2014 IEEE 11th Int’l Conference on Embedded Software and Systems (HPCC,CSS,ICESS), 2014 IEEE International Conference on, vol., no., pp. 778, 784, 20-22 Aug. 2014. doi:10.1109/HPCC.2014.130
Abstract: The dynamic test generation approach is becoming increasingly popular for finding security vulnerabilities in software, and is applied to detect bugs in binaries. However, existing such systems adopt offline symbolic analysis and execution based on a program execution trace which includes the flow of executed instructions and the operand values, with all pointers or indirect memory accesses replaced by their execution values. This yields two fatal problems: first, all symbolic information about pointers or indirect memory accesses is missing; second, the symbolic information of other variables is not accurate, especially for variables operated on with pointers. We propose an approach, online taint propagation analysis, for finding fatal bugs in pre-release binary software, and implement a systematic automatic dynamic test generation system, Hunter, for binary software testing. Our system implements accurate analysis by online taint propagation analysis and online byte-precise points-to analysis, thus finding online unknown high-priority fatal bugs that must be fixed immediately at the pre-release stage in binaries. The effectiveness of the techniques and the approach is validated by revealing many fatal bugs in both benchmarks and large real-world applications.
Keywords: program debugging; program testing; security of data; Hunter; automatic dynamic test generation system; binary software testing; bugs detection; dynamic test generation approach; online byte-precise point-to analysis; online taint propagation analysis; program execution trace; software security vulnerability; symbolic analysis; symbolic execution; Benchmark testing; Binary codes; Computer bugs; Layout; Security; Software; online byte-precise point-to analysis; symbolic taint analysis; taint-oriented online analysis (ID#: 15-6639)

Zhang Puhan; Wu Jianxiong; Wang Xin; Zehui Wu, “Program Crash Analysis Based on Taint Analysis,” P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC), 2014 Ninth International Conference on, vol., no., pp. 492, 498, 8-10 Nov. 2014. doi:10.1109/3PGCIC.2014.100
Abstract: Software exception analysis can not only improve software stability before it is put into commercial use, but also optimize the priority of subsequent patch updates. We propose a more practical software exception analysis approach based on taint analysis, from the point of view of whether an exception of the software can be exploited by an attacker. It first identifies the type of exception, then performs taint analysis on the trace between the program entry point and the exception point, recording taint information for the memory set and registers. It finally gives the result by integrating the above records with analysis of the subsequent instructions. We implement this approach in our exception analysis framework ExpTracer, and evaluate it with some exploitable/unexploitable exceptions, which shows that our approach is more accurate in identifying exceptions compared with current tools.
Keywords: exception handling; program diagnostics; ExpTracer; exception point; exploitable exceptions; memory set; patch update priority optimization; program crash analysis; program entry point; registers; software exception analysis; software stability; subsequent instruction analysis; taint analysis; unexploitable exceptions; Algorithm design and analysis; Computer crashes; Instruments; Optimization; Personnel; Registers; Software; Software engineering; crash analysis; exception classification (ID#: 15-6640)

Ping Wang; Wun Jie Chao; Kuo-Ming Chao; Chi-Chun Lo, “Using Taint Analysis for Threat Risk of Cloud Applications,” e-Business Engineering (ICEBE), 2014 IEEE 11th International Conference on, vol., no., pp. 185, 190, 5-7 Nov. 2014. doi:10.1109/ICEBE.2014.40
Abstract: Most existing approaches to developing cloud applications using threat analysis involve program vulnerability analyses for identifying the security holes associated with malware attacks. New malware attacks can bypass firewall-based detection by bypassing stack protection and by using Hypertext Transfer Protocol logging, kernel hacks, and library hacking techniques against cloud applications. In performing threat analysis for unspecified malware attacks, software engineers can use a taint analysis technique for tracking information flows from attack sources (malware) and detecting vulnerabilities of targeted network applications. This paper proposes a threat risk analysis model incorporating an improved attack tree analysis scheme for solving the mobile security problem; in the model, Android programs perform taint checking to analyse the risks posed by suspicious applications. In probabilistic risk analysis, defence evaluation metrics are used for each attack path to assist a defender in simulating the results of malware attacks and estimating the impact losses. Finally, a case of threat analysis of a typical cyber security attack is presented to demonstrate the proposed approach.
Keywords: Android (operating system); firewalls; hypermedia; invasive software; mobile computing; program diagnostics; risk analysis; trees (mathematics); Android programs; attack sources; cloud applications; cyber security attack; defence evaluation metrics; firewall-based detection; hypertext transfer protocol logging; improved attack tree analysis scheme; information flow tracking; kernel hacks; library hack techniques; malware attacks; mobile security problem; probabilistic risk analysis; program vulnerability analysis; security holes; software engineers; stack protection; taint analysis technique; taint checking; threat analysis; threat risk analysis model; Analytical models; Malware; Measurement; Probabilistic logic; Risk analysis; Software; Attack defence tree; Cyber attacks; Taint checking; Threat; analysis (ID#: 15-6641)

Meijian Li; Wang, Yongjun; Xie, Peidai; Zhijian Huang, “Reverse Analysis of Secure Communication Protocol Based on Taint Analysis,” Communications Security Conference (CSC 2014), 2014, vol., no., pp. 1, 8, 22-24 May 2014. doi:10.1049/cp.2014.0729
Abstract: To maintain communications confidentiality, security protocols are widely used in more and more network applications. Moreover, some malware even leverages these kinds of protocols to evade inspection by IDS. Most security protocols are designed and verified by formal methods; however, observation shows that protocol implementations commonly contain flaws or vulnerabilities. Therefore, research on reverse engineering of security protocols can play an important role in improving the security of network applications, especially by providing another way to fight against malware. Nevertheless, previous protocol reverse engineering technologies, which are based on analysis of network traces, encounter great challenges when the network messages transmitted between different protocol principals are encrypted. This paper proposes a taint analysis based method which aims to infer the message format from dynamic execution of security protocol applications. The proposed approach is based on the observation that the process of message parsing in cryptographic protocol applications reveals rich information about the hierarchical structure and semantics of their messages. Hence, by observing library function calls and instruction execution in network programs, the proposed approach can derive a large amount of information about their protocol, such as message format and protocol model, even when the communication is encrypted. Experiments show that the reverse analysis results not only accurately identify message fields, but also unveil the structure of the encrypted message fields.
Keywords: Dynamic-Binary-Analysis; Protocol-Format; Protocol-Reverse-Engineering; Security-Protocol; Taint-Analysis (ID#: 15-6642)

Ki-Jin Eom; Choong-Hyun Choi; Joon-Young Paik; Eun-Sun Cho, “An Efficient Static Taint-Analysis Detecting Exploitable-Points on ARM Binaries,” Reliable Distributed Systems (SRDS), 2014 IEEE 33rd International Symposium on, vol., no., pp. 345, 346, 6-9 Oct. 2014. doi:10.1109/SRDS.2014.66
Abstract: This paper aims to differentiate benign vulnerabilities from those used by cyber-attacks, based on STA (Static Taint Analysis). To achieve this goal, the proposed STA determines if a crash stems from severe vulnerabilities, after analyzing related exploitable points in ARM binaries. We envision that the proposed analysis would reduce the complexity of analysis by making use of CPA (Constant Propagation Analysis) and runtime information about crash points.
Keywords: program diagnostics; security of data; ARM binaries; CPA; STA; benign vulnerabilities; constant propagation analysis; cyber-attacks; exploitable-points detection; runtime information; static taint-analysis; Reliability; ARM binary; IDA Pro plug-in; crash point; data flow analysis; exploitable; reverse engineering; taint Analysis (ID#: 15-6643)
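
The ExpTracer entry and the ARM entry above both reduce crash triage to one question: does attacker-controlled input reach the operand that faulted? The following is an added example of that triage step for this newsletter, not code from either paper. It assumes a toy three-register machine with a constructed instruction syntax, an input buffer mapped at a made-up address, and verdict labels of its own; a real tool would take the trace from a debugger or a Pin-style tracer and would also perform the analysis of the instructions after the fault that the ExpTracer abstract mentions.

```python
"""Crash triage with dynamic taint tracking over an instruction trace.

Constructed, added example (not any cited tool). A toy 32-bit machine executes a
recorded trace; every byte of the input buffer is a taint source, taint follows
loads, stores and arithmetic, and when an instruction faults the triage step asks
whether attacker input reaches the operand that faulted. Instruction syntax,
register names, addresses and verdict labels are this example's own conventions.
"""
INPUT_BASE = 0x1000          # where the attacker-supplied buffer is mapped (assumed)
TEXT = {0x401000}            # the only valid call target in this toy (assumed)
EXPLOITABLE = "exploitable"
PROBABLE = "probably exploitable"
DOS = "denial of service only"
BENIGN = "probably not exploitable"


class Fault(Exception):
    pass


class Machine:
    def __init__(self, user_input):
        self.regs = {"eax": 0, "ebx": 0, "ecx": 0}
        self.rtaint = {r: False for r in self.regs}
        self.mem = {INPUT_BASE + i: b for i, b in enumerate(user_input)}
        self.mtaint = {a: True for a in self.mem}   # taint source: the whole buffer

    def _mapped(self, addr):
        return all(addr + i in self.mem for i in range(4))

    def load(self, addr):
        if not self._mapped(addr):
            raise Fault("read from unmapped address 0x%x" % addr)
        raw = bytes(self.mem[addr + i] for i in range(4))
        return int.from_bytes(raw, "little"), any(self.mtaint[addr + i] for i in range(4))

    def store(self, addr, val, tainted):
        if not self._mapped(addr):
            raise Fault("write to unmapped address 0x%x" % addr)
        for i, b in enumerate(val.to_bytes(4, "little")):
            self.mem[addr + i], self.mtaint[addr + i] = b, tainted

    def ptr_taint(self, op):
        """Taint of the register an operand names or dereferences; immediates are clean."""
        return self.rtaint.get(op.strip("[]"), False)

    def value(self, op):
        if op.startswith("["):
            return self.load(self.regs[op[1:-1]])
        if op in self.regs:
            return self.regs[op], self.rtaint[op]
        return int(op, 0), False          # immediate constants are never tainted

    def step(self, mnem, ops):
        if mnem == "mov":
            val, t = self.value(ops[1])
            if ops[0].startswith("["):
                self.store(self.regs[ops[0][1:-1]], val, t)
            else:
                self.regs[ops[0]], self.rtaint[ops[0]] = val, t
        elif mnem == "add":
            val, t = self.value(ops[1])
            self.regs[ops[0]] = (self.regs[ops[0]] + val) & 0xFFFFFFFF
            self.rtaint[ops[0]] |= t
        elif mnem == "div":
            val, t = self.value(ops[0])
            if val == 0:
                raise Fault("divide by zero")
            self.regs["eax"] //= val
            self.rtaint["eax"] |= t
        elif mnem == "call":
            val, _ = self.value(ops[0])
            if val not in TEXT:
                raise Fault("call to unmapped address 0x%x" % val)
        else:
            raise ValueError("unsupported mnemonic " + mnem)

    def triage(self, mnem, ops, reason):
        """Verdict from the exception type plus the taint of the faulting operand."""
        if mnem == "call":                       # control-flow transfer
            return (EXPLOITABLE if self.ptr_taint(ops[0]) else BENIGN), reason
        if mnem == "div":                        # no memory corruption possible here
            return DOS, reason
        if mnem == "mov" and ops[0].startswith("["):   # write through a pointer
            return (EXPLOITABLE if self.ptr_taint(ops[0]) else BENIGN), reason
        if mnem == "mov" and ops[1].startswith("["):   # read through a pointer
            return (PROBABLE if self.ptr_taint(ops[1]) else BENIGN), reason
        return BENIGN, reason

    def run(self, trace):
        for insn in trace:
            mnem, *ops = insn.replace(",", " ").split()
            try:
                self.step(mnem, ops)
            except Fault as f:
                return self.triage(mnem, ops, str(f))
        return None, "trace completed without a fault"


def triage_trace(user_input, trace):
    return Machine(user_input).run(trace)[0]


# Constructed input: the first dword is an attacker-chosen pointer, the second is zero.
SAMPLE_INPUT = b"\x41\x41\x41\x41" + b"\x00" * 4
WRITE_TRACE = ["mov ecx, 0x1000", "mov eax, [ecx]", "add eax, 0x10", "mov [eax], ebx"]
CALL_TRACE = ["mov ecx, 0x1000", "mov eax, [ecx]", "call eax"]
NULL_TRACE = ["mov eax, 0", "mov ebx, [eax]"]
DIV_TRACE = ["mov ecx, 0x1004", "mov ebx, [ecx]", "div ebx"]

if __name__ == "__main__":
    for name, trace in [("write", WRITE_TRACE), ("call", CALL_TRACE),
                        ("null", NULL_TRACE), ("div", DIV_TRACE)]:
        print(name, "->", Machine(SAMPLE_INPUT).run(trace))
```

The null-pointer read and the attacker-controlled write both raise the same exception type; only the taint state at the crash point separates them, which is the point both abstracts make.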

Schutte, J.; Titze, D.; de Fuentes, J.M., “AppCaulk: Data Leak Prevention by Injecting Targeted Taint Tracking into Android Apps,” Trust, Security and Privacy in Computing and Communications (TrustCom), 2014 IEEE 13th International Conference on, vol., no., pp. 370, 379, 24-26 Sept. 2014. doi:10.1109/TrustCom.2014.48
Abstract: As Android is entering the business domain, leaks of business-critical and personal information through apps become major threats. Due to the context-insensitive nature of the Android permission model, information flow policies cannot be enforced by on-board mechanisms. We therefore propose AppCaulk, an approach to harden any existing Android app by injecting a targeted dynamic taint analysis, which tracks and blocks unwanted information flows at runtime. Critical data flows are first discovered using a static taint analysis and the relevant data propagation paths are instrumented with taint tracking code at register level. At runtime the dynamic taint analysis woven into the app detects and blocks data leaks as they are about to occur. In contrast to existing taint analysis approaches like TaintDroid, AppCaulk does not require modification of the Android middleware and can thus be applied to any stock Android installation. In this paper, we explain the design of AppCaulk, describe the evaluation of its prototype, and compare its effectiveness with TaintDroid.
Keywords: Android (operating system); authorisation; middleware; Android apps; Android middleware; AppCaulk; TaintDroid; business domain; business-critical information leaks; context-insensitive Android permission model; critical data flows; data leak blockage; data leak detection; data leak prevention; data propagation paths; dynamic taint analysis; information flow blockage; information flow policies; information flow tracking; personal information leaks; register level; static taint analysis; stock Android installation; taint tracking code; targeted dynamic taint tracking analysis; Androids; Humanoid robots; Instruments; Middleware; Registers; Runtime; Smart phones; Android; information flow; instrumentation; taint analysis (ID#: 15-6644)

Jun Cai; Shangfei Yang; Jinquan Men; Jun He, “Automatic Software Vulnerability Detection Based on Guided Deep Fuzzing,” Software Engineering and Service Science (ICSESS), 2014 5th IEEE International Conference on, vol., no., pp. 231, 234, 27-29 June 2014. doi:10.1109/ICSESS.2014.6933551
Abstract: Software security has become a very important part of information security in recent years. Fuzzing has proven successful in finding software vulnerabilities, which are one major cause of information security incidents. However, the efficiency of traditional fuzz testing tools is usually very poor due to the blindness of test generation. In this paper, we present Sword, an automatic fuzzing system for software vulnerability detection, which combines fuzzing with symbolic execution and taint analysis techniques to tackle the above problem. Sword first uses symbolic execution to collect program execution paths and their corresponding constraints, then uses taint analysis to check these paths; the most dangerous paths, which most likely lead to vulnerabilities, are then fuzzed more deeply. Thus, with the guidance of symbolic execution and taint analysis, Sword generates the test cases most likely to trigger potential vulnerabilities lying deep in applications.
Keywords: program diagnostics; program testing; security of data; Sword; automatic fuzzing system; automatic software vulnerability detection; guided deep fuzzing; information security; software security; symbolic execution; taint analysis technique; Databases; Engines; Information security; Monitoring; Software; Software testing; fuzzing; software vulnerability detection; taint analysis (ID#: 15-6645)

Wei Lin; Jinlong Fei; Yuefei Zhu; Xiaolong Shi, “A Method of Multiple Encryption and Sectional Encryption Protocol Reverse Engineering,” Computational Intelligence and Security (CIS), 2014 Tenth International Conference on, vol., no., pp. 420, 424, 15-16 Nov. 2014. doi:10.1109/CIS.2014.114
Abstract: Research on reverse engineering of unknown network protocols is of great significance in many network security applications. Currently most methods are limited to analyzing plain-text protocols, and the few methods that can partly analyze encrypted protocols are powerless against multiple encryption or sectional encryption protocols. This paper proposes a method of encrypted protocol reverse engineering based on dynamic taint analysis. The method uses Pin to record executed instructions, then conducts off-line analysis of the data dependencies to build two taint propagation graphs, at the instruction and function level, and then recovers the decryption process. The decrypted plaintext can be located thanks to the characteristic features of the decryption process, and the format of the protocol can then be parsed. Experiments show that the method can accurately locate the decrypted protocol data of multiple encryption and sectional encryption protocols, and restore the original format.
Keywords: computer network security; cryptographic protocols; reverse engineering; Pin; data dependencies; decryption process feature; dynamic taint analysis; encryption protocol reverse engineering; executed instructions; function level; instruction level; network security applications; offline analysis; plain-text protocols; plaintext decryption process; sectional encryption protocol; taint propagation graphs; unknown network protocol reverse engineering; Encryption; Flow graphs; Memory management; Protocols; Reverse engineering; decryption process recovering; multiple encryption; sectional encryption (ID#: 15-6646)

Rawat, S.; Mounier, L.; Potet, M.-L., “LiSTT: An Investigation into Unsound-Incomplete Yet Practical Result Yielding Static Taintflow Analysis,” Availability, Reliability and Security (ARES), 2014 Ninth International Conference on, vol., no., pp. 498, 505, 8-12 Sept. 2014. doi:10.1109/ARES.2014.74
Abstract: Vulnerability analysis is an important component of software assurance practices. One of its most challenging issues is to find software flaws that could be exploited by malicious users. A necessary condition is the existence of some tainted information flow between tainted input sources and vulnerable functions. Finding the existence of such a taint flow dynamically is an expensive and nondeterministic process. On the other hand, though static analysis may (theoretically) explore all the tainted paths, scalability is an issue, especially in view of completeness and soundness. In this paper, we explore the possibilities of making static analysis scalable by compromising its completeness and soundness properties, yet making it effective in detecting taint flows that lead to vulnerability exploitation. This technique is based on a combination of call graph slicing and data-flow analysis. A prototype tool has been developed, and we give experimental results showing that this approach is effective on large applications.
Keywords: data flow analysis; program testing; security of data; software fault tolerance; LiSTT; call graph slicing; complete properties; data-flow analysis; malicious users; security testing; software assurance practices; software flaws; soundness properties; static taintflow analysis; taint flows detection; tainted information flow; tainted input sources; tainted paths; vulnerability analysis; vulnerable functions; Binary codes; Complexity theory; Context; Scalability; Security; Software; Testing; Security testing (assurance); binary code; program chopping; static taint analysis (ID#: 15-6647)

Gupta, M.K.; Govil, M.C.; Singh, G., “A Context-Sensitive Approach for Precise Detection of Cross-Site Scripting Vulnerabilities,” Innovations in Information Technology (INNOVATIONS), 2014 10th International Conference on, vol., no., pp. 7, 12, 9-11 Nov. 2014. doi:10.1109/INNOVATIONS.2014.6987553
Abstract: Currently, dependence on web applications is increasing rapidly for social communication, health services, financial transactions and many other purposes. Unfortunately, the presence of cross-site scripting vulnerabilities in these applications allows a malicious user to steal sensitive information, install malware, and perform various malicious operations. Researchers have proposed various approaches and developed tools to detect XSS vulnerabilities in the source code of web applications. However, existing approaches and tools are not free from false positive and false negative results. In this paper, we propose a taint analysis and defensive programming based, HTML context-sensitive approach for precise detection of XSS vulnerabilities in the source code of PHP web applications. It also provides automatic suggestions to improve the vulnerable source code. Preliminary experiments and results on test subjects show that the proposed approach is more efficient than existing ones.
Keywords: Internet; hypermedia markup languages; invasive software; source code (software); Web application; XSS vulnerability; cross-site scripting vulnerability; defensive programming based HTML context-sensitive approach; financial transaction; health services; malicious operation; malicious user; malware; precise detection; sensitive information; social communication; source code; taint analysis; Browsers; Context; HTML; Security; Servers; Software; Standards; Cross-Site Scripting; Software Development Life Cycle; Taint Analysis; Vulnerability Detection; XSS Attacks (ID#: 15-6648)

Short, A.; Feng Li, “Android Smartphone Third Party Advertising Library Data Leak Analysis,” Mobile Ad Hoc and Sensor Systems (MASS), 2014 IEEE 11th International Conference on, vol., no., pp. 749, 754, 28-30 Oct. 2014. doi:10.1109/MASS.2014.131
Abstract: Android has many security flaws that are being exploited by malicious developers. Common malware includes many different kinds of behaviors; from complicated root exploits — to simple private data leakage via explicit permissions. The security features that have been put in place by the Android developers have proven to be insufficient and incapable of preventing malware from proliferating through official and unofficial repositories. Private data leakage has become a popular topic because of the sheer number of applications that request the various permissions to access mobile device’s private data and an influx of general privacy concerns amongst the Android community.
Keywords: authorisation; data privacy; invasive software; smart phones; Android smartphone third party advertising library data leak analysis; malware; mobile device private data access; official repositories; private data leakage; security flaws; unofficial repositories; Advertising; Fingerprint recognition; Libraries; Malware; Smart phones; Testing; taint analysis; data leaks; advertising libraries; malware evasion; Droidbox (ID#: 15-6649)

Peng Li; Guodong Li; Gopalakrishnan, G., “Practical Symbolic Race Checking of GPU Programs,” High Performance Computing, Networking, Storage and Analysis, SC14: International Conference for, vol., no., pp. 179, 190, 16-21 Nov. 2014. doi:10.1109/SC.2014.20
Abstract: Even the careful GPU programmer can inadvertently introduce data races while writing and optimizing code. Currently available GPU race checking methods fall short either in terms of their formal guarantees, ease of use, or practicality. Existing symbolic methods: (1) do not fully support existing CUDA kernels, (2) may require user-specified assertions or invariants, (3) often require users to guess which inputs may be safely made concrete, (4) tend to explode in complexity when the number of threads is increased, and (5) explode in the face of thread-ID based decisions, especially in a loop. We present SESA, a new tool combining Symbolic Execution and Static Analysis to analyze C++ CUDA programs that overcomes all these limitations. SESA also scales well to handle non-trivial benchmarks such as Parboil and Lonestar, and is the only tool of its class that handles such practical examples. This paper presents SESA’s methodological innovations and practical results.
Keywords: C++ language; graphics processing units; parallel architectures; program diagnostics; C++ CUDA program; CUDA kernel; GPU program; Lonestar; Parboil; SESA; static analysis; symbolic execution; symbolic race checking; thread-ID based decision; Concrete; Graphics processing units; History; Indexes; Instruction sets; Kernel; Schedules; CUDA; Data Flow Analysis; Formal Verification; GPU; Parallelism; Symbolic Execution; Taint Analysis; Virtual Machine (ID#: 15-6650)

Gupta, M.K.; Govil, M.C.; Singh, G., “An Approach to Minimize False Positive in SQLI Vulnerabilities Detection Techniques Through Data Mining,” Signal Propagation and Computer Technology (ICSPCT), 2014 International Conference on, vol., no., pp. 407, 410, 12-13 July 2014. doi:10.1109/ICSPCT.2014.6884962
Abstract: Dependence on web applications is increasing very rapidly in recent times for social communication, health problems, financial transactions and many other purposes. Unfortunately, the presence of security weaknesses in web applications allows malicious users to exploit various security vulnerabilities and becomes the reason for their failure. Currently, SQL Injection (SQLI) attacks exploit the most dangerous security vulnerabilities in various popular web applications, e.g., eBay, Google, Facebook, Twitter, etc. Research on taint-based vulnerability detection has been quite intensive in the past decade. However, these techniques are not free from false positive and false negative results. In this paper, we propose an approach to minimize false positives in SQLI vulnerability detection techniques using data mining concepts. We have implemented a prototype tool for PHP and MySQL technologies and evaluated it on six real-world applications and NIST benchmarks. Our evaluation and comparison results show that the proposed technique detects SQLI vulnerabilities with a low percentage of false positives.
Keywords: Internet; SQL; data mining; security of data; social networking (online); software reliability; Facebook; Google; MySQL technology; PHP; SQL injection attack; SQLI vulnerability detection techniques; Twitter; data mining; eBay; false positive minimization; financial transaction; health problem; social communications; taint based vulnerability detection; Computers; Software; SQLI attack; SQLI vulnerability; false positive; input validation; sanitization; taint analysis (ID#: 15-6651)
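
The two Gupta, Govil and Singh entries above (the HTML context-sensitive XSS detector and the SQLI detector that tries to keep sanitized and validated inputs from being reported) rest on the same mechanism: a static taint pass in which a sanitizer discharges taint only for the sink contexts it actually covers. The following is an added example of that mechanism written for this newsletter, not the authors' tool. It models a PHP script as a tiny straight-line IR of its own design; the context names, the sanitizer adequacy table and the suggestion text are this example's assumptions, chosen from well-known PHP escaping rules.

```python
"""Context-sensitive static taint checking for XSS and SQL injection sinks.

Constructed, added example, not the cited authors' tools. A PHP script is modelled as
a tiny straight-line IR; the sanitizer table records, for each PHP function, the
output contexts it is adequate for. Context names, IR shapes and suggestion text are
this example's own conventions.
"""

# Sanitizer -> sink contexts for which it is a complete defence.
SANITIZES = {
    # HTML escaping covers element bodies and double-quoted attributes (with ENT_QUOTES),
    # but not a value spliced into JavaScript or SQL.
    "htmlspecialchars": {"html_body", "html_attr_quoted"},
    # json_encode yields a JS literal; by default it also escapes "/" and non-ASCII,
    # so "</script>" and U+2028/2029 cannot break out of the script block.
    "json_encode": {"js_value"},
    # An integer is safe in every context.
    "intval": {"html_body", "html_attr_quoted", "js_value", "sql_quoted", "sql_raw"},
    # Escaping only helps inside a quoted SQL string literal, never in an unquoted position.
    "mysqli_real_escape_string": {"sql_quoted"},
}

# Sinks where the value can never become code, whatever its content.
SAFE_CONTEXTS = {"sql_param"}   # bound parameter of a prepared statement

SUGGEST = {
    "html_body": "wrap in htmlspecialchars($v, ENT_QUOTES, 'UTF-8')",
    "html_attr_quoted": "wrap in htmlspecialchars($v, ENT_QUOTES, 'UTF-8') and keep the attribute quoted",
    "js_value": "emit with json_encode($v); HTML escaping does not protect a script context",
    "sql_quoted": "bind the value as a prepared-statement parameter",
    "sql_raw": "bind the value as a prepared-statement parameter, or intval() it if numeric",
}


def analyze(program):
    """Forward pass: track which sanitizers each tainted variable has been through and
    report every sink whose context none of them covers."""
    taint = {}        # var -> frozenset of sanitizers applied; absent = untainted
    findings = []
    for i, stmt in enumerate(program):
        kind = stmt[0]
        if kind == "source":                       # $v = $_GET[...]
            taint[stmt[1]] = frozenset()
        elif kind == "call":                       # $dst = fn($src)
            _, dst, fn, src = stmt
            if src in taint:
                # Unknown functions conservatively preserve taint (a source of false positives).
                taint[dst] = taint[src] | ({fn} if fn in SANITIZES else set())
            else:
                taint.pop(dst, None)
        elif kind == "concat":                     # $dst = $a . $b
            _, dst, a, b = stmt
            parts = [taint[v] for v in (a, b) if v in taint]
            if parts:   # a sanitizer only counts if every tainted part went through it
                taint[dst] = frozenset.intersection(*parts)
            else:
                taint.pop(dst, None)
        elif kind == "sink":                       # echo / query in the given context
            _, ctx, var = stmt
            if ctx in SAFE_CONTEXTS or var not in taint:
                continue
            if not any(ctx in SANITIZES[s] for s in taint[var]):
                findings.append((i, ctx, var, SUGGEST[ctx]))
    return findings


# Constructed program, with the PHP it stands for in the comments.
PROGRAM = [
    ("source", "name"),                                   # $name = $_GET['name'];
    ("call", "safe_html", "htmlspecialchars", "name"),    # $safe_html = htmlspecialchars($name);
    ("sink", "html_body", "safe_html"),                   # echo "<p>$safe_html</p>";
    ("sink", "js_value", "safe_html"),                    # echo "<script>var n='$safe_html';</script>";
    ("call", "safe_js", "json_encode", "name"),           # $safe_js = json_encode($name);
    ("sink", "js_value", "safe_js"),                      # echo "<script>var n=$safe_js;</script>";
    ("source", "id"),                                     # $id = $_GET['id'];
    ("call", "esc_id", "mysqli_real_escape_string", "id"),
    ("sink", "sql_raw", "esc_id"),                        # "SELECT ... WHERE id = $esc_id"
    ("call", "num_id", "intval", "id"),                   # $num_id = intval($id);
    ("sink", "sql_raw", "num_id"),                        # "SELECT ... WHERE id = $num_id"
    ("sink", "sql_param", "id"),                          # $stmt->bind_param("s", $id);
]

if __name__ == "__main__":
    for line, ctx, var, fix in analyze(PROGRAM):
        print(f"stmt {line}: ${var} reaches a {ctx} sink unsanitized for that context; {fix}")
```

A context-insensitive checker would either accept both `htmlspecialchars` uses (missing the script-context XSS at statement 3) or reject every escaped value (false positives at statements 2, 5 and 10); keying the sanitizer table on the sink context is what separates the two, and the bound-parameter sink shows why the safest fix for SQL is to change the sink rather than the string.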

Zhang Puhan; Wu Jianxiong; Wang Xin; Wu Zehui, “Decrypted Data Detection Algorithm Based on Dynamic Dataflow Analysis,” Computer, Information and Telecommunication Systems (CITS), 2014 International Conference on, vol., no., pp. 1, 4, 7-9 July 2014. doi:10.1109/CITS.2014.6878965
Abstract: Cryptographic algorithm detection has received a lot of attention recently, whereas methods to detect decrypted data require further research. A decrypted memory detection method using dynamic dataflow analysis is proposed in this paper. Based on the intuition that decrypted data is generated in the cryptographic function, and on the unique features of decrypted data, we analyze the parameter sets of the cryptographic function and propose a model based on the input and output of the cryptographic function. Experimental results demonstrate that our approach can effectively detect decrypted memory.
Keywords: cryptography; data flow analysis; cryptographic algorithm detection; decrypted data; decrypted memory detection method; dynamic dataflow analysis; Algorithm design and analysis; Encryption; Heuristic algorithms; Software; Software algorithms; Cryptographic; Dataflow analysis; Decrypted memory; Taint analysis (ID#: 15-6652)

Shao Shuai; Dong Guowei; Guo Tao; Yang Tianchang; Shi Chenjie, “Analysis on Password Protection in Android Applications,” P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC), 2014 Ninth International Conference on, vol., no., pp. 504, 507, 8-10 Nov. 2014. doi:10.1109/3PGCIC.2014.102
Abstract: Although there has been much research on the leakage of sensitive data in Android applications, most of the existing research focuses on how to detect the malware or adware that is intentionally collecting user privacy. There is not much research on analyzing the vulnerabilities of apps that may cause the leakage of privacy. In this paper, we present a vulnerability analysis method which combines taint analysis and cryptography misuse detection. The four steps of this method are decompilation, taint analysis, API call recording, and cryptography misuse analysis; all of these steps except taint analysis can be executed by existing tools. We develop a prototype tool, PW Exam, to analyze how passwords are handled and whether the app is vulnerable to password leakage. Our experiment shows that a third of apps are vulnerable to leaking the users’ passwords.
Keywords: cryptography; data privacy; mobile computing; smart phones; API call record; Android applications; PW Exam; cryptography misuse analysis; cryptography misuse detection; decompile step; password leakage; password protection; taint analysis; user privacy; vulnerability analyzing method; Androids; Encryption; Humanoid robots; Privacy; Smart phones; Android apps; leakage; password; vulnerability (ID#: 15-6653)

Bo Wu; Mengjun Li; Bin Zhang; Quan Zhang; Chaojing Tang, “Directed Symbolic Execution for Binary Vulnerability Mining,” Electronics, Computer and Applications, 2014 IEEE Workshop on, vol., no., pp. 614, 617, 8-9 May 2014. doi:10.1109/IWECA.2014.6845694
Abstract: Despite more than two decades of independent, academic, and industry-related research, software vulnerabilities remain the main reason that undermines the security of our systems. Taint analysis and symbolic execution are among the most promising approaches for vulnerability detection, but neither one can remedy the problem on its own. In this paper, we try to combine taint analysis and symbolic execution for binary vulnerability mining and propose a method named directed symbolic execution. Our three-step approach first adopts dynamic taint analysis technology to identify the safety-related data, then uses a symbolic execution system to execute the binary software while marking those safety-related data as symbols, and finally discovers vulnerabilities with our check-model. The evaluation shows that our method can be used to detect vulnerabilities in binary software more efficiently.
Keywords: data mining; program diagnostics; security of data; software reliability; binary software; binary vulnerability mining; check-model; directed symbolic execution method; dynamic taint analysis technology; safety-related data identification; software vulnerability detection; Context; Protocols; Software; Symbolic Execution; Vulnerability detection; Vulnerability model (ID#: 15-6654)

Mell, P.; Harang, R.E., “Using Network Tainting to Bound the Scope of Network Ingress Attacks,” Software Security and Reliability (SERE), 2014 Eighth International Conference on, vol., no., pp. 206, 215, June 30 2014–July 2 2014. doi:10.1109/SERE.2014.34
Abstract: This research describes a novel security metric, network taint, which is related to software taint analysis. We use it here to bound the possible malicious influence of a known compromised node through monitoring and evaluating network flows. The result is a dynamically changing defense-in-depth map that shows threat level indicators gleaned from monotonically decreasing threat chains. We augment this analysis with concepts from the complex networks research area in forming dynamically changing security perimeters and measuring the cardinality of the set of threatened nodes within them. In providing this, we hope to advance network incident response activities by providing a rapid automated initial triage service that can guide and prioritize investigative activities.
Keywords: network theory (graphs); security of data; defense-in-depth map; network flow evaluation; network flow monitoring; network incident response activities; network ingress attacks; network tainting metric; security metric; security perimeters; software taint analysis; threat level indicators; Algorithm design and analysis; Complex networks; Digital signal processing; Measurement; Monitoring; Security; Software; complex networks; network tainting; scale-free; security (ID#: 15-6655)

Chenxiong Qian; Xiapu Luo; Yuru Shao; Chan, A.T.S., “On Tracking Information Flows through JNI in Android Applications,” Dependable Systems and Networks (DSN), 2014 44th Annual IEEE/IFIP International Conference on, vol., no., pp. 180, 191, 23-26 June 2014. doi:10.1109/DSN.2014.30
Abstract: Android provides a native development kit through JNI for developing high-performance applications (or simply apps). Although recent years have witnessed a considerable increase in the number of apps employing native libraries, only a few systems can examine them, and none of them scrutinizes the interactions through JNI in those apps. In this paper, we conduct a systematic study on tracking information flows through JNI in apps. More precisely, we first perform a large-scale examination of apps using JNI and report interesting observations. Then, we identify scenarios where information flows uncaught by existing systems can result in information leakage. Based on these insights, we propose and implement NDroid, an efficient dynamic taint analysis system for checking information flows through JNI. The evaluation on real apps shows that NDroid can effectively identify information leaks through JNI with low performance overheads.
Keywords: Android (operating system); Java; Android applications; JNI; Java Native Interface; NDroid systems; high-performance applications; information flow tracking; Androids; Context; Engines; Games; Humanoid robots; Java; Libraries (ID#: 15-6656)

Zhongyuan Qin; Yuqing Xu; Yuxing Di; Qunfang Zhang; Jie Huang, “Android Malware Detection Based on Permission and Behavior Analysis,” Cyberspace Technology (CCT 2014), International Conference on, vol., no., pp. 1, 4, 8-10 Nov. 2014. doi:10.1049/cp.2014.1352
Abstract: The development of the mobile Internet and application stores accelerates the spread of malicious applications on smartphones, especially on the Android platform. In this paper, we propose an integrated Android malware detection scheme, combining permission and behavior analysis. For APK files which have already been detected, their MD5 values are extracted as signatures for detection. For APK files which have not been detected, detection is carried out based on permission and behavior analysis. Behavior analysis contains taint propagation analysis and semantic analysis. Experiment results show that this system can successfully detect malware that steals privacy or performs malicious deductions.
Keywords: Internet; data privacy; invasive software; mobile computing; smart phones; APK files; MD5 value extraction; application store; behavior analysis; integrated Android malware detection scheme; mobile Internet development; permission analysis; propagation analysis; semantic analysis; smart phones; Android; behavior analysis; malware; permission (ID#: 15-6657)

Wenmin Xiao; Jianhua Sun; Hao Chen; Xianghua Xu, “Preventing Client Side XSS with Rewrite Based Dynamic Information Flow,” Parallel Architectures, Algorithms and Programming (PAAP), 2014 Sixth International Symposium on, vol., no., pp. 238, 243, 13-15 July 2014. doi:10.1109/PAAP.2014.10
Abstract: This paper presents the design and implementation of an information flow tracking framework based on code rewriting to prevent sensitive information leaks in browsers, combining the ideas of taint and information flow analysis. Our system has two main processes. First, it abstracts the semantics of JavaScript code and converts it to a general form of intermediate representation on the basis of the JavaScript abstract syntax tree. Second, the abstract intermediate representation is implemented as a special taint engine to analyze tainted information flow. Our approach can ensure fine-grained isolation for both confidentiality and integrity of information. We have implemented a proof-of-concept prototype, named JSTFlow, and have deployed it as a browser proxy to rewrite web applications at runtime. The experiment results show that JSTFlow can guarantee the security of sensitive data and detect XSS attacks with about 3x performance overhead. Because it does not involve any modifications to the target system, our system is readily deployable in practice.
Keywords: Internet; Java; data flow analysis; online front-ends; security of data; JSTFlow; JavaScript abstract syntax tree; JavaScript code; Web applications; XSS attacks; abstract intermediate representation; browser proxy; browsers; client side XSS; code rewrite; fine-grained isolation; information flow tracking framework; performance overhead; rewrite based dynamic information flow; sensitive information leaks; taint engine; tainted information flow; Abstracts; Browsers; Data models; Engines; Security; Semantics; Syntactics; JavaScript; cross-site scripting; information flow analysis; information security; taint model (ID#: 15-6658)
Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.