research-article
DOI: 10.1145/2610384.2610412

Lightweight automated detection of unsafe information leakage via exceptions

Published: 21 July 2014

Abstract

Unintended information leakage is one of the most common and severe problems facing modern applications. To help developers detect information leaks before they can be leveraged by attackers, we present a new static analysis-based technique for detecting a specific type of information leak: information leaks via exceptions. Because it focuses on a specific type of leak, the technique is able to be efficient, effective, and easy to use, qualities that are often lacking in more general techniques. We implemented our technique in a prototype tool, UDLD, and performed an extensive empirical evaluation using 19 real web applications. The results of the evaluation show that UDLD is both efficient and effective at detecting unsafe information leaks via exceptions; for the subjects that we considered, UDLD is the fastest among several alternative tools. Moreover, it reported more true leaks than existing state-of-the-art tools with no known false negatives and no false positives.



Published In

ISSTA 2014: Proceedings of the 2014 International Symposium on Software Testing and Analysis
July 2014
460 pages
ISBN: 9781450326452
DOI: 10.1145/2610384

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Information leak detection
  2. exception analysis

Qualifiers

  • Research-article

Conference

ISSTA '14

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%

Cited By

  • (2024) ExceRef: Automatically Refactoring for Exception Handling. Proceedings of the 15th Asia-Pacific Symposium on Internetware, pages 239-248. DOI: 10.1145/3671016.3674824. Online publication date: 24-Jul-2024
  • (2020) Learning to handle exceptions. Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering, pages 29-41. DOI: 10.1145/3324884.3416568. Online publication date: 21-Dec-2020
  • (2018) Studying the relationship between exception handling practices and post-release defects. Proceedings of the 15th International Conference on Mining Software Repositories, pages 564-575. DOI: 10.1145/3196398.3196435. Online publication date: 28-May-2018
  • (2017) Revisiting Exception Handling Practices with Exception Flow Analysis. 2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation (SCAM), pages 11-20. DOI: 10.1109/SCAM.2017.16. Online publication date: Sep-2017
