research-article

A dynamic taint analyzer for distributed systems

Authors:

Haipeng CaiAuthors Info & Claims

ESEC/FSE 2019: Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering

Pages 1115 - 1119

https://doi.org/10.1145/3338906.3341179

Published: 12 August 2019 Publication History

Abstract

As in other software domains, information flow security is a fundamental aspect of code security in distributed systems. However, most existing solutions to information flow security are limited to centralized software. For distributed systems, such solutions face multiple challenges, including technique applicability, tool portability, and analysis scalability. To overcome these challenges, we present DistTaint, a dynamic information flow (taint) analyzer for distributed systems. By partial-ordering method-execution events, DistTaint infers implicit dependencies in distributed programs, so as to resolve the applicability challenge. It resolves the portability challenge by working fully at application level, without customizing the runtime platform. To achieve scalability, it reduces analysis costs using a multi-phase analysis, where the pre-analysis phase generates method-level results to narrow down the scope of the following statement-level analysis. We evaluated DistTaint against eight real-world distributed systems. Empirical results showed DistTaint’s applicability to, portability with, and scalability for industry-scale distributed systems, along with its capability of discovering known and unknown vulnerabilities. A demo video for DistTaint can be downloaded from https://www.dropbox.com/l/scl/AAAkrm4p63Ffx0rZqblY3zlLFuaohbRxs0 or viewed here https://youtu.be/fy4yMIaKzPE online. The tool package is here: https://www.dropbox.com/sh/kfr9ixucyny1jp2/AAC00aI-I8Od4ywZCqwZ1uaa?dl=0

References

[1]

2014. Vulnerability Details : CVE-2014-0085. https://www.cvedetails.com/cve/ CVE-2014-0085/. 2017. Wikipedia. Lamport timestamps. https://en.wikipedia.org/wiki/Lamport timestamps. 2019. Wikipedia—Voldemort (distributed data store). https://en.wikipedia.org/ wiki/Voldemort (distributed data store).

[2]

AdaCore. 2010. SPARKPro. https://www.adacore.com/sparkpro.

[3]

Apache. 2015. Voldemort. https://github.com/voldemort.

[4]

Apache. 2015. ZooKeeper. https://zookeeper.apache.org/.

[5]

Bamberg University. 2015. Open Chord. http://sourceforge.net/projects/openchord/.

[6]

Haipeng Cai. 2018. Hybrid Program Dependence Approximation for Effective Dynamic Impact Prediction. IEEE Transactions on Software Engineering 44, 4 (2018), 334–364.

[7]

Haipeng Cai and Raul Santelices. 2014. DIVER: Precise Dynamic Impact Analysis Using Dependence-based Trace Pruning. In Proceedings of International Conference on Automated Software Engineering. 343–348.

Digital Library

[8]

Haipeng Cai, Raul Santelices, and Douglas Thain. 2016. DiaPro: Unifying Dynamic Impact Analyses for Improved and Variable Cost-Effectiveness. ACM Transactions on Software Engineering and Methodology (TOSEM) 25, 2 (2016), 18.

Digital Library

[9]

Haipeng Cai and Douglas Thain. 2016. DISTEA: Efficient Dynamic Impact Analysis for Distributed Systems. arXiv preprint arXiv:1604.04638 (2016).

[10]

Haipeng Cai and Douglas Thain. 2016. DistIA: A cost-effective dynamic impact analysis for distributed programs. In Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering. 344–355.

Digital Library

[11]

Jim Chow, Ben Pfaff, Tal Garfinkel, Kevin Christopher, and Mendel Rosenblum. 2004. Understanding data lifetime via whole system simulation. In USENIX Security Symposium. 321–336.

Digital Library

[12]

James Clause, Wanchun Li, and Alessandro Orso. 2007. Dytan: a generic dynamic taint analysis framework. In Proceedings of the 2007 international symposium on Software testing and analysis. ACM, 196–206.

Digital Library

[13]

William Enck, Peter Gilbert, Seungyeop Han, Vasant Tendulkar, Byung-Gon Chun, Landon P Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N Sheth. 2014.

[14]

TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Transactions on Computer Systems (TOCS) 32, 2 (2014), 5.

Digital Library

[15]

Xiaoqin Fu and Haipeng Cai. 2019. Measuring interprocess communications in distributed systems. In Proceedings of the 27th International Conference on Program Comprehension. IEEE Press, 323–334.

Digital Library

[16]

Susan Horwitz, Thomas Reps, and David Binkley. 1990. Interprocedural slicing using dependence graphs. ACM Transactions on Programming Languages and Systems (TOPLAS) 12, 1 (1990), 26–60.

Digital Library

[17]

Jaeyeon Jung, Anmol Sheth, Ben Greenstein, David Wetherall, Gabriel Maganis, and Tadayoshi Kohno. 2008. Privacy oracle: a system for finding application leaks with black box differential testing. In Proceedings of the 15th ACM conference on Computer and communications security. ACM, 279–288.

Digital Library

[18]

Min Gyung Kang, Stephen McCamant, Pongsin Poosankam, and Dawn Song. 2011. Dta++: dynamic taint analysis with targeted control-flow propagation. In NDSS.

[19]

Andrew C Myers. 1999. JFlow: Practical mostly-static information flow control. In Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages. ACM, 228–241.

Digital Library

[20]

Andrew C Myers, Lantian Zheng, Steve Zdancewic, Stephen Chong, and Nathaniel Nystrom. 2001. Jif: Java information flow. Software release. Located at http://www.cs.cornell.edu/jif 2005 (2001).

[21]

Alejandro Russo and Andrei Sabelfeld. 2010. Dynamic vs. static flow-sensitive security analysis. In Proceedings of the 23rd IEEE International Conference on Computer Security Foundations Symposium (CSF). IEEE, 186–199.

Digital Library

[22]

Vincent Simonet. {n.d.}. Flow Caml. https://www.normalesup.org/ ∼ simonet/ soft/flowcaml/.

[23]

G Edward Suh, Jae W Lee, David Zhang, and Srinivas Devadas. 2004. Secure program execution via dynamic information flow tracking. In ACM Sigplan Notices, Vol. 39. ACM, 85–96.

Digital Library

[24]

Neil Vachharajani, Matthew J Bridges, Jonathan Chang, Ram Rangan, Guilherme Ottoni, Jason A Blome, George A Reis, Manish Vachharajani, and David I August. 2004. RIFLE: An architectural framework for user-centric information-flow security. In 37th International Symposium on Microarchitecture (MICRO-37’04). IEEE, 243–254.

Digital Library

[25]

Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda. 2007. Panorama: capturing system-wide information flow for malware detection and analysis. In Proceedings of the 14th ACM conference on Computer and communications security. ACM, 116–127.

Digital Library

[26]

David Yu Zhu, Jaeyeon Jung, Dawn Song, Tadayoshi Kohno, and David Wetherall. 2011. TaintEraser: Protecting sensitive data leaks using application-level taint tracking. ACM SIGOPS Operating Systems Review 45, 1 (2011), 142–154. Abstract 1 Introduction 2 Architecture 3 Phase 1: Pre-analysis 4 Phase 2: Coverage Analysis 5 Phase 3: Refinement 6 Applying DistTaint 6.1 Use Cases 6.2 Efficiency and Scalability 6.3 Limitations 7 Conclusion and Future Work References

Digital Library

Cited By

Nong YFang RYi GZhao KLuo XChen FCai HRoychoudhury APaiva AAbreu RStorey M(2024)VGX: Large-Scale Sample Generation for Boosting Learning-Based Software Vulnerability AnalysesProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639116(1-13)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3639116
Ouyang YShao KChen KShen RChen CXu MZhang YZhang LGrundy JPollock LPenta M(2023)MirrorTaint: Practical Non-Intrusive Dynamic Taint Tracking for JVM-Based Microservice SystemsProceedings of the 45th International Conference on Software Engineering10.1109/ICSE48619.2023.00210(2514-2526)Online publication date: 14-May-2023
https://dl.acm.org/doi/10.1109/ICSE48619.2023.00210
Cai HNong YOu YChen F(2023)Generating Vulnerable Code via Learning-Based Program TransformationsAI Embedded Assurance for Cyber Systems10.1007/978-3-031-42637-7_7(123-138)Online publication date: 11-Aug-2023
https://doi.org/10.1007/978-3-031-42637-7_7
Show More Cited By

Index Terms

A dynamic taint analyzer for distributed systems
1. Security and privacy
  1. Software and application security
    1. Software security engineering
  2. Systems security
    1. Distributed systems security

Recommendations

On the scalable dynamic taint analysis for distributed systems
ESEC/FSE 2019: Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering

To protect the privacy and search sensitive data leaks, we must solve multiple challenges (e.g., applicability, portability, and scalability) for developing an appropriate taint analysis for distributed systems.We hence present DistTaint, a dynamic ...
Scaling application-level dynamic taint analysis to enterprise-scale distributed systems
ICSE '20: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering: Companion Proceedings

With the increasing deployment of enterprise-scale distributed systems, effective and practical defenses for such systems against various security vulnerabilities such as sensitive data leaks are urgently needed. However, most existing solutions are ...
A dynamic marking method for implicit information flow in dynamic taint analysis
SIN '15: Proceedings of the 8th International Conference on Security of Information and Networks

Dynamic taint analysis is an important technique for tracking information flow in software and it has been widely applied in the field of software testing, debugging and vulnerability detection. However, most of the dynamic taint analysis tools only ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ESEC/FSE 2019: Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering

August 2019

1264 pages

ISBN:9781450355728

DOI:10.1145/3338906

General Chairs:
Marlon Dumas
University of Tartu, Estonia
,
Dietmar Pfahl
University of Tartu, Estonia
,
Program Chairs:
Sven Apel
Saarland University, Germany
,
Alessandra Russo
Imperial College, UK

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSOFT: ACM Special Interest Group on Software Engineering

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 August 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ESEC/FSE '19

Sponsor:

SIGSOFT

ESEC/FSE '19: 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering

August 26 - 30, 2019

Tallinn, Estonia

Acceptance Rates

Overall Acceptance Rate 112 of 543 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

8
Total Citations
View Citations
221
Total Downloads

Downloads (Last 12 months)11
Downloads (Last 6 weeks)1

Reflects downloads up to 01 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Nong YFang RYi GZhao KLuo XChen FCai HRoychoudhury APaiva AAbreu RStorey M(2024)VGX: Large-Scale Sample Generation for Boosting Learning-Based Software Vulnerability AnalysesProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639116(1-13)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3639116
Ouyang YShao KChen KShen RChen CXu MZhang YZhang LGrundy JPollock LPenta M(2023)MirrorTaint: Practical Non-Intrusive Dynamic Taint Tracking for JVM-Based Microservice SystemsProceedings of the 45th International Conference on Software Engineering10.1109/ICSE48619.2023.00210(2514-2526)Online publication date: 14-May-2023
https://dl.acm.org/doi/10.1109/ICSE48619.2023.00210
Cai HNong YOu YChen F(2023)Generating Vulnerable Code via Learning-Based Program TransformationsAI Embedded Assurance for Cyber Systems10.1007/978-3-031-42637-7_7(123-138)Online publication date: 11-Aug-2023
https://doi.org/10.1007/978-3-031-42637-7_7
Fu XLin BCai H(2022)DistFax: A Toolkit for Measuring Interprocess Communications and Quality of Distributed Systems2022 IEEE/ACM 44th International Conference on Software Engineering: Companion Proceedings (ICSE-Companion)10.1109/ICSE-Companion55297.2022.9793800(51-55)Online publication date: May-2022
https://doi.org/10.1109/ICSE-Companion55297.2022.9793800
Wang DGao YDou WWei J(2022)DisTA: Generic Dynamic Taint Tracking for Java-Based Distributed Systems2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN53405.2022.00060(547-558)Online publication date: Jun-2022
https://doi.org/10.1109/DSN53405.2022.00060
Cai HFu X(2021)D2ABS: A Framework for Dynamic Dependence Analysis of Distributed ProgramsIEEE Transactions on Software Engineering10.1109/TSE.2021.3124795(1-1)Online publication date: 2021
https://doi.org/10.1109/TSE.2021.3124795
Nong YCai HYe PLi LChen F(2021)Evaluating and comparing memory error vulnerability detectorsInformation and Software Technology10.1016/j.infsof.2021.106614137(106614)Online publication date: Sep-2021
https://doi.org/10.1016/j.infsof.2021.106614
Fu XCai HLi WLi L(2020)SEADSACM Transactions on Software Engineering and Methodology10.1145/337934530:1(1-45)Online publication date: 31-Dec-2020
https://dl.acm.org/doi/10.1145/3379345

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents