Explicit Secrecy: A Policy for Taint Tracking
Daniel Schoepe, Musard Balliu (Chalmers University of Technology), Benjamin C. Pierce (University of Pennsylvania), Andrei Sabelfeld (Chalmers University of Technology)
Taint tracking is a popular security mechanism for tracking data-flow dependencies, both in high-level languages and at the machine code level. But despite the many taint trackers in practical use, the question of what, exactly, tainting means — what security policy it embodies — remains largely unexplored.
We propose explicit secrecy, a generic framework capturing the essence of explicit flows, i.e., the data flows tracked by tainting. The framework is semantic, generalizing previous syntactic approaches to formulating soundness criteria of tainting. We demonstrate the usefulness of the framework by instantiating it with both a simple high-level imperative language and an idealized RISC machine. To further understanding of what is achieved by taint tracking tools, both dynamic and static, we obtain soundness results with respect to explicit secrecy for the tainting engine cores of a collection of popular dynamic and static taint trackers.
Precisely Measuring Quantitative Information Flow: 10K Lines of Code and Beyond
Celina G Val (Amazon), Michael A Enescu, Sam Bayless, William Aiello, Alan J Hu (The University of British Columbia)
This paper considers the quantitative measurement of information flow through a program — the degree of influence a program’s inputs can have over a set of specified program variables. This definition has been proposed as a refinement of taint analysis in the detection of a class of security flaws in programs. Unfortunately, the precise information flow by this definition is difficult to compute, and prior work has sacrificed precision, scalability, and/or automation. In this paper, we show how to compute this information flow (specifically, channel capacity) in a highly precise and automatic manner, and scale to much larger programs than previously possible. We build on recent advances in symbolic execution and SAT solving, and propose further novel improvements as well. We discover two previously-unknown buffer overflows using our tool. Experimentally, we demonstrate that our approach scales to over 10K lines of real C code.
HornDroid: Practical and Sound Static Analysis of Android Applications by SMT Solving
Stefano Calzavara (Università Ca' Foscari Venezia), Ilya Grishchenko, Matteo Maffei (CISPA, Saarland University)
We present HornDroid, a new tool for the static analysis of information flow properties in Android applications. The core idea underlying HornDroid is to use Horn clauses for soundly abstracting the semantics of Android applications and to express security properties as a set of proof obligations that are automatically discharged by an off-the-shelf SMT solver. This approach makes it possible to fine-tune the analysis in order to achieve a high degree of precision while still using off-the-shelf verification tools, thereby leveraging the recent advances in this field. As a matter of fact, HornDroid outperforms state-of-the-art Android static analysis tools on benchmarks proposed by the community. Moreover, HornDroid is the first static analysis tool for Android to come with a formal proof of soundness, which covers the core of the analysis technique: besides yielding correctness assurances, this proof allowed us to identify some critical corner-cases that affect the soundness guarantees provided by some of the previous static analysis tools for Android.
Games Without Frontiers: Investigating Video Games as a Covert Channel
Bridger Hahn, Rishab Nithyanand, Phillipa Gill, Rob Johnson (Stony Brook University)
The Internet has become a critical communication infrastructure for citizens to organize protests and express dissatisfaction with their governments. This fact has not gone unnoticed, with governments clamping down on this medium via censorship, and circumvention researchers working to stay one step ahead. In this paper, we explore video games as a new avenue for covert channels. Two features make video games attractive for use as a cover protocol in censorship circumvention tools: First, games within a genre share many common features. Second, there are many different games, each with their own protocols and server infrastructures. These features allow circumvention tool developers to build a single framework that can be adapted to work with many different games within a genre; therefore allowing quick response to censor created blockades. In addition, censored users can diversify their covert communications across many different games, making it difficult for a censor to respond by simply blocking a single covert channel.
We demonstrate the feasibility of this approach by implementing our circumvention scheme over three real-time strategy games (including two best-selling closed-source games). We evaluate the security of our system prototype, Castle, by quantifying its resilience to a censor-adversary, similarity to real game traffic, and ability to avoid common pitfalls in covert channel design. We use our prototype to demonstrate that our approach can provide the throughput necessary for bootstrapping higher bandwidth channels and also the transfer of textual data, such as web articles, e-mail, SMS messages, and tweets, which are commonly used to organize political actions.