Abstract
We connect runtime monitors for data flow tracking at different abstraction layers (a browser, a mail client, an operating system) and prove the soundness of this generic model w.r.t. a formal notion of explicit information flow. This allows us to (1) increase the precision of the analysis by exploiting the high-level semantics of events at higher levels of abstraction and (2) provide system-wide guarantees at the same time. For instance, using our model, we can soundly reason about the flow of a picture from the network through a browser into a cache file or a window on the screen by combining analyses at multiple layers.
Notes
1. Let m be a function of type \(S\rightarrow T\) and \(X \subseteq S\). \(m'=m[x \leftarrow expr ]_{x \in X}\) indicates a function \(S\rightarrow T\) such that \(m'(y) = expr \) for any \(y\in X\) and \(m'(y)=m(y)\) otherwise.
Appendices
Appendix
A Serialized Events
Let \(t^S(e):\mathcal {E}\rightarrow \mathbb {N}\) and \(t^E(e):\mathcal {E}\rightarrow \mathbb {N}\) be two functions that return, respectively, the time at which a certain event e starts and ends. In the context of multiple layers, we assume that for any event \(e_\dagger \in \mathcal {E}_\dagger \) it holds that \(e_\dagger \) terminates only after starting (\(t^S(e_\dagger )<t^E(e_\dagger )\)) and that for every event e observed, the single-layer monitors report an event \(e^{S}\) at time \(t^S(e)\) to signal the beginning of e and an event \(e^{E}\) at time \(t^E(e)\) to signal its end. In concrete implementations it is usually possible to observe or approximate these two aspects of any event.
For \(\dagger \in \mathcal {L}\), let \({\mathcal {E}^{-}_{\dagger }}\subseteq \mathcal {E}_\dagger \times \{S,E\}\) be the set of such indexed events that denote when events in \(\mathcal {E}_\dagger \) start and end. Let \( ser :seq(\mathcal {E}_\dagger ) \rightarrow seq({\mathcal {E}^{-}_{\dagger }})\) be the operator that converts a trace of events \(t_\dagger \in seq(\mathcal {E}_\dagger )\) into its indexed equivalent \(t^{-}_\dagger \in seq({\mathcal {E}^{-}_{\dagger }})\) by replacing every event \(e_\dagger \in t_\dagger \) with the sequence \(\langle e^S_\dagger , e^E_\dagger \rangle \).
Lemma 1
For each monitor \(\mathcal {R}_\dagger \) (\(\dagger \in \mathcal {L}\)), there always exists a monitor \(\mathcal {R}^{-}_\dagger :\varSigma _\dagger \times {\mathcal {E}^{-}_{\dagger }} \rightarrow \varSigma _\dagger \) such that \(\forall \sigma _\dagger \in \varSigma _\dagger , \forall t_\dagger \in seq(\mathcal {E}_\dagger ): \mathcal {R}_\dagger (\sigma ,t_\dagger )=\mathcal {R}^{-}_\dagger (\sigma , ser (t_\dagger ))\).
Proof
Given \(\mathcal {R}_\dagger \), the monitor \(\mathcal {R}^{-}_{\dagger }\), defined as \(\mathcal {R}^{-}_{\dagger }(\sigma ,(e_\dagger ,i))=\sigma \) if \(i=S\) and \(\mathcal {R}^{-}_{\dagger }(\sigma ,(e_\dagger ,i))=\mathcal {R}_\dagger (\sigma ,e_\dagger )\) if \(i=E\), respects the property. \(\quad \square \)
It is hence safe to assume, without loss of generality, that every monitor for a layer \(\dagger \) is defined over events in \({\mathcal {E}^{-}_{\dagger }}\). We denote such a monitor \(\mathcal {R}^{-}_{\dagger }\).
Definition 9
(Serializable Trace). A trace \(t=(t_A,t_B)\) is serializable if for every pair of events \(e_A\in t_A, e_B\in t_B\), \(t^S(e_A)\not =t^S(e_B)\) and \(t^E(e_A)\not =t^E(e_B)\).
Let \(\mathcal {E}_{A \otimes B}=\mathcal {E}_A\cup \mathcal {E}_B\) and \({\mathcal {E}^{-}_{{A \otimes B}}}=\mathcal {E}_{A \otimes B}\times \{S,E\}\). If a trace \(t=(t_A,t_B)\in seq(\mathcal {E}_A)\times seq(\mathcal {E}_B)\) is serializable, then it is possible to construct a trace \(t^{-} \in seq({\mathcal {E}^{-}_{{A \otimes B}}})\) that is equivalent to t, in the sense that it is possible to reconstruct each one given the other. \(t^{-}\) is given by the events in \( ser (t_A) \bowtie _t ser (t_B)\) sorted by timestamp. The monitor for the composed system \({\dot{\mathcal {R}}_{{A \otimes B}}}\) described in step 7 of this work assumes the trace of input events \(t=(t_A,t_B)\) to be serializable and provided as a sequence of events in \({\mathcal {E}^{-}_{{A \otimes B}}}\) (\({\dot{\mathcal {R}}_{{A \otimes B}}}:\varSigma _{{A \otimes B}}\times {\mathcal {E}^{-}_{{A \otimes B}}}\rightarrow \varSigma _{{A \otimes B}}\)).
Note that we can relax the assumption on serializable traces, because any trace of events \(t_{A \otimes B}=(t_A,t_B)\) in \({{A \otimes B}}\) can be seen as the longest possible concatenation of subtraces \(t_i=(t_{iA},t_{iB})\) such that any event starting in \(t_i\) also terminates within \(t_i\) and vice versa, and such that \((t_{1A}::t_{2A}::..::t_{nA})=t_A\) and \((t_{1B}::t_{2B}::..::t_{nB})=t_B\). Then, for each \(t_i\),
\(\mathcal {R}_{{A \otimes B}}\) is a sound monitor that is no less precise than \(\hat{\mathcal {R}}(\sigma ,t)\) and does not require t to be serializable.
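As an added illustration (not the paper's code), the following Python models the constructions of this appendix: the ser operator, the lifted monitor \(\mathcal {R}^{-}\) of Lemma 1, the serializability check of Definition 9, the timestamp-sorted composed trace, and the split into closed subtraces used in the relaxation above. The event fields, the layer names A and B, the container names and the toy flow monitor are assumptions made for the example.

```python
from dataclasses import dataclass
from functools import reduce

@dataclass(frozen=True)
class Event:
    """Added example, not the paper's code: layer names "A"/"B" and containers are assumed."""
    layer: str  # layer whose monitor reported the event
    src: str    # container the data is read from
    dst: str    # container the data flows into
    t_s: int    # t^S(e): start time
    t_e: int    # t^E(e): end time

def flow_monitor(sigma, e):
    """Toy single-layer R: data that sigma records in e.src also reaches e.dst."""
    new = {k: set(v) for k, v in sigma.items()}
    new.setdefault(e.dst, set()).update(new.get(e.src, set()))
    return new

def ser(trace):
    """ser: replace every event e by <e^S, e^E>; events must end after they start."""
    assert all(e.t_s < e.t_e for e in trace)
    return [(e, i) for e in trace for i in ("S", "E")]

def lift(monitor):
    """Lemma 1: R^- keeps sigma on a start marker and applies R on an end marker."""
    return lambda sigma, ie: sigma if ie[1] == "S" else monitor(sigma, ie[0])

def is_serializable(t_a, t_b):
    """Definition 9: no start or end timestamp is shared across the two layers."""
    return all(a.t_s != b.t_s and a.t_e != b.t_e for a in t_a for b in t_b)

def merge(t_a, t_b):
    """Composed trace t^-: ser(t_A) joined with ser(t_B), sorted by marker timestamp."""
    stamp = lambda ie: ie[0].t_s if ie[1] == "S" else ie[0].t_e
    return sorted(ser(t_a) + ser(t_b), key=stamp)

def run(sigma, monitor, indexed_trace):
    """Fold the lifted monitor over a serialized trace and return the final state."""
    return reduce(lift(monitor), indexed_trace, sigma)

def closed_subtraces(t_a, t_b):
    """Relaxation of Def. 9: finest split of (t_A, t_B) into pieces in which every
    event that starts inside the piece also ends inside it."""
    pieces, max_end = [], 0
    for e in sorted(t_a + t_b, key=lambda e: (e.t_s, e.t_e)):
        if not pieces or e.t_s >= max_end:  # nothing still open: start a new piece
            pieces.append([])
        pieces[-1].append(e)
        max_end = max(max_end, e.t_e)
    return [([e for e in p if e.layer == "A"], [e for e in p if e.layer == "B"]) for p in pieces]
```

Because the lifted monitor only acts on end markers, two overlapping events from different layers are applied in the order in which they finish, which is what makes the composed trace equivalent to the pair of single-layer traces.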
© 2016 Springer International Publishing Switzerland
Lovat, E., Ochoa, M., Pretschner, A. (2016). Sound and Precise Cross-Layer Data Flow Tracking. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2016. Lecture Notes in Computer Science(), vol 9639. Springer, Cham. https://doi.org/10.1007/978-3-319-30806-7_3
DOI: https://doi.org/10.1007/978-3-319-30806-7_3