2 research outputs found
Practical and Effcient Runtime Taint Tracking
Runtime taint tracking is a technique for controlling data propagation in applications.
It is typically used to prevent disclosure of confidential information or
to avoid application vulnerabilities. Taint tracking systems intercept application
operations at runtime, associate meta-data with the data being processed and
inspect the meta-data to detect unauthorised data propagation. To keep metadata
up-to-date, every attempt of the application to access and process data is
intercepted. To ensure that all data propagation is monitored, different categories
of data (e.g. confidential and public data) are kept isolated.
In practice, the interception of application operations and the isolation of different categories of data are hard to achieve. Existing applications, language
interpreters and operating systems need to be re-engineered while keeping metadata
up-to-date incurs significant overhead at runtime. In this thesis we show
that runtime taint tracking can be implemented with minimal changes to existing
infrastructure and with reduced overhead compared to previous approaches. In
other words, we suggest methods to achieve both practical and efficient runtime
taint tracking.
Our key observation is that applications in specific domains are typically implemented
in high-level languages and use a subset of the available language
features. This facilitates the implementation of a taint tracking system because
it needs to support only parts of a programming language and it may leverage
features of the execution platform. This thesis explores three different applications
domains. We start with event processing applications in Java, for which
we introduce a novel solution to achieve isolation and a practical method to
declare restrictions about data propagation. We then focus on securing PHP
web applications. We show that if taint tracking is restricted to a small part of
an application, the runtime overhead is significantly reduced without sacrificing effectiveness. Finally, we target accidental data disclosure in Ruby web applications.
Ruby emerges as an ideal choice for a practical taint tracking system
because it supports meta-programming facilities that simplify interception and
isolation
Combatting Advanced Persistent Threat via Causality Inference and Program Analysis
Cyber attackers are becoming more and more sophisticated. In particular, Advanced Persistent Threat (APT) is a new class of attack that targets a specifc organization and compromises systems over a long time without being detected. Over the years, we have seen notorious examples of APTs including Stuxnet which disrupted Iranian nuclear centrifuges and data breaches affecting millions of users. Investigating APT is challenging as it occurs over an extended period of time and the attack process is highly sophisticated and stealthy. Also, preventing APTs is diffcult due to ever-expanding attack vectors.
In this dissertation, we present proposals for dealing with challenges in attack investigation. Specifcally, we present LDX which conducts precise counter-factual causality inference to determine dependencies between system calls (e.g., between input and output system calls) and allows investigators to determine the origin of an attack (e.g., receiving a spam email) and the propagation path of the attack, and assess the consequences of the attack. LDX is four times more accurate and two orders of magnitude faster than state-of-the-art taint analysis techniques. Moreover, we then present a practical model-based causality inference system, MCI, which achieves precise and accurate causality inference without requiring any modifcation or instrumentation in end-user systems.
Second, we show a general protection system against a wide spectrum of attack vectors and methods. Specifcally, we present A2C that prevents a wide range of attacks by randomizing inputs such that any malicious payloads contained in the inputs are corrupted. The protection provided by A2C is both general (e.g., against various attack vectors) and practical (7% runtime overhead)