Research on Information Flow Analysis and Applications
Information flow analysis has long played an important role in security. Recently, it has become very popular in systems security, and has been used for exploit defense as well as malware analysis.
We showed in [17] that fine-grained taint-tracking can be combined with simple and general security policies to block most common software vulnerability exploits that rely on subverting the privileges of a victim application. Such exploits include SQL injection, command injection, cross-site scripting, path traversal, memory exploits, and so on. By operating as a compile-time transformation on C programs, our technique can protect most programs written in C, as well as interpreted languages such as PHP whose interpreters are written in C. Moreover, our work provided a dramatic performance improvement over previous fine-grained taint-tracking techniques.
We recently developed static binary rewriting techniques for taint-tracking on binaries [13]. By leveraging novel optimization techniques, our implementation provided a 3 to 6 times performance improvement over previous techniques, while remaining robust enough to handle large applications such as Firefox.
Source-code and binary instrumentation approaches may raise robustness and compatibility concerns among those who deploy and administer software systems. To address this problem, we recently developed an efficient black-box technique for inferring taint by observing a program's inputs and outputs [8].
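The two approaches described above can be contrasted on one concrete case. The following is an added illustration, not code from [17], [8] or the SecLab code base: a toy per-character taint mask propagated through string construction (the instrumented path, in the spirit of [17]), a policy that tainted characters may only appear as data inside string or numeric literals of the resulting SQL command, and a black-box variant that recovers the taint mask purely from the observed input values and the final query text (in the spirit of [8]). The class and function names, the SQL tokenizer, the keyword set and the exact-substring matching in `infer_taint` are all this example's simplifications; in particular, exact matching is not the matching strategy of [8], and the last function deliberately exposes the false positive that such a naive matcher produces when a benign input coincides with a trusted part of the query.

```python
"""Toy taint-enhanced policy check (instrumented vs. black-box taint).
Added example; names, tokenizer and policy are illustrative simplifications."""
import re
from dataclasses import dataclass


@dataclass
class TaintedStr:
    """A string paired with a per-character taint mask (True = from untrusted input)."""
    text: str
    taint: list  # list[bool], same length as text

    @classmethod
    def untrusted(cls, s: str) -> "TaintedStr":
        return cls(s, [True] * len(s))

    @classmethod
    def trusted(cls, s: str) -> "TaintedStr":
        return cls(s, [False] * len(s))

    def __add__(self, other: "TaintedStr") -> "TaintedStr":
        # Taint propagates positionally through concatenation.
        return TaintedStr(self.text + other.text, self.taint + other.taint)


# Minimal SQL tokenizer: whitespace, '...' literals (with '' escapes),
# numbers, words (keywords/identifiers), single punctuation/operator chars.
TOKEN_RE = re.compile(r"\s+|'(?:[^']|'')*'|\d+|\w+|[^\w\s]")


def policy_violation(ts: TaintedStr):
    """Simplified policy: tainted characters may only be *data*, i.e. sit inside
    a string literal (whose delimiters must be trusted) or form a numeric literal.
    A keyword, identifier or operator containing any tainted character would
    change the query's structure. Returns the offending token, or None."""
    for m in TOKEN_RE.finditer(ts.text):
        tok = m.group(0)
        if tok.isspace():
            continue
        if not any(ts.taint[m.start():m.end()]):
            continue
        if tok.startswith("'"):
            # Interior may be tainted; both quote delimiters must come from the program.
            if ts.taint[m.start()] or ts.taint[m.end() - 1]:
                return tok
            continue
        if tok.isdigit():
            continue
        return tok  # tainted keyword, identifier or operator
    return None


def infer_taint(inputs, output: str, min_len: int = 2) -> TaintedStr:
    """Black-box taint inference: no instrumentation, just mark every occurrence
    of an observed input value inside the observed output as tainted.
    Exact substring matching is this example's simplification; min_len avoids
    spurious one-character matches."""
    taint = [False] * len(output)
    for value in inputs:
        if len(value) < min_len:
            continue
        start = 0
        while (i := output.find(value, start)) >= 0:
            for k in range(i, i + len(value)):
                taint[k] = True
            start = i + 1
    return TaintedStr(output, taint)


def build_query(name: TaintedStr) -> TaintedStr:
    """The (hypothetical) application's query construction, unchanged by the policy."""
    return (TaintedStr.trusted("SELECT * FROM users WHERE name='")
            + name + TaintedStr.trusted("'"))


def check_request(user_input: str):
    """Instrumented path: taint is tracked while the query is built."""
    return policy_violation(build_query(TaintedStr.untrusted(user_input)))


def check_request_blackbox(user_input: str):
    """Black-box path: only the raw input and the final query string are observed."""
    query_text = build_query(TaintedStr.untrusted(user_input)).text
    return policy_violation(infer_taint([user_input], query_text))


if __name__ == "__main__":
    for inp in ["alice", "' OR '1'='1", "1; DROP TABLE users", "users"]:
        print(repr(inp), "->", check_request(inp), "/", check_request_blackbox(inp))
```

The instrumented path rejects `' OR '1'='1` because the attacker's quote closes a literal whose opening delimiter the program supplied, while `1; DROP TABLE users` passes because it stays entirely inside the literal and is therefore data, not structure. The black-box path reaches the same verdicts on those inputs, but the input `users` shows its weakness: the naive matcher also marks the trusted table name, and the policy then flags a benign request. Handling such coincidental matches is part of what a real black-box technique has to address.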
Information flow remains one of the main focus areas of our research. Our ongoing research is concerned with applying information flow to whole-system integrity protection [12] and to the protection of shared-memory plug-ins, enhancing the accuracy of anomaly detection [18, 9], and so on.
Related Publications
- [1] Provenance-based Integrity Protection for Windows. Annual Computer Security Applications Conference (ACSAC), December 2015.
- [2] WebSheets: Web Applications for Non-Programmers. New Security Paradigms Workshop (NSPW), September 2015.
- [3] Towards More Usable Information Flow Policies for Contemporary Operating Systems. ACM Symposium on Access Control Models and Technologies (SACMAT), June 2014. Honorable mention for Best Paper.
- [4] Comprehensive Integrity Protection for Desktop Linux (Demo). ACM Symposium on Access Control Models and Technologies (SACMAT), June 2014.
- [5] A Portable User-Level Approach for System-wide Integrity Protection. Annual Computer Security Applications Conference (ACSAC), December 2013.
- [6] Protection, Usability and Improvements in Reflected XSS Filters. ACM Symposium on Information, Computer and Communications Security (ASIACCS), May 2012.
- [7] Taint-Enhanced Anomaly Detection. International Conference on Information Systems Security (ICISS), December 2011.
- [8] An Efficient Black-box Technique for Defeating Web Application Attacks. ISOC Network and Distributed Systems Symposium (NDSS), February 2009.
- [9] Anomalous Taint Detection (Extended Abstract). Recent Advances in Intrusion Detection (RAID), September 2008. (Full version available as Technical Report SECLAB08-06.)
- [10] A Practical Technique for Containment of Untrusted Plug-ins. Technical Report (TR), August 2008.
- [11] On the Limits of Information Flow Techniques for Malware Analysis and Containment. Detection of Intrusions, Malware and Vulnerability Analysis (DIMVA), July 2008. (Supersedes SECLAB07-03, November 2007.)
- [12] Practical Proactive Integrity Preservation: A Basis for Malware Defense. IEEE Symposium on Security and Privacy (IEEE S&P), May 2008.
- [13] Efficient Fine-Grained Binary Instrumentation with Applications to Taint-Tracking. ACM/IEEE International Symposium on Code Generation and Optimization (CGO), April 2008.
- [14] Comprehensive Memory Error Protection via Diversity and Taint-Tracking. PhD Dissertation (Stony Brook University), February 2008.
- [15] Static Binary Analysis and Transformation for Sandboxing Untrusted Plugins. Master's Thesis (Stony Brook University), August 2007.
- [16] Provably Correct Runtime Enforcement of Non-Interference Properties. International Conference on Information and Communications Security (ICICS), December 2006. (Supersedes Technical Report SECLAB-04-01, Stony Brook University, March 2004.)
- [17] Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks. USENIX Security Symposium (USENIX Security), August 2006. (An earlier version appeared as Technical Report SECLAB-05-06, November 2005. Also supersedes Technical Report SECLAB-05-05, A Unified Approach for Preventing Attacks Exploiting a Range of Software Vulnerabilities, August 2005, and Technical Report SECLAB-05-04, Practical Dynamic Taint Analysis for Countering Input Validation Attacks on Web Applications, May 2005.)
- [18] Dataflow Anomaly Detection. IEEE Symposium on Security and Privacy (IEEE S&P), May 2006. (Supersedes Technical Report SECLAB-05-03, Improving Attack Detection in Host-Based IDS by Learning Properties of System Call Arguments, July 2005.)