modelgen
play

Modelgen: Mining Explicit Information Flow Specifications from - PowerPoint PPT Presentation

Jan 07, 2023 •145 likes •992 views

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp, Saswat Anand, Alex Aiken Stanford University I Why mine specifications? Whole-program static analysis Application Whole-program static

  1. Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp, Saswat Anand, Alex Aiken Stanford University

  2. I Why mine specifications?

  3. Whole-program static analysis Application

  4. Whole-program static analysis Static Malware? Application Analysis Bugs? Documentation

  5. Whole-program static analysis? Application Platform (e.g. Android)

  6. Whole-program static analysis? ??? Static Application Analysis Platform (e.g. Android)

  7. Whole-program static analysis? ??? Static Application Analysis Platform • Native code (e.g. Android)

  8. Whole-program static analysis? ??? Static Application Analysis Platform • Native code (e.g. Android) • Reflection

  9. Whole-program static analysis? ??? Static Application Analysis Platform • Native code (e.g. Android) • Reflection • Complex OOP patterns / indirection

  10. Whole-program static analysis? ??? Static Application Analysis Platform • Native code (e.g. Android) • Reflection • Complex OOP patterns / indirection • Large (e.g. Android >2 MLOC, Java)

  11. Whole-program static analysis? ??? Static Application Analysis Platform • Native code (e.g. Android) • Reflection • Complex OOP patterns / indirection • Large (e.g. Android >2 MLOC, Java)

  12. Options: Best-case Under-approximation Static Application Analysis (Very) Unsound Platform False negatives (e.g. Android)

  13. Options: Worst-case Over-approximation Static Application Analysis (Very) Imprecise Platform False positives (e.g. Android)

  14. Options: Specifications Slight over-approximation • Application Manually written • Platform (e.g. Android) Effort intensive* • * Our system (STAMP): Models for 1,116 methods, written over 2 years

  15. Mining Specifications Slight over-approximation • Application Manually written • Platform (e.g. Android) Effort intensive •

  16. Mining Specifications Slight over-approximation • Application Mined automatically using • Platform dynamic analysis (e.g. Android)

  17. Mining Specifications Application Platform Specifications (e.g. Android) Dynamic Analysis

  18. Mining Specifications Static Malware? Application Analysis Bugs? Platform Documentation Specifications (e.g. Android) Dynamic Analysis

  19. II Information flow specifications

  20. Static taint analysis Information Flow Report #LOCATION -> ! INTERNET S.T.A.M.P. Static #CONTACTS -> ! Analysis INTERNET #PHONE_NUM -> Human !INTERNET Auditor

  21. Information flow specifications // Set-up SocketChannel socket = ...; CharBuffer buffer = ...; CharsetEncoder encoder = ...; TelephonyManager tMgr = ...; // Leak phone number // ( #PHONE_NUM -> !INTERNET ) String mPhoneNumber = tMgr.getLine1Number(); CharBuffer b1 = buffer.put(mPhoneNumber,0,10); ByteBuffer bytebuffer = encoder.encode(b1); socket.write(bytebuffer);

  22. Information flow specifications // Set-up SocketChannel socket = ...; CharBuffer buffer = ...; CharsetEncoder encoder = ...; TelephonyManager tMgr = ...; // Leak phone number // ( #PHONE_NUM -> !INTERNET ) String mPhoneNumber = tMgr.getLine1Number(); CharBuffer b1 = buffer.put(mPhoneNumber,0,10); ByteBuffer bytebuffer = encoder.encode(b1); socket.write(bytebuffer); #PHONE_NUM ->

  23. Information flow specifications // Set-up SocketChannel socket = ...; CharBuffer buffer = ...; CharsetEncoder encoder = ...; TelephonyManager tMgr = ...; // Leak phone number // ( #PHONE_NUM -> !INTERNET ) String mPhoneNumber = tMgr.getLine1Number(); CharBuffer b1 = buffer.put(mPhoneNumber,0,10); ByteBuffer bytebuffer = encoder.encode(b1); socket.write(bytebuffer); #PHONE_NUM -> ... -> ... -> ... -> !INTERNET

  24. Information flow specifications // Set-up SocketChannel socket = ...; CharBuffer buffer = ...; CharsetEncoder encoder = ...; TelephonyManager tMgr = ...; // Leak phone number // ( #PHONE_NUM -> !INTERNET ) String mPhoneNumber = tMgr.getLine1Number(); CharBuffer b1 = buffer.put(mPhoneNumber,0,10); ByteBuffer bytebuffer = encoder.encode(b1); socket.write(bytebuffer);

  25. Information flow specifications TelephonyManager.getLine1Number() // Set-up #PHONE_NUM -> return SocketChannel socket = ...; CharBuffer buffer = ...; CharsetEncoder encoder = ...; TelephonyManager tMgr = ...; // Leak phone number // ( #PHONE_NUM -> !INTERNET ) String mPhoneNumber = tMgr.getLine1Number(); CharBuffer b1 = buffer.put(mPhoneNumber,0,10); ByteBuffer bytebuffer = encoder.encode(b1); socket.write(bytebuffer); #PHONE_NUM -> mPhoneNumber

  26. Information flow specifications TelephonyManager.getLine1Number() // Set-up #PHONE_NUM -> return SocketChannel socket = ...; CharBuffer buffer = ...; CharBuffer.put(String,int,int) CharsetEncoder encoder = ...; arg#1 -> this TelephonyManager tMgr = ...; arg#1 -> return this -> return // Leak phone number // ( #PHONE_NUM -> !INTERNET ) String mPhoneNumber = tMgr.getLine1Number(); CharBuffer b1 = buffer.put(mPhoneNumber,0,10); ByteBuffer bytebuffer = encoder.encode(b1); socket.write(bytebuffer); #PHONE_NUM -> mPhoneNumber -> b1

  27. Information flow specifications TelephonyManager.getLine1Number() // Set-up #PHONE_NUM -> return SocketChannel socket = ...; CharBuffer buffer = ...; CharBuffer.put(String,int,int) CharsetEncoder encoder = ...; arg#1 -> this TelephonyManager tMgr = ...; arg#1 -> return this -> return // Leak phone number // ( #PHONE_NUM -> !INTERNET ) CharsetEncoder.encode(CharBuffer) String mPhoneNumber = tMgr.getLine1Number(); arg#1 -> return CharBuffer b1 = buffer.put(mPhoneNumber,0,10); ByteBuffer bytebuffer = encoder.encode(b1); socket.write(bytebuffer); #PHONE_NUM -> mPhoneNumber -> b1 -> bytebuffer

  28. Information flow specifications TelephonyManager.getLine1Number() // Set-up #PHONE_NUM -> return SocketChannel socket = ...; CharBuffer buffer = ...; CharBuffer.put(String,int,int) CharsetEncoder encoder = ...; arg#1 -> this TelephonyManager tMgr = ...; arg#1 -> return this -> return // Leak phone number // ( #PHONE_NUM -> !INTERNET ) CharsetEncoder.encode(CharBuffer) String mPhoneNumber = tMgr.getLine1Number(); arg#1 -> return CharBuffer b1 = buffer.put(mPhoneNumber,0,10); ByteBuffer bytebuffer = encoder.encode(b1); SocketChannel.write(ByteBuffer) socket.write(bytebuffer); arg#1 -> !INTERNET #PHONE_NUM -> mPhoneNumber -> b1 -> bytebuffer -> !INTERNET

  29. III Technique

  30. Instrument, run, analyze Instrument Run Analyze

  31. Instrument, run, analyze Instrument Run Analyze

  32. Instrument, run, analyze Instrument Run Analyze

  33. Instrument, run, analyze Instrument Run Analyze

  34. Instrument, run, analyze Instrument Run Analyze

  35. Method trace Definition:

  36. Method trace Definition: Sequence of recorded operations between • method entry and return.

  37. Method trace Definition: Sequence of recorded operations between • method entry and return. Including calls to other methods. •

  38. Example o . m ( arg1 , arg2 ) : t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o3 = o.g o2.f = t return o

  39. Example o . m ( arg1 , arg2 ) : t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o3 = o.g o2.f = t return o

  40. Example o . m ( arg1 , arg2 ) : t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o3 = o.g o2.f = t return o

  41. Example o . m ( arg1 , arg2 ) : t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o3 = o.g o2.f = t return o

  42. Example o . m ( arg1 , arg2 ) : Spec: t = arg1 ⊗ arg2 arg1->this o1 = o.f arg2->this o2 = o1.g Initialization o3 = o.g o2.f = t return o

  43. Example o . m ( arg1 , arg2 ) : Spec: t = arg1 ⊗ arg2 arg1->this o1 = o.f arg2->this o2 = o1.g Initialization this->return o3 = o.g o2.f = t return o

  44. Example o . m ( arg1 , arg2 ) : Spec: t = arg1 ⊗ arg2 arg1->this o1 = o.f arg2->this o2 = o1.g Initialization this->return o3 = o.g o2.f = t arg1->return return o arg2-> return

  45. Example: Initialization o . m ( arg1 , arg2 ) : ret = o . m ( arg1 , arg2 ) t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o3 = o.g o2.f = t return o

  46. Example: Taint propagation o . m ( arg1 , arg2 ) : ret = o . m ( arg1 , arg2 ) t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization t o3 = o.g o2.f = t return o

  47. Example: Loads o . m ( arg1 , arg2 ) : ret = o . m ( arg1 , arg2 ) t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o1 o3 = o.g o2.f = t return o

  48. Example: Loads o . m ( arg1 , arg2 ) : ret = o . m ( arg1 , arg2 ) t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o1 o3 = o.g o2.f = t o2 return o

  49. Example: Loads o . m ( arg1 , arg2 ) : ret = o . m ( arg1 , arg2 ) t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o3 o3 = o.g o2.f = t return o

  50. Example: Loads o . m ( arg1 , arg2 ) : ret = o . m ( arg1 , arg2 ) t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o3 = o.g o2.f = t return o

  51. Example: Store o . m ( arg1 , arg2 ) : ret = o . m ( arg1 , arg2 ) t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o3 = o.g o2.f = t return o

Recommend

More recommend