Permission re-delegation: Attacks and defenses
In 20th USENIX Security Symposium, 2011
Abstract
Cited by 6 (0 self)
Modern browsers and smartphone operating systems treat applications as mutually untrusting, potentially malicious principals. Applications are (1) isolated except for explicit IPC or inter-application communication channels and (2) unprivileged by default, requiring user permission for additional privileges. Although inter-application communication supports useful collaboration, it also introduces the risk of permission re-delegation. Permission re-delegation occurs when an application with permissions performs a privileged task for an application without permissions. This undermines the requirement that the user approve each application’s access to privileged devices and data. We discuss permission re-delegation and demonstrate its risk by launching real-world attacks on Android system applications; several of the vulnerabilities have been confirmed as bugs. We discuss possible ways to address permission re-delegation and present IPC Inspection, a new OS mechanism for defending against permission re-delegation. IPC Inspection prevents opportunities for permission re-delegation by reducing an application’s permissions after it receives communication from a less privileged application. We have implemented IPC Inspection for a browser and Android, and we show that it prevents the attacks we found in the Android system applications.
libdft: Practical Dynamic Data Flow Tracking for Commodity Systems
Abstract
Cited by 4 (4 self)
Dynamic data flow tracking (DFT) deals with tagging and tracking data of interest as they propagate during program execution. DFT has been repeatedly implemented by a variety of tools for numerous purposes, including protection from zero-day and cross-site scripting attacks, detection and prevention of information leaks, and the analysis of legitimate and malicious software. We present libdft, a dynamic DFT framework that, unlike previous work, is at once fast, reusable, and works with commodity software and hardware. libdft provides an API for building DFT-enabled tools that work on unmodified binaries, running on common operating systems and hardware, thus facilitating research and rapid prototyping. We explore different approaches for implementing the low-level aspects of instruction-level data tracking, introduce a more efficient and 64-bit capable shadow memory, and identify (and avoid) the common pitfalls responsible for the excessive performance overhead of previous studies. We evaluate libdft using real applications with large codebases such as the Apache and MySQL servers and the Firefox web browser. We also use a series of benchmarks and utilities to compare libdft with similar systems. Our results indicate that it performs at least as fast as, if not faster than, previous solutions, and to the best of our knowledge we are the first to evaluate the performance overhead of a fast dynamic DFT implementation in such depth. Finally, libdft is freely available as open source software.
UC Berkeley, Intel Labs Berkeley
Abstract
Do you know where your data are? Who can see them? Who can modify them without a trace? Who can aggregate, summarize, and embed them for purposes other than yours? We don’t, and we suspect neither do you. The problem is that we do not have a widely-available mechanism to answer these questions, and yet, paradoxically, all evidence shows that it should have been solved long ago. The problem is critical; incidents involving sensitive data leakage, unauthorized access, and integrity violations (accidental or not) are a daily occurrence [1]. It is well known, as evidenced by the volume of relevant government regulation and pontification from privacy advocates. It is interesting, since it has inspired much research into data confidentiality, integrity, and authorization. Yet publicizing it, regulating it, and talking about it have not led
DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation
Abstract
Dynamic taint analysis (DTA) is a powerful technique for, among other things, tracking the flow of sensitive information. However, it is vulnerable to false negative errors caused by implicit flows, situations in which tainted data values affect control flow, which in turn affects other data. We propose DTA++, an enhancement to dynamic taint analysis that additionally propagates taint along a targeted subset of control-flow dependencies. Our technique first diagnoses implicit flows within information-preserving transformations, where they are most likely to cause under-tainting. Then it generates rules to add additional taint only for those control dependencies, avoiding the explosion of tainting that can occur when propagating taint along all control dependencies indiscriminately. We implement DTA++ using the BitBlaze platform for binary analysis, and apply it to off-the-shelf Windows/x86 applications. In a case study of 8 applications such as Microsoft Word, DTA++ efficiently locates just a few implicit flows that could otherwise lead to under-tainting, and resolves them by propagating taint while introducing little over-tainting.
Towards Practical Avoidance of Information Leakage in Enterprise Networks
Abstract
Preventing exfiltration of sensitive data is a central challenge facing many modern networking environments. In this paper, we propose a network-wide method of confining and controlling the flow of sensitive data within a network. Our approach is based on black-box differencing – we run two logical copies of the network, one with private data scrubbed, and compare outputs of the two to determine if and when private data is being leaked. To ensure outputs of the two copies match, we build upon recent advances that enable computing systems to execute deterministically at scale and with low overheads. We believe our approach could be a useful building block towards building general-purpose schemes that leverage black-box differencing to mitigate leakage of private data.