Guarding Programs Against Attacks with Dynamic Data Flow Analysis

The defense of computers against malicious attackers is a growing challenge. While techniques have been proposed for guarding programs against specific attacks, such as buffer overruns and format string attacks, few solutions are flexible enough to deal with a wide range of attacks. However, most attacks, known and unknown, involve manipulation of input data to the program—a problem well suited to data flow analysis. Many data flow analyses can be performed both statically and dynamically, albeit with different semantics. The dynamic version—known as dynamic data flow analysis—tracks the flow of abstract properties as the program executes, and is a form of program monitoring. Furthermore, dynamic data flow analysis can accurately monitor security-related flow properties that current methods, such as inlined reference monitors, cannot. Unfortunately, a straightforward implementation of dynamic data flow analysis can be prohibitively expensive because it attaches extra state to every object and monitors the program at every statement. This paper presents a system for using dynamic data flow analysis to dynamically monitor programs. We argue that data flow analysis is a flexible mechanism for implementing a wide range of program monitors, including security-enforcing monitors. We also show how our system unites static and dynamic data flow analysis: the same specification that defines what to dynamically monitor can also be used to drive a static analysis that optimizes the resulting system. We apply our system to the construction of monitors that guard programs against format string vulnerabilities. For a set of five open-source server programs, we find that 80% of the program statements are instrumented in a straightforward implementation of dynamic data flow analysis. When the corresponding static analysis is used, only 0.5% of the statements are instrumented, thus demonstrating the power of our system.