Privacy Assessment Using Static Taint Analysis (Tool Paper)
Abstract
When developing and maintaining distributed systems, auditing privacy properties gains more and more relevance. Nevertheless, this task is lacking support of automated tools and, hence, is mostly carried out manually. We present a formal approach which enables auditors to model the flow of critical data in order to shed new light on a system and to automatically verify given privacy constraints. The formalization is incorporated into a larger policy analysis and verification framework and overall soundness is proven with Isabelle/HOL. Using this solution, it becomes possible to automatically compute architectures which follow specified privacy conditions or to input an existing architecture for verification. Our tool is evaluated in two real-world case studies, where we uncover and fix previously unknown violations of privacy. Published at FORTE 2017. The final publication is available at Springer via http://dx.doi.org/10.1007/978-3-319-60225-7_16
Similar resources
I know what leaked in your pocket: uncovering privacy leaks on Android Apps with Static Taint Analysis
Android applications may leak privacy data carelessly or maliciously. In this work we perform inter-component dataflow analysis to detect privacy leaks between components of Android applications. Unlike all current approaches, our tool, called IccTA, propagates the context between the components, which improves the precision of the analysis. IccTA outperforms all other available tools by reachi...
SUPOR: Precise and Scalable Sensitive User Input Detection for Android Apps
While smartphones and mobile apps have been an essential part of our lives, privacy is a serious concern. Previous mobile privacy related research efforts have largely focused on predefined known sources managed by smartphones. Sensitive user inputs through UI (User Interface), another information source that may contain a lot of sensitive information, have been mostly neglected. In this paper, ...
Detecting Privacy Leaks in Android Apps
The number of Android apps has grown explosively in recent years and the number of apps leaking private data has also grown. It is necessary to make sure all the apps are not leaking private data before putting them to the app markets and thereby a privacy leaks detection tool is needed. We propose a static taint analysis approach which leverages the control-flow graph (CFG) of apps to detect...
Static Exploration of Taint-Style Vulnerabilities Found by Fuzzing
Taint-style vulnerabilities comprise a majority of fuzzer discovered program faults. These vulnerabilities usually manifest as memory access violations caused by tainted program input. Although fuzzers have helped uncover a majority of taint-style vulnerabilities in software to date, they are limited by (i) extent of test coverage; and (ii) the availability of fuzzable test cases. Therefore, fu...
Taint Analysis for System-Wide Privacy Audits: A Framework and Real-World Case Studies
Privacy analysis is critical but also a time-consuming and tedious task. We present a formalization which facilitates designing and auditing privacy properties of IT systems. It is based on static taint analysis and makes flow and processing of privacy-critical data explicit, globally as well as on the level of individual data subjects. Formally, we show equivalence to traditional label-based inf...