Let’s Face It: Faceted Values for Taint Tracking

  • Daniel Schoepe
  • Musard Balliu
  • Frank Piessens
  • Andrei Sabelfeld
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9878)


Taint tracking has been successfully deployed in a range of security applications to track data dependencies in hardware and machine-, binary-, and high-level code. Precision of taint tracking is key for its success in practice: being a vulnerability analysis, false positives must be low for the analysis to be practical. This paper presents an approach to taint tracking, which does not involve tracking taints throughout computation. Instead, we include shadow memories in the execution context, so that a single run of a program has the effect of computing on both tainted and untainted data. This mechanism is inspired by the technique of secure multi-execution, while in contrast to the latter it does not require running the entire program multiple times. We present a general framework and establish its soundness with respect to explicit secrecy, a policy for preventing insecure data leaks, and its precision showing that runs of secure programs are never modified. We show that the technique can be used for attack detection with no false positives. To evaluate the mechanism in practice, we implement DroidFace, a source-to-source transform for an intermediate Java-like language and benchmark its precision and performance with respect to representative static and dynamic taint trackers for Android. The results indicate that the performance penalty is tolerable while achieving both soundness and no false positives on the tested benchmarks.
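The shadow-memory idea in the abstract can be illustrated with a toy model. The following is an added example, not DroidFace or code from the paper: a straight-line interpreter that updates a real and a shadow memory in one run, releases the shadow value at sinks, and raises an alert only when the real value would have differed. The instruction set, the `DEFAULT` dummy value and the `IMEI` source name are assumptions made for the illustration.

```python
import operator

DEFAULT = 0  # assumed dummy value that stands in for every secret in the shadow memory
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul}

def run(program, secrets):
    """Run `program` once, keeping a real and a shadow memory in lockstep.

    Returns (outputs, alerts). Sinks release the shadow value, which was
    computed without the secret; an alert names a sink variable whose real
    value differs from its shadow value, i.e. an observed explicit leak.
    """
    real, shadow = {}, {}
    outputs, alerts = [], []
    for op, *args in program:
        if op == "source":                      # x := secret input
            var, name = args
            real[var], shadow[var] = secrets[name], DEFAULT
        elif op == "const":                     # x := literal
            var, value = args
            real[var] = shadow[var] = value
        elif op == "binop":                     # dst := a <sym> b, in both memories
            dst, sym, a, b = args
            f = OPS[sym]
            real[dst], shadow[dst] = f(real[a], real[b]), f(shadow[a], shadow[b])
        elif op == "sink":                      # public output
            (var,) = args
            outputs.append(shadow[var])
            if real[var] != shadow[var]:
                alerts.append(var)
        else:
            raise ValueError(f"unknown instruction: {op}")
    return outputs, alerts

# Constructed sample programs.
LEAKY = [("source", "imei", "IMEI"), ("const", "one", 1),
         ("binop", "msg", "+", "imei", "one"), ("sink", "msg")]
# imei - imei is always 0: a label-propagating tracker would mark msg as
# tainted, but the output does not depend on the secret, so no alert fires.
NO_FLOW = [("source", "imei", "IMEI"), ("binop", "zero", "-", "imei", "imei"),
           ("const", "k", 42), ("binop", "msg", "+", "zero", "k"), ("sink", "msg")]

def demo():
    secrets = {"IMEI": 356938035643809}  # constructed sample value
    return run(LEAKY, secrets), run(NO_FLOW, secrets)

if __name__ == "__main__":
    print(demo())
```

In this sketch the second program's output is identical to what an unmonitored run would produce, which mirrors the abstract's claim that runs of secure programs are not modified.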


Keywords: Security Level; Full Version; Attack Detection; Program Transformation; Covert Channel
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work was funded by the European Community under the ProSecuToR project and the Swedish research agencies SSF and VR.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Daniel Schoepe (1)
  • Musard Balliu (1)
  • Frank Piessens (2)
  • Andrei Sabelfeld (1)
  1. Chalmers University of Technology, Gothenburg, Sweden
  2. iMinds-DistriNet, KU Leuven, Leuven, Belgium
