1. D2Taint: Differentiated and Dynamic Information Flow Tracking on Smartphones for Numerous Data Sources
Boxuan Gu, Xinfeng Li, Gang Li,
Adam C. Champion, Zhezhe Chen, Feng Qin, and Dong Xuan
The Ohio State University
Infocom 2013

2. Outline Introduction Background Differentiated and Dynamic Tagging
IFT with Dynamic and Differentiated Tagging
Evaluation Method & Experimental Results
Conclusions

3. Introduction
Trend Micro reports that over 25,000 Android malware samples were found in June alone
46%-55% of smartphone apps transmit users’ private information over networks without users’ awareness or consent

4. Introduction TaintDroid
extend Dalvik VM to tag smartphone data using 32 possible types based on their origins
Just 32 origins ...

5. Introduction
D2Taint
track sensitive data from a large number of possible internal and external sources
partition sources into disjoint classes (correspond to different sensitivities)
tag structure updates itself on-the-fly

6. Background Information Flow Tracking Basics
Compiler analysis on programs written in special type-safe programming languages
Software instrumentation at source code, bytecode, or binary level
Architecture support for IFT

7. Background Pre-defined structure sources IDs or sensitivity level
Tag propagation policy
a = b + c --> a.tag = max(b.tag, c.tag)
Tag checking
“Passwords” may not be sent over network

8. TaintDroid

9. TaintDroid

10. TaintDroid
Dalvik opcode:

11. Differentiated and Dynamic Tagging
Source level
different info sources may have different sensitivities in terms of security

12. Differentiated and Dynamic Tagging
Application level
different amounts of storage space to capture heterogeneous sources and correlations

13. Differentiated and Dynamic Tagging
User level
adapt to changing information source access patterns

14. Differentiated and Dynamic Tagging
By examining the source level and application level
Differentiated classes
By examining the user level
Tag dynamics

15. Differentiated and Dynamic Tagging
Tag structure

16. Tag Structure Class 1 Class 2 Class 3 Class 1 Table 0001 google.com
Tag scheme ID
Class 1
Class 2
Class 3
Class 1 Table
0001 google.com
0010 yahoo.com
Tag scheme
00 2/3/1
01 2/2/2
10 4/1/1
11 3/2/1

17. Tag Structures Examples
32 bits, 1 class for each bit: TaintDroid
32 bits, 2-bit tag scheme ID, 3 classes, 16/8/6 bits per class, 4/4/2 bits per source
32 bits, 2-bit tag scheme ID, 2 classes, 24/6 bits per class, 3/2 bits per source

18. Tag Dynamics Each class can have different length at different times
Perform “on-demand” machine learning based on statistical properties of tag space usage and location information tables’ recent hash values
Adjust its tag structure

19. Tag Dynamics Issues Tag Scheme Switching
tag scheme config -> preconfigured
when to switch tag scheme -> on-the-fly
Tag merging

20. IFT with Dynamic and Differentiated Tagging

21. IFT with Dynamic and Differentiated Tagging
When an app start, the dynamic tagging component first loads two configuration files
tag structure definitions
user-defined classes and known data sources

22. IFT with Dynamic and Differentiated Tagging
The dynamic tagging component checks the data source list for each incoming data source by the tag assigner
and tracks incoming sources’ statistics and determines whether it should switch D2Taint to a different tag scheme

23. Dynamic Tagging Component
Dynamic Tagging Core
tag scheme settings: scheme number, bits per tag, number of classes, and a pointer to the class list
class structure: number of classes in the tag system, bits per hashcode, number of reserved slots for the class, and a text description of the class

24. Dynamic Tagging Component
Dynamic Tagging Core
use a global location information table list to record all source information
after a certain number of new sources are added into an location information table, D2Taint decides whether to switch the tag scheme based on these new sources

25. Dynamic Tagging Component
Tag Merger
a.tag = b.tag ⊕ c.tag
if using the same tag scheme?
if using the different tag scheme?
truncate certain significant bits

26. Information Flow Tracking Component
Taint Map
we do not store tags of method local variables, method arguments, and class instance fields adjacent to them in memory

27. Taint Map Method local variables and method arguments
when Dalvik VM allocates a stack frame for a method, our system allocates a stack taint map for it
Class instance fields
to be stored in objects’ taint maps
objects’ taint map is stored immediately after that allocated for the object

28. Information Flow Tracking Component
Tag Assigner
insert our tag assigner logic into file I/O, network I/O, sensor, and other library functions that read private information

29. Information Flow Tracking Component
Tag Propagator
interpreted code and native code: same as TaintDroid
also propagate tags via Binder IPC

30. Information Flow Tracking Component
Tag Checker
trustable sites

31. Evaluation Method & Experimental Results
Android 2.2 on Nexus One
Select 84 “top free” apps from Google Play
CaffeineMark for benchmark

32. Evaluation Method & Experimental Results
Real-world
71 out of 84 apps leak information
reveal the paths by which the information is leaked
33 apps transmit data among many various external sources
12 apps leak devices’ IMEIs/EIDs

33. Evaluation Method & Experimental Results
Performance
-> 9%
-> 7.3%
-> 16%
-> 3%
-> 13%
-> 21%

34. Evaluation Method & Experimental Results
Java Macrobenchmark

35. Evaluation Method & Experimental Results
CaffeineMark’s memory footprint
Android: KB
D2Taint: KB
this test ignored the memory used by location information table, which will dynamically increases as more information sources arrived

36. Evaluation Method & Experimental Results
Sequential websites
dynamic static

37. Evaluation Method & Experimental Results
Random websites
dynamic static

38. Conclusions A novel IFT tagging strategy
using differentiated and dynamic tagging
dynamic tag structure