Program-object level data flow analysis with applications to data leakage and contamination forensics

Gaoyao Xiao, Jun Wang, Peng Liu, Jiang Ming, Dinghao Wu

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution

5 Scopus citations

Abstract

We introduce a novel Data Flow Analysis (DFA) technique, called PoL-DFA (Program-object Level Data Flow Analysis), to analyze the dynamic data flows of server programs. PoL-DFA symbolically analyzes every instruction in the execution trace of a process to keep track of the data flows among program objects (e.g., integers, structures, arrays), and concatenates these pieces of data flows to obtain the overall data flow graph of the execution. We leverage PoL-DFA to identify malicious data flows in data leakage and contamination forensics. In two mocked digital forensic scenarios, for data leakage and contamination respectively, we tested the ability of PoL-DFA to identify data flows among multiple inputs and outputs of server programs. Our results show that PoL-DFA can accurately determine whether the data (or the processed results) from a source file or socket flow to a certain output channel. Based on this information, security administrators can pinpoint the path of data leakage or data contamination. Unlike existing dynamic DFA techniques, which require an excessive amount of instrumentation, PoL-DFA only requires logging the execution traces of the processes being monitored. The measured performance overhead for server programs is 4.24%, on average. The results indicate PoL-DFA is a lightweight DFA solution for data leakage and contamination forensics.

Original language: English (US)
Title of host publication: CODASPY 2016 - Proceedings of the 6th ACM Conference on Data and Application Security and Privacy
Publisher: Association for Computing Machinery, Inc
Pages: 277-284
Number of pages: 8
ISBN (Electronic): 9781450339353
State: Published - Mar 9 2016
Event: 6th ACM Conference on Data and Application Security and Privacy, CODASPY 2016 - New Orleans, United States
Duration: Mar 9 2016 to Mar 11 2016

Publication series

Name: CODASPY 2016 - Proceedings of the 6th ACM Conference on Data and Application Security and Privacy

Other

Other: 6th ACM Conference on Data and Application Security and Privacy, CODASPY 2016
Country/Territory: United States
City: New Orleans
Period: 3/9/16 to 3/11/16

All Science Journal Classification (ASJC) codes

  • Computer Science Applications
  • Information Systems
  • Software
