TY - GEN
T1 - Program-object level data flow analysis with applications to data leakage and contamination forensics
AU - Xiao, Gaoyao
AU - Wang, Jun
AU - Liu, Peng
AU - Ming, Jiang
AU - Wu, Dinghao
N1 - Publisher Copyright:
© 2016 ACM.
PY - 2016/3/9
Y1 - 2016/3/9
N2 - We introduce a novel Data Flow Analysis (DFA) technique, called PoL-DFA (Program-object Level Data Flow Analysis), to analyze the dynamic data flows of server programs. PoL-DFA symbolically analyzes every instruction in the execution trace of a process to keep track of the data flows among program objects (e.g., integers, structures, arrays), and concatenates these pieces of data flows to obtain the overall data flow graph of the execution. We leverage PoL-DFA to identify malicious data flows in data leakage and contamination forensics. In two mocked digital forensic scenarios, for data leakage and contamination respectively, we tested the ability of PoL-DFA to identify data flows among multiple inputs and outputs of server programs. Our results show that PoL-DFA can accurately determine whether the data (or the processed results) from a source file or socket flow to a certain output channel. Based on this information, security administrators can pinpoint the path of data leakage or data contamination. Unlike existing dynamic DFA techniques that require an excessive amount of instrumentation, PoL-DFA only requires logging the execution traces of the processes being monitored. The measured performance overhead for server programs is 4.24%, on average. The results indicate PoL-DFA is a lightweight DFA solution for data leakage and contamination forensics.
AB - We introduce a novel Data Flow Analysis (DFA) technique, called PoL-DFA (Program-object Level Data Flow Analysis), to analyze the dynamic data flows of server programs. PoL-DFA symbolically analyzes every instruction in the execution trace of a process to keep track of the data flows among program objects (e.g., integers, structures, arrays), and concatenates these pieces of data flows to obtain the overall data flow graph of the execution. We leverage PoL-DFA to identify malicious data flows in data leakage and contamination forensics. In two mocked digital forensic scenarios, for data leakage and contamination respectively, we tested the ability of PoL-DFA to identify data flows among multiple inputs and outputs of server programs. Our results show that PoL-DFA can accurately determine whether the data (or the processed results) from a source file or socket flow to a certain output channel. Based on this information, security administrators can pinpoint the path of data leakage or data contamination. Unlike existing dynamic DFA techniques that require an excessive amount of instrumentation, PoL-DFA only requires logging the execution traces of the processes being monitored. The measured performance overhead for server programs is 4.24%, on average. The results indicate PoL-DFA is a lightweight DFA solution for data leakage and contamination forensics.
UR - http://www.scopus.com/inward/record.url?scp=84964841821&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84964841821&partnerID=8YFLogxK
U2 - 10.1145/2857705.2857747
DO - 10.1145/2857705.2857747
M3 - Conference contribution
AN - SCOPUS:84964841821
T3 - CODASPY 2016 - Proceedings of the 6th ACM Conference on Data and Application Security and Privacy
SP - 277
EP - 284
BT - CODASPY 2016 - Proceedings of the 6th ACM Conference on Data and Application Security and Privacy
PB - Association for Computing Machinery, Inc
T2 - 6th ACM Conference on Data and Application Security and Privacy, CODASPY 2016
Y2 - 9 March 2016 through 11 March 2016
ER -
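The abstract describes building an object-level data flow graph from an execution trace and then asking whether data from a given input channel (file or socket) reaches a given output channel. The following toy is an added illustration of that idea and is not the PoL-DFA implementation from the paper: the trace format (operation, destination object, source operands), the `in:`/`out:` channel naming, the sample trace and the per-object versioning are all assumptions made here. Versioning matters for an object-level analysis: once a buffer is overwritten or cleared, later writes from it must not inherit the flows it carried earlier, which a flat per-object graph would get wrong.

```python
"""Toy object-level data-flow graph built from an execution trace.

Added illustration only; not the paper's PoL-DFA code. Each trace entry is
(operation, destination object, source operands). Objects named "in:..." and
"out:..." stand for input and output channels (files, sockets); every other
name is a program object such as a buffer or an integer. Every write creates a
fresh version of its destination, so a cleared or overwritten buffer stops
carrying the data it held before.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Node = Tuple[str, int]                       # (object name, version)
Trace = List[Tuple[str, str, List[str]]]     # (op, dst, srcs)


def build_dfg(trace: Trace) -> Dict[Node, Set[Node]]:
    """Map each object version to the object versions it was computed from."""
    version: Dict[str, int] = defaultdict(int)   # current version per object
    preds: Dict[Node, Set[Node]] = defaultdict(set)
    for _op, dst, srcs in trace:
        # Read operands at their current versions *before* bumping dst, so
        # "counter <- counter + x" correctly refers to the old counter.
        src_nodes = {(s, version[s]) for s in srcs}
        version[dst] += 1
        preds[(dst, version[dst])] |= src_nodes
    return preds


def input_sources(preds: Dict[Node, Set[Node]], node: Node) -> Set[str]:
    """Walk the graph backwards from node and collect input channels reached."""
    found: Set[str] = set()
    seen: Set[Node] = set()
    stack = [node]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        if cur[0].startswith("in:"):
            found.add(cur[0])
        stack.extend(preds.get(cur, ()))
    return found


def leakage_report(trace: Trace) -> Dict[Node, Set[str]]:
    """For every write to an output channel, report which inputs reach it."""
    preds = build_dfg(trace)
    return {n: input_sources(preds, n) for n in preds if n[0].startswith("out:")}


def flows_to(trace: Trace, source: str, sink: str) -> bool:
    """True if data from `source` reaches any write to `sink` in the trace."""
    return any(source in srcs for n, srcs in leakage_report(trace).items()
               if n[0] == sink)


# Constructed sample trace of a small server handling two clients (assumption).
SAMPLE_TRACE: Trace = [
    ("read",   "buf_req",  ["in:socket:client_a"]),      # request from client A
    ("read",   "buf_key",  ["in:file:/srv/keys/api.key"]),
    ("memcpy", "buf_resp", ["buf_req"]),                  # echo part of the request
    ("write",  "out:socket:client_a", ["buf_resp"]),      # benign: A gets its own data
    ("memcpy", "buf_resp", ["buf_key"]),                  # buf_resp now holds key bytes
    ("write",  "out:socket:client_b", ["buf_resp"]),      # leak: key reaches client B
    ("memset", "buf_resp", []),                           # buffer cleared; old flow dies
    ("write",  "out:socket:client_b", ["buf_resp"]),      # no input reaches this send
    ("add",    "counter",  ["buf_req", "counter"]),       # derived from A's input
    ("write",  "out:file:/var/db/state", ["counter"]),    # contamination of the DB file
]

if __name__ == "__main__":
    for node, srcs in leakage_report(SAMPLE_TRACE).items():
        print(f"{node[0]} (write #{node[1]}): {sorted(srcs) or 'no input data'}")
```

Running the block lists, for each write to a channel, which inputs reached it: the second send to `client_b` reports the key file (the leakage path), the third send after `memset` reports nothing, and the state-file write reports `client_a` (the contamination path). A real trace would have far more instructions and the object boundaries would have to be recovered from the binary, which is what makes the paper's problem hard; the graph-and-reachability step itself is the simple part shown here.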