Phosphor: Illuminating Dynamic Data Flow in Commodity JVMs
Jonathan Bell and Gail Kaiser
Columbia University, New York, NY USA
OOPSLA 2014 @_jon_bell_ October 22, 2014
Dynamic Data Flow Analysis: Taint Tracking
[Diagram: Inputs -> Application -> Outputs. One input is flagged (“tainted”), and the diagram marks the output that is derived from tainted input.]

Taint Tracking: Applications
• End-user privacy testing: Does this application send my personal data to remote servers?
• SQL injection attack avoidance: Do SQL queries contain raw user input?
• Debugging: Which inputs are relevant to the current (crashed) application state?

Qualities of a Successful Analysis
• Soundness: No data leakage!
• Precision: Data is tracked with the right tag
• Performance: Minimal slowdowns
• Portability: No special hardware, OS, or JVM

“Normal” Taint Tracking
• Associate tags with data, then propagate the tags
• Approaches:
  • Operating System modifications [Vandebogart ’07], [Zeldovich ’06]
  • Language interpreter modifications [Chandra ’07], [Enck ’10], [Nair ’07], [Son ’13]
  • Source code modifications [Lam ’06], [Xu ’06]
  • Binary instrumentation of applications [Clause ’07], [Cheng ’06], [Kemerlis ’12]
Hard to be sound, precise, and performant
Not portable

Phosphor
• Leverages the benefits of interpreter-based approaches (information about variables) while remaining fully portable
• Instruments all byte code that runs in the JVM (including the JRE API) to track taint tags
  • Adds a variable (holding the taint tag) for each variable
  • Adds propagation logic

Key contribution:
How do we efficiently store meta-data for every variable without modifying the JVM itself?

JVM Type Organization
• Primitive Types
  • int, long, char, byte, etc.
• Reference Types
  • Arrays, instances of classes
  • All reference types are assignable to java.lang.Object

Phosphor’s taint tag storage
Type | Local variable | Method argument | Return value | Operand stack | Field
Object | Stored as a field of the object (all columns)
Object array | Stored as a field of each object (all columns)
Primitive | Shadow variable | Shadow argument | "Boxed" | Below the value on stack | Shadow field
Primitive array | Shadow array variable | Shadow array argument | "Boxed" | Array below value on stack | Shadow array field

Taint Propagation
• Modify all byte code instructions to be taint-aware by adding extra instructions
• Examples:
  • Arithmetic -> combine tags of inputs
  • Load variable to stack -> Also load taint tag to stack
  • Modify method calls to pass taint tags

Two big problems

Challenge 1: Type Mayhem
[Diagram: type hierarchy, annotated with whether each kind of type carries an extra (shadow) variable]
• java.lang.Object: Sometimes has extra variable!
• Primitive Types: Always has extra variable
• Primitive Arrays (instanceof java.lang.Object): Always has extra variable!
• Instances of classes (Objects) (instanceof java.lang.Object): Never has extra variable!

Challenge 1: Type Mayhem
    // Original: the static type byte[] is lost at the assignment to Object
    byte[] array = new byte[5];
    Object ret = array;
    return ret;

    // Instrumented: the array and its tag array are boxed into one reference
    int[] array_tag = new int[5];
    byte[] array = new byte[5];
    Object ret = new TaintedByteArray(array_tag, array);
    return ret;
Solution 1: Box taint tag with array when we lose type information

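The shadow-variable storage, tag propagation and array boxing from the preceding slides, written out at source level as an added example (hand-written Java, not code from the slides or from the Phosphor project). Assumptions: a tag is an int bit set and tags are combined with bitwise OR; the tag constants, the methods mix, fill and erase, and all values are constructed; TaintedInt and TaintedByteArray reuse the class names shown on the slides but are defined locally.

```java
import java.util.Arrays;

public class ShadowTaintDemo {
    // Constructed tag values. Assumption: a tag is an int bit set and tags
    // are combined with bitwise OR.
    static final int TAG_CONTACTS = 1;
    static final int TAG_LOCATION = 2;

    /** A primitive return value boxed together with its tag. */
    static final class TaintedInt {
        final int taint;
        final int val;
        TaintedInt(int taint, int val) { this.taint = taint; this.val = val; }
    }

    /** A primitive array boxed with its shadow array (one tag per element). */
    static final class TaintedByteArray {
        final int[] taint;
        final byte[] val;
        TaintedByteArray(int[] taint, byte[] val) { this.taint = taint; this.val = val; }
    }

    // Original:  static int mix(int a, int b) { int sum = a + b; return sum * 2; }
    // Instrumented: every argument and local gains a shadow variable, and the
    // primitive return value is boxed with its tag.
    static TaintedInt mix$$wrapper(int a_tag, int a, int b_tag, int b) {
        int sum_tag = a_tag | b_tag;      // arithmetic: combine tags of inputs
        int sum = a + b;
        int result_tag = sum_tag | 0;     // the constant 2 carries the empty tag
        int result = sum * 2;
        return new TaintedInt(result_tag, result);
    }

    // Original:  static void fill(byte[] buf, int off, int v) { buf[off] = (byte) v; }
    // Instrumented: an array store also stores the value's tag into the shadow
    // array. The index tag (off_tag) is passed along but not propagated here.
    static void fill$$wrapper(int[] buf_tag, byte[] buf, int off_tag, int off, int v_tag, int v) {
        buf_tag[off] = v_tag;
        buf[off] = (byte) v;
    }

    // Original:  static Object erase(byte[] buf) { return buf; }
    // Instrumented: the static type is lost at the conversion to Object, so the
    // array and its shadow array are boxed into one reference.
    static Object erase$$wrapper(int[] buf_tag, byte[] buf) {
        return new TaintedByteArray(buf_tag, buf);
    }

    /** Sink check: union of the tags on the data about to leave the process. */
    static int tagsAtSink(Object payload) {
        int tags = 0;
        if (payload instanceof TaintedByteArray) {
            for (int t : ((TaintedByteArray) payload).taint) {
                tags |= t;
            }
        }
        return tags;
    }

    public static void main(String[] args) {
        // Sources: two flagged inputs and one clean one (constructed values).
        int contacts_tag = TAG_CONTACTS, contacts = 40;
        int location_tag = TAG_LOCATION, location = 2;
        int clean_tag = 0, clean = 7;

        TaintedInt mixed = mix$$wrapper(contacts_tag, contacts, location_tag, location);
        TaintedInt harmless = mix$$wrapper(clean_tag, clean, clean_tag, clean);

        int[] buf_tag = new int[4];
        byte[] buf = new byte[4];
        fill$$wrapper(buf_tag, buf, 0, 0, mixed.taint, mixed.val);
        fill$$wrapper(buf_tag, buf, 0, 1, harmless.taint, harmless.val);

        // The payload travels as a plain Object, yet the per-element tags survive.
        Object payload = erase$$wrapper(buf_tag, buf);
        System.out.println("element tags: " + Arrays.toString(buf_tag));
        System.out.println("tags at sink: " + tagsAtSink(payload));
    }
}
```

Only the element written from the two flagged inputs carries a tag, which is the per-element precision the slides later contrast with one tag per array.
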
Challenge 2: Native Code
We can’t instrument everything!
    // A method whose call chain can end in a native method:
    public int hashCode() {
        return super.hashCode() * field.hashCode();
    }
    // A native method has no byte code to instrument:
    public native int hashCode();
Solution: Wrappers. Rename every method, and leave a wrapper behind
    // Wrapper for the native method: boxes the result with an empty tag (0)
    public TaintedInt hashCode$$wrapper() {
        return new TaintedInt(0, hashCode());
    }

Challenge 2: Native Code
Wrappers work both ways: native code can still call a method with the old signature
    // Old signature, kept for uninstrumented callers; passes an empty tag (0)
    public int[] someMethod(byte in)
    {
        return someMethod$$wrapper(0, in).val;
    }
    public TaintedIntArray someMethod$$wrapper(int in_tag, byte in)
    {
        //The original method "someMethod", but with taint tracking
    }

Design Limitations
• Tracking through native code
  • Return value’s tag becomes combination of all parameters (heuristic); not found to be a problem in our evaluation
• Tracks explicit data flow only (not through control flow)

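What the two limitations look like to someone reading the tags at a sink, as an added example (hand-written Java, not code from the slides or from the Phosphor project). Assumptions: tags are int bit sets combined with bitwise OR; the methods copy, isLarge and opaqueSecond, the tag constants and the values are constructed, and opaqueSecond stands in for a native method whose body cannot be instrumented.

```java
public class FlowLimitsDemo {
    // Constructed tag values (assumption: int bit sets combined with OR).
    static final int TAG_SECRET = 1;
    static final int TAG_OTHER = 2;

    /** A primitive return value boxed together with its tag. */
    static final class TaintedInt {
        final int taint;
        final int val;
        TaintedInt(int taint, int val) { this.taint = taint; this.val = val; }
    }

    // Explicit flow: the value is copied, so the tag is copied with it.
    // Original:  static int copy(int secret) { int out = secret; return out; }
    static TaintedInt copy$$wrapper(int secret_tag, int secret) {
        int out_tag = secret_tag;
        int out = secret;
        return new TaintedInt(out_tag, out);
    }

    // Implicit flow: the secret only decides which constant is assigned.
    // Original:  static int isLarge(int secret) { int out = 0; if (secret > 100) out = 1; return out; }
    static TaintedInt isLarge$$wrapper(int secret_tag, int secret) {
        int out_tag = 0;                  // tag of the constant 0
        int out = 0;
        if (secret > 100) {               // the condition's tag is not propagated
            out_tag = 0;                  // tag of the constant 1
            out = 1;
        }
        return new TaintedInt(out_tag, out);
    }

    // Stand-in for a native method: the instrumenter cannot see that only the
    // second argument reaches the return value.
    static int opaqueSecond(int a, int b) {
        return b;
    }

    // Wrapper applying the heuristic from the slide: the return value's tag
    // is the combination of the tags of all parameters.
    static TaintedInt opaqueSecond$$wrapper(int a_tag, int a, int b_tag, int b) {
        return new TaintedInt(a_tag | b_tag, opaqueSecond(a, b));
    }

    public static void main(String[] args) {
        TaintedInt copied = copy$$wrapper(TAG_SECRET, 500);
        TaintedInt branched = isLarge$$wrapper(TAG_SECRET, 500);
        TaintedInt viaNative = opaqueSecond$$wrapper(TAG_SECRET, 500, TAG_OTHER, 9);

        System.out.println("explicit copy:    value=" + copied.val + " tag=" + copied.taint);
        System.out.println("control flow:     value=" + branched.val + " tag=" + branched.taint);
        System.out.println("native heuristic: value=" + viaNative.val + " tag=" + viaNative.taint);
    }
}
```

The control-flow result depends on the secret yet arrives with an empty tag, while the native wrapper's result carries TAG_SECRET although only the second argument was returned: the first is a missed flow, the second an over-approximation.
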
Evaluation
• Soundness & Precision
• Performance
• Portability

Soundness & Precision
• DroidBench - series of unit tests for Java taint tracking
• Passed all except for implicit flows (intended behavior)

Performance
• Macrobenchmarks (DaCapo, Scalabench)
• Microbenchmarks
  • Versus TaintDroid [Enck, 2010] on CaffeineMark
  • Versus Trishul [Nair, 2008] on JavaGrande

Macrobenchmarks
Phosphor Relative Runtime Overhead (Hotspot 7)
Average: 53.3%
[Bar chart: relative runtime overhead (axis 0% to 250%) per benchmark. dacapo: avrora, batik, eclipse, fop, h2, jython, luindex, lusearch, pmd, sunflow, tomcat, tradebeans, tradesoap, xalan. scalabench: actors, apparat, factorie, kiama, scaladoc, scalap, scalariform, scalatest, scalaxb, specs, tmt.]

Macrobenchmarks
Phosphor Relative Memory Overhead (Hotspot 7)
Average: 270.9%
[Bar chart: relative memory overhead (axis 0% to 900%) per benchmark, for the same dacapo and scalabench benchmarks as the runtime chart.]

Microbenchmarks
Phosphor (Hotspot 7) and Trishul Relative Overhead
[Bar chart: relative runtime overhead (axis 0% to 120%) on the Arithmetic, Assign, Cast, Create, Exception, Loop, Math, Method and Serial microbenchmarks; labels: Phosphor, Trishul, Kaffe.]

Microbenchmarks: Taintdroid
• Taintdroid: Taint tracking for Android’s Dalvik VM [Enck, 2010]
• Not very precise: one tag per array (not per array element!)
• Applied Phosphor to Android!

Microbenchmarks
Phosphor and Taintdroid Relative Overhead
[Bar chart: relative runtime overhead (axis 0% to 200%) on the String Buffer, Sieve, Method, Loop, Logic and Float benchmarks, with a callout marking the array-heavy benchmarks; series: Taintdroid 4.3, Phosphor (Android 4.3).]

Portability
JVM | Version(s) | Success?
Oracle (Hotspot) | 1.7.0_45, 1.8.0_0 | Yes
OpenJDK | 1.7.0_45, 1.8.0_0 | Yes
Android Dalvik | 4.3.1 | Yes
Apache Harmony | 6.0M3 | Yes
Kaffe VM | 1.1.9 | Yes
Jikes RVM | 3.1.3 | No, but may be possible with more work

Future Work & Extension
• This is a general approach for tracking metadata with variables in unmodified JVMs
• Could track any sort of data in principle
• We have already extended this approach to track path constraints on inputs

Phosphor: Illuminating Dynamic Data Flow in Commodity JVMs
Jonathan Bell and Gail Kaiser
Columbia University
jbell@cs.columbia.edu @_jon_bell_
Fork me on GitHub: https://github.com/Programming-Systems-Lab/Phosphor
[Badge: OOPSLA Artifact Evaluated (AEC): Consistent, Complete, Well Documented, Easy to Reuse]


  • 1. Phosphor: Illuminating Dynamic Data Flow in Commodity JVMs Jonathan Bell and Gail Kaiser Columbia University, New York, NY USA Fork me on Github OOPSLA 2014 @_jon_bell_ October 22, 2014
  • 2. Dynamic Data Flow Analysis: Taint Tracking Output that is derived from tainted input Inputs Application Outputs Flagged (“Tainted”) Input
  • 3. Taint Tracking: Applications • End-user privacy testing: Does this application send my personal data to remote servers? • SQL injection attack avoidance: Do SQL queries contain raw user input? • Debugging: Which inputs are relevant to the current (crashed) application state?
  • 4. Qualities of a Successful Analysis
  • 5. Soundness No data leakage!
  • 6. Precision Data is tracked with the right tag
  • 7. Performance Minimal slowdowns
  • 8. Portability No special hardware, OS, or JVM
  • 9. “Normal” Taint Tracking • Associate tags with data, then propagate the tags • Approaches: • Operating System modifications [Vandebogart ’07], [Zeldovich ’06] • Language interpreter modifications [Chandra ’07], [Enck ’10], [Nair ’07], [Son ’13] • Source code modifications [Lam ’06], [Xu ’06] • Binary instrumentation of applications [Clause ’07], [Cheng ’06], [Kemerlis ’12] Hard to be sound, precise, and performant Not portable
  • 10. Phosphor • Leverages benefits of interpreter-based approaches (information about variables) but fully portably • Instruments all byte code that runs in the JVM (including the JRE API) to track taint tags • Add a variable for each variable • Adds propagation logic
  • 11. Key contribution: How do we efficiently store meta-data for every variable without modifying the JVM itself?
  • 12. JVM Type Organization • Primitive Types • int, long, char, byte, etc. • Reference Types • Arrays, instances of classes • All reference types are assignable to java.lang.Object
  • 13. Phosphor’s taint tag storage • Object: Stored as a field of the object • Object array: Stored as a field of each object • Primitive: Shadow variable (local variable); Shadow argument (method argument); "Boxed" (return value); Below the value on stack (operand stack); Shadow field (field) • Primitive array: Shadow array variable (local variable); Shadow array argument (method argument); "Boxed" (return value); Array below value on stack (operand stack); Shadow array field (field)
  • 14. Taint Propagation • Modify all byte code instructions to be taint-aware by adding extra instructions • Examples: • Arithmetic -> combine tags of inputs • Load variable to stack -> Also load taint tag to stack • Modify method calls to pass taint tags
  • 15. Two big problems
  • 16. Challenge 1: Type Mayhem java.lang.Object Primitive Types Sometimes has extra variable! instanceof instanceof Instances of classes (Objects) Primitive Arrays Always has extra variable! Always has extra variable Never has extra variable!
  • 17. Challenge 1: Type Mayhem
        byte[] array = new byte[5];
        Object ret = array;
        return ret;

        int[] array_tag = new int[5];
        byte[] array = new byte[5];
        Object ret = new TaintedByteArray(array_tag,array);
    Solution 1: Box taint tag with array when we lose type information
  • 18. Challenge 2: Native Code We can’t instrument everything!
  • 19. Challenge 2: Native Code
        public int hashCode() {
            return super.hashCode() * field.hashCode();
        }

        public native int hashCode();
    Solution: Wrappers. Rename every method, and leave a wrapper behind
  • 20. Challenge 2: Native Code
        public int hashCode() {
            return super.hashCode() * field.hashCode();
        }

        public native int hashCode();
    Solution: Wrappers. Rename every method, and leave a wrapper behind
        public TaintedInt hashCode$$wrapper() {
            return new TaintedInt(0, hashCode());
        }
  • 21. Challenge 2: Native Code Wrappers work both ways: native code can still call a method with the old signature
        public int[] someMethod(byte in)
  • 22. Challenge 2: Native Code Wrappers work both ways: native code can still call a method with the old signature
        public int[] someMethod(byte in)

        public TaintedIntArray someMethod$$wrapper(int in_tag, byte in) {
            //The original method "someMethod", but with taint tracking
        }
  • 23. Challenge 2: Native Code Wrappers work both ways: native code can still call a method with the old signature
        public int[] someMethod(byte in) {
            return someMethod$$wrapper(0, in).val;
        }

        public TaintedIntArray someMethod$$wrapper(int in_tag, byte in) {
            //The original method "someMethod", but with taint tracking
        }
  • 25. Design Limitations • Tracking through native code • Return value’s tag becomes combination of all parameters (heuristic); not found to be a problem in our evaluation • Tracks explicit data flow only (not through control flow)
  • 26. Evaluation • Soundness & Precision • Performance • Portability
  • 27. Soundness & Precision • DroidBench - series of unit tests for Java taint tracking • Passed all except for implicit flows (intended behavior)
  • 28. Performance • Macrobenchmarks (DaCapo, Scalabench) • Microbenchmarks • Versus TaintDroid [Enck, 2010] on CaffeineMark • Versus Trishul [Nair, 2008] on JavaGrande
  • 29. Macrobenchmarks [Bar chart: Phosphor Relative Runtime Overhead (Hotspot 7), per benchmark for the dacapo and scalabench suites; y-axis: Relative Runtime Overhead] Average: 53.3%
  • 30. Macrobenchmarks [Bar chart: Phosphor Relative Memory Overhead (Hotspot 7), per benchmark for the dacapo and scalabench suites; y-axis: Relative Memory Overhead] Average: 270.9%
  • 31. Microbenchmarks [Bar chart: Phosphor (Hotspot 7) and Trishul Relative Overhead; categories: Arithmetic, Assign, Cast, Create, Exception, Loop, Math, Method, Serial; y-axis: Relative Runtime Overhead; legend: Phosphor, Trishul]
  • 32. Microbenchmarks [Bar chart: Phosphor (Hotspot 7) and Trishul Relative Overhead; categories: Arithmetic, Assign, Cast, Create, Exception, Loop, Math, Method, Serial; y-axis: Relative Runtime Overhead; legend: Phosphor, Trishul, Kaffe]
  • 33. Microbenchmarks: Taintdroid • Taintdroid: Taint tracking for Android’s Dalvik VM [Enck, 2010] • Not very precise: one tag per array (not per array element!) • Applied Phosphor to Android!
  • 34. Microbenchmarks [Bar chart: Phosphor and Taintdroid Relative Overhead; annotation: Array-heavy benchmarks; categories: String Buffer, Sieve, Method, Loop, Logic, Float; y-axis: Relative Runtime Overhead; legend: Taintdroid 4.3, Phosphor (Android 4.3)]
  • 35. Portability (JVM / Version(s) / Success?) • Oracle (Hotspot) / 1.7.0_45, 1.8.0_0 / Yes • OpenJDK / 1.7.0_45, 1.8.0_0 / Yes • Android Dalvik / 4.3.1 / Yes • Apache Harmony / 6.0M3 / Yes • Kaffe VM / 1.1.9 / Yes • Jikes RVM / 3.1.3 / No, but may be possible with more work
  • 36. Future Work & Extension • This is a general approach for tracking metadata with variables in unmodified JVMs • Could track any sort of data in principle • We have already extended this approach to track path constraints on inputs
  • 38. Fork me on Github Phosphor: Illuminating Dynamic Data Flow in Commodity JVMs Jonathan Bell and Gail Kaiser Columbia University jbell@cs.columbia.edu @_jon_bell_ https://github.com/Programming-Systems-Lab/Phosphor
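
The storage and wrapper scheme from slides 13, 14, 17 and 19 to 23, written out by hand as an added example; it is not Phosphor's generated bytecode or code from the Phosphor project. The methods scale and wrap, the field name taint, the use of bitwise OR to combine tags and the tag value SECRET are assumptions made for the illustration.

```java
// Hand-written sketch of the transformation described on the slides.
public class ShadowDemo {
    // Boxed types named on the slides; the field name "taint" is assumed.
    static final class TaintedInt {
        final int taint, val;
        TaintedInt(int taint, int val) { this.taint = taint; this.val = val; }
    }
    static final class TaintedByteArray {
        final int[] taint; final byte[] val;
        TaintedByteArray(int[] taint, byte[] val) { this.taint = taint; this.val = val; }
    }

    // Original (hypothetical): int scale(int a, int b) { return a * b + 1; }
    // Instrumented form: every primitive argument gains a shadow argument,
    // every primitive local gains a shadow variable, the return value is boxed.
    static TaintedInt scale$$wrapper(int a_tag, int a, int b_tag, int b) {
        int prod_tag = a_tag | b_tag;  // arithmetic combines input tags (OR assumed)
        int prod = a * b;
        int sum_tag = prod_tag;        // the constant 1 carries tag 0
        int sum = prod + 1;
        return new TaintedInt(sum_tag, sum);
    }

    // The old signature stays behind for uninstrumented (native) callers:
    // they cannot supply tags, so every tag defaults to 0.
    static int scale(int a, int b) { return scale$$wrapper(0, a, 0, b).val; }

    // Original (hypothetical): Object wrap(byte[] in) { return in; }
    // The upcast to Object drops the array type, so the shadow array is boxed
    // together with the value instead of travelling beside it.
    static Object wrap$$wrapper(int[] in_tag, byte[] in) {
        return new TaintedByteArray(in_tag, in);
    }

    public static void main(String[] args) {
        final int SECRET = 1;  // constructed tag value
        TaintedInt r = scale$$wrapper(SECRET, 6, 0, 7);
        System.out.println("instrumented call: val=" + r.val + " tag=" + r.taint);
        System.out.println("old signature:     val=" + scale(6, 7));

        byte[] data = {10, 20, 30};      // constructed sample data
        int[] tags = {0, SECRET, 0};     // one tag per array element
        TaintedByteArray boxed = (TaintedByteArray) wrap$$wrapper(tags, data);
        System.out.println("element 1: val=" + boxed.val[1] + " tag=" + boxed.taint[1]);
    }
}
```

The call through the old signature returns the same value with no tag attached, which is the native-code boundary that slide 25 lists as a design limitation.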