FASE: Functionality-Aware Security Enforcement
ACSAC'16 (2016) (to appear)
Petar Tsankov, Marco Pistoia, Omer Tripp, Martin Vechev, Pietro Ferrara
Dynamic information-flow enforcement systems automatically protect applications against confidentiality and integrity threats. Unfortunately, existing solutions cause undesirable side effects, if not crashes, due to unconstrained modification of run-time values (e.g. anonymizing sensitive identifiers even when these are used for authentication). To address this problem, we present Functionality-Aware Security Enforcement (FASE), a lightweight approach for efficiently securing applications without breaking their functionality. The key idea is to let developers specify functionality constraints and then use a run-time synthesizer to replace sensitive values with constraint-compliant ones. Concretely, FASE consists of: (1) an efficient fine-grained data-flow-tracking engine, (2) a domain-specific language (DSL) for expressing functionality constraints, (3) a synthesizer that derives constraint-compliant values at security-sensitive operations, and (4) an enforcement mechanism that automatically repairs illicit flows at run time. We instantiated FASE to the problem of securing Android applications. Our experiments show that the FASE system is useful in practice: Its average run-time overhead is <12%; it avoids the crashes, side effects, and run-time errors exhibited by existing solutions; and the constraints in the FASE DSL are readable and concise.