Skip to main content
SpringerLink
Log in

Tailoring Taint Analysis to GDPR

  • Conference paper
  • First Online:
Book cover Privacy Technologies and Policy (APF 2018)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11079))

Included in the following conference series:

Abstract

Static analysis is the analysis of software at compile time without executing it. Its goal is to explore all execution paths without needing specific inputs to drive the execution. Thanks to its wide coverage, this approach, and in particular taint analysis, has been widely applied to detect security vulnerabilities like SQL injections and XSS. The European General Data Protection Regulation requires all controllers of sensitive data to enforce an approach based on privacy by design and by default. In such context, verification and testing techniques can be applied to check if the system implementation follows the constraints identified at design time. Therefore, static program analysis might be applied to track how sensitive data is automatically managed by a software, and if such software could leak some of this data.

In this paper, we formalize and discuss how taint analysis can be extended and augmented in order to detect potential unintended leakages of sensitive data. Starting from the specification of how sensitive data is retrieved and it could be leaked, and what types of leakages are allowed by the privacy policy established by the controller of sensitive data, we apply standard taint analysis to detect potential leakages, we reconstruct the flow to check if the flow is allowed or not, and we report full details about all the flows not allowed by the privacy policy. This approach has been implemented on the Julia static analysis, and we report some promising experimental results on the OWASP WebGoat benchmark.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679.

  2. 2.

    https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-does-data-protection-design-and-default-mean_en.

  3. 3.

    The source code can be found at https://github.com/WebGoat/WebGoat-Legacy/releases/tag/v6.0.1.

  4. 4.

    The Open Web Application Security Project, available at the web address https://www.owasp.org/index.php/Main_Page.

  5. 5.

    https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project.

  6. 6.

    How to abstract heap locations is an orthogonal problem that has been deeply investigated by the static analysis research community. We refer the interested reader to [13, 17] for more details.

  7. 7.

    The construction of the static call graph is an orthogonal problem that has been widely investigate by the static analysis community. We refer the interested reader to [16, 26] for more detail.

References

  1. Absint. https://www.absint.com/

  2. Grammatech. https://www.grammatech.com/

  3. Arzt, S., et al.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In: Proceedings of PLDI 2014. ACM (2014)

    Google Scholar 

  4. Blanchet, B., et al.: A static analyzer for large safety-critical software. In: Proceedings of PLDI 2003. ACM (2003)

    Google Scholar 

  5. Burato, E., Ferrara, P., Spoto, F.: Security analysis of the OWASP benchmark with Julia. In: Proceedings of ITASEC 2017 (2017)

    Google Scholar 

  6. Clarke Jr., E.M., Grumberg, O., Peled, D.A.: Model Checking. MIT Press, Cambridge (1999)

    Google Scholar 

  7. Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proceedings of POPL 1977. ACM Press (1977)

    Google Scholar 

  8. Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: Proceedings of POPL 1979. ACM Press (1979)

    Google Scholar 

  9. Cousot, P., Cousot, R.: Abstract interpretation: past, present and future. In: Proceedings of CSL-LICS 2014. ACM (2014)

    Google Scholar 

  10. Denning, D.E., Denning, P.J.: Certification of programs for secure information flow. Commun. ACM 20(7), 504–513 (1977)

    Article  Google Scholar 

  11. Enck, W., et al.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. 32(2), 5 (2014)

    Article  Google Scholar 

  12. Ernst, M.D., Lovato, A., Macedonio, D., Spiridon, C., Spoto, F.: Boolean formulas for the static identification of injection attacks in Java. In: Davis, M., Fehnker, A., McIver, A., Voronkov, A. (eds.) LPAR 2015. LNCS, vol. 9450, pp. 130–145. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48899-7_10

    Chapter  MATH  Google Scholar 

  13. Ferrara, P.: Generic combination of heap and value analyses in abstract interpretation. In: McMillan, K.L., Rival, X. (eds.) VMCAI 2014. LNCS, vol. 8318, pp. 302–321. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54013-4_17

    Chapter  MATH  Google Scholar 

  14. Ferrara, P., Spoto, F.: Static analysis for GDPR compliance. In: Proceedings of ITASEC 2018 (2018)

    Google Scholar 

  15. Ferrara, P., Tripp, O., Pistoia, M.: Morphdroid: fine-grained privacy verification. In: Proceedings of ACSAC 2015. ACM (2015)

    Google Scholar 

  16. Grove, D., DeFouw, G., Dean, J., Chambers, C.: Call graph construction in object oriented languages. In: Proceedings of OOPSLA 1997. ACM (1997)

    Google Scholar 

  17. Hind, M.: Pointer analysis: haven’t we solved this problem yet? In: Proceedings of PASTE 2001. ACM (2001)

    Google Scholar 

  18. Kildall, G.A.: A unified approach to global program optimization. In: Proceedings of the 1st Annual ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages. POPL 1973. ACM, New York (1973)

    Google Scholar 

  19. Mathworks: Polyspace. https://www.mathworks.com/products/polyspace.html

  20. Myers, A.C.: JFlow: practical mostly-static information flow control. In: Proceedings of POPL 1999. ACM (1999)

    Google Scholar 

  21. Nielson, F., Nielson, H.R., Hankin, C.: Principles of Program Analysis. Springer, New York (1999)

    Book  Google Scholar 

  22. OWASP: Top 10 project 2017, March 2018. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

  23. Pierce, B.C.: Types and Programming Languages, 1st edn. The MIT Press, Cambridge (2002)

    MATH  Google Scholar 

  24. Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Sel. A. Commun. 21(1), 5–19 (2006)

    Article  Google Scholar 

  25. Spoto, F.: The Julia static analyzer for Java. In: Rival, X. (ed.) SAS 2016. LNCS, vol. 9837, pp. 39–57. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53413-7_3

    Chapter  Google Scholar 

  26. Tip, F., Palsberg, J.: Scalable propagation-based call graph construction algorithms. In: Proceedings of OOPSLA 2000. ACM, New York (2000)

    Article  Google Scholar 

  27. Tripp, O., Pistoia, M., Fink, S.J., Sridharan, M., Weisman, O.: TAJ: effective taint analysis of web applications. In: Proceedings of PLDI 2009. ACM (2009)

    Google Scholar 

  28. Wikipedia: Static program analysis. https://en.wikipedia.org/wiki/Static_program_analysis

Download references

Author information

Authors and Affiliations

  1. JuliaSoft SRL, Verona, Italy

    Pietro Ferrara & Luca Olivieri

  2. Università di Verona, Verona, Italy

    Fausto Spoto

Authors
  1. Pietro Ferrara
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Luca Olivieri
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Fausto Spoto
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Pietro Ferrara .

Editor information

Editors and Affiliations

  1. Universitat Politècnica de Catalunya, Barcelona, Spain

    Manel Medina

  2. ENISA, Maroussi, Greece

    Andreas Mitrakas

  3. Goethe University Frankfurt, Frankfurt am Main, Germany

    Kai Rannenberg

  4. University of Vienna, Vienna, Austria

    Erich Schweighofer

  5. Telefónica, Madrid, Spain

    Nikolaos Tsouroulas

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ferrara, P., Olivieri, L., Spoto, F. (2018). Tailoring Taint Analysis to GDPR. In: Medina, M., Mitrakas, A., Rannenberg, K., Schweighofer, E., Tsouroulas, N. (eds) Privacy Technologies and Policy. APF 2018. Lecture Notes in Computer Science(), vol 11079. Springer, Cham. https://doi.org/10.1007/978-3-030-02547-2_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-02547-2_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-02546-5

  • Online ISBN: 978-3-030-02547-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation