JP2016040698A - Taint analysis device, taint analysis method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technology that can control the operation of an application along a privacy policy.SOLUTION: A specification part 10 specifies, on the basis of a privacy policy PP including the type of user information and a transmission destination of the user information used in a service, the type and transmission destination of the user information. A taint analysis part 200 applies a taint tag to the user information when an application executes processing of acquiring the user information of the type specified by the specification part 10, and determines whether or not the taint tag is applied to information to be transmitted when the application executes processing of transmitting the information. A control part 201 performs, when the taint tag is determined to have been applied, control to permit or refuse the transmission according to whether or not the transmission destination of the information to be transmitted and the transmission destination specified by the specification part 10 coincide with each other.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a taint analysis technique used for verifying vulnerability of an application or detecting information leakage.

  A service provider that provides a service such as a Web service obtains user information regarding the user of the service from the user terminal, and provides the service using the user information. The service provider has established a privacy policy indicating how to handle user information. The privacy policy needs to include three basic elements: the type of user information, the purpose of use, and the entity (service provider) that uses the user information. By confirming this privacy policy, the user of the service can grasp how his / her information is handled, and can determine whether or not to use the service.

  On the other hand, the mobile OS defines an API (Application Programming Interface), which is a set of functions for acquiring personal information of users, so that applications can acquire personal information of users using APIs. is there. In order to restrict API functions, there is an API restriction function called permission. Unless the information or function used by the application is declared as permission and the user's permission is obtained, API functions cannot be executed.

  Further, as a method of analyzing what information is handled by the application program, there is a method called Taint (contamination) analysis. In taint analysis, a tag that uniquely identifies a property (taint tag) is attached to information with a specific property, and the information is used by propagating the tag when that information is used. It is a method to analyze whether or not. In general, a taint analysis includes three elements: an information source Source to which a taint tag is attached, a mechanism Propagation for propagating the taint tag, and a sink indicating a point for monitoring the propagated taint tag.

  There are mainly two methods for using the taint analysis. One method is vulnerability verification. The cause of the program error is that the input information reaches an output that should not be reached. In order to detect this, a method has been proposed in which a taint tag is assigned to input information, and the vulnerability is verified by determining whether or not the information to which the taint tag is attached reaches the output. .

  Another method is information leakage detection. There has been proposed a method for detecting information leakage by assigning a taint tag to important information acquired by the program and determining whether the information to which the taint tag is attached reaches the output related to external transmission. Yes. Non-Patent Document 1 discloses a method for realizing leakage of personal information in a system in which Android (registered trademark) is implemented by taint analysis.

William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones”, In Proc. Of the USENIX Symposium on Operating Systems Design and Implementation (OSDI), October 2010 in Vancouver

  In determining the safety of an application, it is important whether the application is operating according to the privacy policy. For example, in the privacy policy of an application that sends an address book and an ID that identifies an individual at the same time, “What information: address information”, “For what: Searching for your friends in the service provided”, “ If "Where: To our management server" is specified, the application is not an unauthorized application that leaks information.

  The API restriction function can control the acquisition of information, but cannot track where the information is sent by tracking the flow of information acquired by the application. Therefore, the information used by the application cannot be restricted according to the privacy policy.

  In the taint analysis, each time an application requests execution of a function for acquiring information (corresponding to a source) or a function for outputting information (corresponding to a sink), a taint tag is assigned or determined. In other words, the processing related to taint analysis is executed at the time of execution of all applications that execute a function that acquires information or a function that outputs information. Since uniform taint analysis is performed for all applications, different taint analysis cannot be performed for each application. That is, the operation of the application cannot be controlled according to the privacy policy of each application.

  The present invention provides a technique capable of controlling the operation of an application in accordance with a privacy policy.

  The present invention provides, based on a privacy policy including a type of user information used by a service and a destination of the user information, a specifying unit for specifying the type of the user information and the destination, and the specification When a process for acquiring the user information of the type specified by the section is executed by an application, a taint tag is given to the user information, and when a process for transmitting information by the application is executed, A taint analysis unit that determines whether or not the taint tag is attached to the information, and when it is determined that the taint tag is attached, the transmission destination of the information to be transmitted and the identification unit specified by the specifying unit A control unit that performs control to permit or deny transmission according to whether or not the destination matches. It is a door analyzer.

  In the taint analysis device of the present invention, the specifying unit further specifies a permission related to acquisition of user information on the basis of a manifest file including permission information used by the application, and corresponds to the specified permission. The type of user information is specified by determining whether or not the type of user information to be included is included in the privacy policy.

  In the taint analysis device of the present invention, the privacy policy further includes processing information for processing the user information, and the specifying unit further performs processing for processing the user information based on the privacy policy. The taint analysis device is further specified by the specifying unit with respect to the user information when a process of acquiring the user information of the type specified by the specifying unit is executed by an application. And a processing unit for executing the processing.

  In addition, the present invention is based on a privacy policy including a type of user information used by a service and a transmission destination of the user information, and a specifying step of specifying the type of the user information and the transmission destination; A taint tag is added to the user information when the process of acquiring the user information of the type specified in the specifying step is executed by the application, and the process is transmitted when the process of transmitting information is executed by the application The taint analysis step for determining whether or not the taint tag is attached to the target information, and the transmission destination of the information to be transmitted and the identification step are determined when it is determined that the taint tag is attached. And a control step for performing control to permit or deny transmission according to whether or not the destination matches. It is tainted analyzing method comprising Rukoto.

  In addition, the present invention is based on a privacy policy including a type of user information used by a service and a transmission destination of the user information, and a specifying step of specifying the type of the user information and the transmission destination; A taint tag is added to the user information when the process of acquiring the user information of the type specified in the specifying step is executed by the application, and the process is transmitted when the process of transmitting information is executed by the application The taint analysis step for determining whether or not the taint tag is attached to the target information, and the transmission destination of the information to be transmitted and the identification step are determined when it is determined that the taint tag is attached. A control step for performing control to permit or deny transmission according to whether or not the destination matches. Is a program to be executed by a computer.

  According to the present invention, when a taint tag is attached to the type of user information specified in the privacy policy, and the user information to which the taint tag is attached is transmitted to the destination specified in the privacy policy. Depending on the transmission, it is permitted or denied. Thereby, the operation of the application can be controlled in accordance with the privacy policy.

It is a block diagram which shows the structure of the taint analyzer by the 1st Embodiment of this invention. It is a reference figure which shows the content of the privacy policy in the 1st Embodiment of this invention. It is a reference figure which shows the content of the privacy policy in the 1st Embodiment of this invention. It is a flowchart which shows the procedure of operation | movement of the taint analyzer by the 1st Embodiment of this invention. It is a block diagram which shows the structure of the taint analyzer by the 2nd Embodiment of this invention. It is a flowchart which shows the procedure of operation | movement of the taint analysis apparatus by the 2nd Embodiment of this invention. It is a block diagram which shows the structure of the taint analyzer by the 3rd Embodiment of this invention. It is a flowchart which shows the procedure of operation | movement of the taint analysis apparatus by the 3rd Embodiment of this invention. It is a reference figure which shows the content of the privacy policy in the 3rd Embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

(First embodiment)
First, a first embodiment of the present invention will be described. FIG. 1 shows the configuration of a taint analyzer 1 according to this embodiment. For example, the taint analysis device 1 is a part of a user terminal (a mobile terminal such as a smartphone) possessed by the user. As shown in FIG. 1, the taint analysis device 1 includes a specifying unit 10 and an execution unit 20.

  For example, when the user terminal downloads an application from the marketplace, the user terminal reads a web page including a link to the privacy policy PP. The user terminal connects to the Web server indicated by the link and downloads the privacy policy PP. The acquired privacy policy PP is held in the taint analysis apparatus 1.

  The specifying unit 10 specifies the type of user information and the transmission destination based on the privacy policy PP including the type of user information used by the service and the transmission destination of the user information. The specifying unit 10 includes a user information specifying unit 100 and a transmission destination specifying unit 101. The user information specifying unit 100 specifies the type of user information based on the privacy policy PP. The transmission destination specifying unit 101 specifies a transmission destination based on the privacy policy PP.

  The execution unit 20 is a subject that executes an application. For example, the execution unit 20 is an application execution engine. The execution unit 20 may perform processing related to so-called propagation that propagates the taint tag. For example, when a calculation using information with a taint tag is performed, the execution unit 20 adds a taint tag to the calculation result.

  The execution unit 20 further performs taint analysis and control according to the analysis result. The execution unit 20 includes a taint analysis unit 200 and a control unit 201. The taint analysis unit 200 adds a taint tag to the user information when the process of acquiring the type of user information specified by the specifying unit 10 is executed by the application, and the process of transmitting information by the application is executed. Sometimes it is determined whether or not a taint tag is added to the information to be transmitted. When it is determined that the taint tag is assigned, the control unit 201 permits or rejects transmission according to whether the transmission destination of the information to be transmitted matches the transmission destination specified by the specifying unit 10 or not. Control.

  The functions of the specifying unit 10 and the execution unit 20 can be realized as a software function by, for example, a computer reading and executing a program including instructions that define the operation of each unit. The program may be provided by a “computer-readable recording medium” such as a flash memory. Further, the above-described program is input to the taint analysis device 1 by being transmitted to the taint analysis device 1 through a transmission medium or by a transmission wave in the transmission medium from a computer storing the program in a storage device or the like. May be. Here, the “transmission medium” for transmitting the program is a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. Further, the above-described program may realize a part of the functions described above. Furthermore, the above-described program may be a so-called difference file (difference program) that can realize the above-described function in combination with a program already recorded in the computer.

  FIG. 2 shows the contents of a privacy policy PP1, which is a first example of the privacy policy PP. The privacy policy PP1 is an example of a simple privacy policy.

  As shown in FIG. 2, the privacy policy PP1 includes a user information type 110, a purpose of use 120, and an entity 130 that uses the user information. The user information type 110 includes location information 111, contact information 112, and music data 113. The main body 130 using the user information indicates the transmission destination of the user information.

  FIG. 3 shows the contents of a privacy policy PP2, which is a second example of the privacy policy PP. The privacy policy PP2 is an example of a detailed privacy policy.

  As shown in FIG. 3, the privacy policy PP2 includes user information types 140, 141, 142, purposes of use 150, 151, 152, and entities 160, 161, 162 that use the user information. Each piece of information is associated with each piece of user information.

  The user information type 140 indicates position information. The purpose of use 150 and the main body 160 that uses the user information are associated with the user information type 140. The user information type 141 indicates a contact information. A purpose 151 of use and a subject 161 that uses the user information are associated with the type 141 of user information. The user information type 142 indicates music data. A purpose of use 152 and a subject 162 that uses the user information are associated with the user information type 142. The entities 160, 161, and 162 that use user information indicate transmission destinations of user information.

  FIG. 4 shows an operation procedure of the taint analysis apparatus 1. The operation of the taint analysis apparatus 1 will be described with reference to FIG.

  When the process is started, the user information specifying unit 100 specifies the type of user information based on the privacy policy PP (step S100). For example, user information acquired by an application for Firefox (registered trademark), which is one of the OSs, includes contact information, location information, cookies, and content information (images, sounds, etc.).

  After the type of user information is specified, the transmission destination specifying unit 101 specifies the transmission destination based on the privacy policy PP (step S110). When the destination information is the name of the service provider, the following may be performed. For example, the transmission destination specifying unit 101 receives a list from a server that manages a list in which service provider names and domain information are associated with each other, and the domain corresponding to the service provider name is received from the received list. Information may be acquired. Or the transmission destination specific | specification part 101 may transmit the name of a service provider to the server which manages said list | wrist, and may receive the domain information corresponding to the name of a service provider from a server.

  The process of step S100 and step S110 may be performed in the reverse order. The specifying unit 10 notifies the execution unit 20 of information indicating the type of user information specified in step S100 and information indicating the transmission destination specified in step S110.

  When the privacy policy PP is described in a certain format, it is easy to identify the type of user information and the transmission destination. When the privacy policy PP is described in a free format, the type of user information and the transmission destination may be identified using a natural language processing technique such as morphological analysis.

  After the transmission destination is specified, the execution unit 20 executes the application (step S120). During execution of the application, the taint analysis unit 200 determines whether or not the type of user information specified by the specifying unit 10 has been acquired (step S130). If the type of user information specified by the specifying unit 10 has not been acquired, the taint analysis unit 200 continues the determination in step S130. When the type of user information specified by the specifying unit 10 is acquired, the taint analysis unit 200 adds a taint tag to the user information (step S140).

  After the taint tag is assigned, the taint analysis unit 200 determines whether an API for transmitting information is called from the application (step S150). If the API that sends information is not called from the application, the information is not sent. In this case, the determination in step S130 is performed.

  When an API for transmitting information is called from an application, processing for transmitting information is executed. In this case, the taint analysis unit 200 determines whether or not a taint tag is added to the transmission target information designated by the application (step S160). When the taint tag is not added to the information to be transmitted, the information to be transmitted is not the information to be controlled. In this case, the control unit 201 permits transmission of information based on the determination result (step S180). If transmission of information is permitted, the execution unit 20 executes an API for transmitting information and returns an execution result to the application.

  When a taint tag is added to the transmission target information, the transmission target information is control target information. In this case, the control unit 201 determines whether or not the transmission destination of the information to be transmitted matches the transmission destination specified by the specifying unit 10 (step S170). For example, the control unit 201 determines whether or not the domain information included in the URL specified as the transmission destination of the information to be transmitted matches the domain information specified by the specifying unit 10. For example, when the URL specified as the transmission destination of the information to be transmitted is www.XXXX.com, the domain information is XXXX.com.

  When the transmission destinations match, the control unit 201 permits transmission of information (step S180). If transmission of information is permitted, the execution unit 20 executes an API for transmitting information and returns an execution result to the application. After the transmission of information is permitted, the determination in step S130 is performed.

  When the transmission destinations do not match, the control unit 201 rejects transmission of information (step S190). When the transmission of information is rejected, the execution unit 20 does not execute the API for transmitting information and returns the execution result to the application. After the transmission of information is rejected, the determination in step S130 is performed.

  The control unit 201 may output the determination result in step S170 to a log or the like. Thereby, it is possible to notify the analyst whether or not the application is operating in accordance with the privacy policy PP.

  As described above, according to the present embodiment, when a taint tag is assigned to the type of user information specified in the privacy policy PP, and the user information with the taint tag is transmitted, the privacy policy PP The transmission is permitted or denied depending on the destination specified in. As a result, the operation of the application can be controlled in accordance with the privacy policy PP. Further, information leakage can be prevented by performing control to permit or deny transmission according to the information transmission destination.

(Second Embodiment)
Next, a second embodiment of the present invention will be described. FIG. 5 shows the configuration of the taint analyzer 1a according to the present embodiment. As shown in FIG. 5, the taint analysis device 1 a includes a specifying unit 10 a and an execution unit 20. The execution unit 20 is the same as the execution unit 20 in the taint analysis apparatus 1 shown in FIG.

  The specifying unit 10 a includes a user information specifying unit 100, a transmission destination specifying unit 101, and a permission specifying unit 102. The permission specifying unit 102 specifies a permission related to acquisition of user information based on a manifest file MF including information on permission used by the application. The user information specifying unit 100 specifies the type of user information by determining whether or not the type of user information corresponding to the permission specified by the permission specifying unit 102 is included in the privacy policy PP. The transmission destination specifying unit 101 is the same as the transmission destination specifying unit 101 in the taint analysis apparatus 1 shown in FIG.

  FIG. 6 shows an operation procedure of the taint analyzing apparatus 1a. With reference to FIG. 6, the operation of the taint analyzer 1a will be described. Hereinafter, differences from the operation shown in FIG. 4 will be described.

  When the process is started, the permission specifying unit 102 analyzes the manifest file MF and specifies a permission related to acquisition of user information (step S200). On platforms that are configured to restrict API functions by permissions, there is a manifest file that contains information about the permissions used by the application. For example, in an application for Firefox (registered trademark), manifest.webapp, which is a file in an application package, is a manifest file.

  In Firefox (registered trademark), geolocation, contacts, device-storage: music, and device-storage: pictures are prepared as permissions for obtaining user information. geolocation is a permission related to acquisition of location information. contacts is a permission related to obtaining a contact. device-storage: music is a permission related to acquisition of music data. device-storage: pictures is a permission related to acquisition of image data.

  After the permission related to the acquisition of the user information is specified, the user information specifying unit 100 specifies the type of user information based on the privacy policy PP (step S101). At this time, the user information specifying unit 100 specifies the type of user information by determining whether or not the type of user information corresponding to the permission specified by the permission specifying unit 102 is included in the privacy policy PP. To do.

  For example, the user information specifying unit 100 has a list in which permission information is associated with types of user information related to the permission. The user information specifying unit 100 specifies the type of user information corresponding to the permission specified by the permission specifying unit 102 from the list. The user information specifying unit 100 determines whether or not the specified type of user information is included in the privacy policy PP. That is, the user information specifying unit 100 searches the privacy policy PP for the type of the specified user information. Further, since there is no permission corresponding to the cookie, the user information specifying unit 100 determines whether or not the cookie is acquired based on the privacy policy PP regardless of the permission specified by the permission specifying unit 102.

  After the user information is specified, the transmission destination is specified in step S110. The processing of step S101 and step S110 may be performed in the reverse order.

  According to the present embodiment, by searching the privacy policy PP for the type of user information corresponding to the permission specified by the permission specifying unit 102, the type of user information can be efficiently specified.

(Third embodiment)
Next, a third embodiment of the present invention will be described. FIG. 7 shows the configuration of the taint analyzer 1b according to the present embodiment. As shown in FIG. 7, the taint analysis device 1b includes a specifying unit 10b and an execution unit 20b.

  The specifying unit 10 b includes a user information specifying unit 100, a transmission destination specifying unit 101, and a processing process specifying unit 103. The privacy policy PP of the present embodiment includes information on processing for processing user information, in addition to the type of user information used by the service and the transmission destination of the user information. The processing processing specifying unit 103 specifies processing for processing user information based on the privacy policy PP. The user information specifying unit 100 is the same as the user information specifying unit 100 in the taint analyzing apparatus 1 shown in FIG. The transmission destination specifying unit 101 is the same as the transmission destination specifying unit 101 in the taint analysis apparatus 1 shown in FIG.

  The execution unit 20 b includes a taint analysis unit 200, a control unit 201, and a processing unit 202. The processing unit 202 executes the process specified by the specifying unit 10 on the user information when a process for acquiring the type of user information specified by the specifying unit 10 is executed by the application. The taint analysis unit 200 is the same as the taint analysis unit 200 in the taint analysis apparatus 1 shown in FIG. The control unit 201 is the same as the control unit 201 in the taint analysis apparatus 1 shown in FIG.

  For example, processing for processing user information includes hashing and obscuring. These processes are performed on the user information by the application in order to protect the privacy of the user. Hashing is often performed on user identification information (ID). Obfuscation is often performed on location information. Because the privacy of detailed address information is high, it is obscured. The ambiguity with respect to address information is a process of blurring the range of address information so that it becomes regional information such as city, ward, town, and village.

  Usually, an application developer adds the above-described processing code to the program of his application. For this reason, it is unclear whether the application developer has really added the processing code to the application program. Therefore, the user may feel uneasy about whether or not the processing is performed. For application developers, there may be a disadvantage that their application is not trusted.

  For this reason, in this embodiment, after the processing is specified based on the privacy policy PP, the taint analysis apparatus 1b performs the processing on the user information. This eliminates the need for an application developer to add a processing code to the program of his application. In addition, application developers can gain trust from users.

  FIG. 8 shows an operation procedure of the taint analyzing apparatus 1b. With reference to FIG. 8, the operation of the taint analyzer 1b will be described. Hereinafter, differences from the operation shown in FIG. 4 will be described.

  After the transmission destination is specified in step S110, the processing process specifying unit 103 specifies the processing process based on the privacy policy PP (step S300). Information on the identified processing is notified to the execution unit 20b. After the processing process is specified, the application is executed in step S120. The process of step S100, step S110, and step S300 may be performed in any order.

  In addition, after the taint tag is assigned in step S140, the processing unit 202 performs the processing specified by the processing specification unit 103 on the user information to which the taint tag is assigned (step S310). After the processing is performed, the determination in step S150 is performed. The process of step S140 and step S310 may be performed in the reverse order.

  FIG. 9 shows the contents of a privacy policy PP3 that is a third example of the privacy policy PP. As shown in FIG. 9, the privacy policy PP3 includes a user information type 170, a purpose of use 175, an entity 180 that uses the user information, and an acquisition method 185.

  The acquisition method 185 includes “encryption conversion” that is a character string indicating the processing. The processing process specifying unit 103 specifies that the processing process is encryption conversion based on the privacy policy PP3. Cryptographic conversion is a process similar to hashing, and is a process of encrypting information. In this example, the processing unit 202 performs cryptographic conversion on the user information to which the taint tag is assigned.

  The taint analysis device 1b may have a permission specifying unit 102 in the taint analysis device 1a shown in FIG.

  According to the present embodiment, the processing defined by the privacy policy PP can be reliably performed.

  As described above, the embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the above-described embodiments, and includes design changes and the like without departing from the gist of the present invention. .

1, 1a, 1b Tint analysis device 10, 10a, 10b identification unit 20, 20b execution unit 100 user information identification unit 101 transmission destination identification unit 102 permission identification unit 103 processing processing identification unit 200 taint analysis unit 201 control unit 202 processing processing Part

Claims (5)

Based on a privacy policy that includes a type of user information used by a service and a destination of the user information, a specifying unit that specifies the type of user information and the destination,
A taint tag is added to the user information when the process of acquiring the user information of the type specified by the specifying unit is executed by the application, and the process is transmitted when the process of transmitting information is executed by the application A taint analysis unit for determining whether or not the taint tag is attached to target information;
When it is determined that the taint tag is assigned, control for permitting or rejecting transmission depending on whether or not the transmission destination of the information to be transmitted matches the transmission destination specified by the specifying unit A control unit for performing
A taint analysis device comprising:   The identifying unit further identifies a permission related to acquisition of user information based on a manifest file including permission information used by the application, and the type of user information corresponding to the identified permission is the privacy policy. The taint analysis apparatus according to claim 1, wherein the type of the user information is specified by determining whether or not the user information is included. The privacy policy further includes processing information for processing the user information,
The specifying unit further specifies a process for processing the user information based on the privacy policy,
The taint analysis device further executes a process specified by the specifying unit for the user information when a process for acquiring the user information of the type specified by the specifying unit is executed by an application. The taint analysis device according to claim 1, further comprising: a processing unit that performs processing. A specifying step of specifying the type of user information and the destination based on a privacy policy including the type of user information used by the service and the destination of the user information;
A taint tag is added to the user information when the process of acquiring the user information of the type specified in the specifying step is executed by the application, and the process is transmitted when the process of transmitting information is executed by the application A taint analysis step for determining whether or not the taint tag is attached to the target information; and
When it is determined that the taint tag is attached, control for permitting or rejecting transmission depending on whether or not the transmission destination of the information to be transmitted matches the transmission destination specified in the specifying step A control step for performing
A taint analysis method characterized by comprising: A specifying step of specifying the type of user information and the destination based on a privacy policy including the type of user information used by the service and the destination of the user information;
A taint tag is added to the user information when the process of acquiring the user information of the type specified in the specifying step is executed by the application, and the process is transmitted when the process of transmitting information is executed by the application A taint analysis step for determining whether or not the taint tag is attached to the target information; and
When it is determined that the taint tag is attached, control for permitting or rejecting transmission depending on whether or not the transmission destination of the information to be transmitted matches the transmission destination specified in the specifying step A control step for performing
A program that causes a computer to execute.

Images