Phosphor: Illuminating Dynamic 
Data Flow in Commodity JVMs 
Jonathan Bell and Gail Kaiser 
Columbia University, New York, NY USA 
Fork me on Github 
OOPSLA 2014 @_jon_bell_ October 22, 2014
Dynamic Data Flow Analysis: 
Taint Tracking 
[Diagram: Inputs → Application → Outputs. A flagged (“tainted”) input yields output that is derived from tainted input.]
Taint Tracking: Applications 
• End-user privacy testing: Does this application 
send my personal data to remote servers? 
• SQL injection attack avoidance: Do SQL queries 
contain raw user input?
• Debugging: Which inputs are relevant to the 
current (crashed) application state? 
Qualities of a Successful Analysis
• Soundness: No data leakage!
• Precision: Data is tracked with the right tag
• Performance: Minimal slowdowns
• Portability: No special hardware, OS, or JVM
“Normal” Taint Tracking 
• Associate tags with data, then propagate the tags 
• Approaches: 
• Operating System modifications [Vandebogart ’07], 
[Zeldovich ’06] 
• Language interpreter modifications [Chandra ’07], 
[Enck ’10], [Nair ’07], [Son ’13] 
• Source code modifications [Lam ’06], [Xu ’06]
• Binary instrumentation of applications [Clause ’07], 
[Cheng ’06], [Kemerlis ’12] 
Hard to be sound, precise, and performant 
Not portable 
Phosphor 
• Leverages benefits of interpreter-based approaches (information about variables) while remaining fully portable
• Instruments all byte code that runs in the JVM (including the JRE API) to track taint tags
• Adds a shadow variable for each variable
• Adds propagation logic
Key contribution: 
How do we efficiently store meta-data 
for every variable without modifying the 
JVM itself? 
JVM Type Organization 
• Primitive Types 
• int, long, char, byte, etc. 
• Reference Types 
• Arrays, instances of classes 
• All reference types are assignable to 
java.lang.Object 
Phosphor’s taint tag storage
Type | Local variable | Method argument | Return value | Operand stack | Field
Object | Stored as a field of the object (applies to all columns)
Object array | Stored as a field of each object (applies to all columns)
Primitive | Shadow variable | Shadow argument | "Boxed" | Below the value on stack | Shadow field
Primitive array | Shadow array variable | Shadow array argument | "Boxed" | Array below value on stack | Shadow array field
Taint Propagation 
• Modify all byte code instructions to be taint-aware 
by adding extra instructions 
• Examples: 
• Arithmetic -> combine tags of inputs 
• Load variable to stack -> Also load taint tag to 
stack 
• Modify method calls to pass taint tags 
Two big problems
Challenge 1: Type Mayhem
[Diagram: JVM types and whether a value of that type has an extra (shadow) variable]
• Primitive Types: Always has extra variable
• Primitive Arrays (instanceof java.lang.Object): Always has extra variable!
• Instances of classes (Objects) (instanceof java.lang.Object): Never has extra variable!
• java.lang.Object: Sometimes has extra variable!
Challenge 1: Type Mayhem
Original code:
    byte[] array = new byte[5];
    Object ret = array;
    return ret;
Instrumented code:
    int[] array_tag = new int[5];
    byte[] array = new byte[5];
    Object ret = new TaintedByteArray(array_tag,array);
Solution 1: Box taint tag with array when we lose type information
Challenge 2: Native Code
We can’t instrument everything!
Challenge 2: Native Code
    // Application method: byte code, can be instrumented
    public int hashCode() {
        return super.hashCode() * field.hashCode();
    }
    // Native method: no byte code to instrument
    public native int hashCode();
Solution: Wrappers. Rename every method, and leave a wrapper behind
    public TaintedInt hashCode$$wrapper() {
        return new TaintedInt(0, hashCode());
    }
Challenge 2: Native Code
Wrappers work both ways: native code can still call a method with the old signature
    public int[] someMethod(byte in)
    {
        return someMethod$$wrapper(0, in).val;
    }
    public TaintedIntArray someMethod$$wrapper(int in_tag, byte in)
    {
        //The original method "someMethod", but with taint tracking
    }
Design Limitations 
• Tracking through native code 
• Return value’s tag becomes combination of all 
parameters (heuristic); not found to be a problem 
in our evaluation 
• Tracks explicit data flow only (not through control 
flow) 
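The storage and propagation scheme from the slides, written out by hand as an added example (not code from the talk or from Phosphor): shadow tag variables, boxing on upcast, a wrapper around a native-style method, and the implicit-flow gap. The class name, the `taint` field, the tag constants and bitwise OR as the tag-combining operation are assumptions.

```java
// Added illustration, not Phosphor's code: hand-written Java shaped like the
// instrumented code on the slides. The class name, the "taint" field, the tag
// constants and the use of bitwise OR to combine tags are assumptions.
public class ShadowTaintDemo {
    // Boxed return types, named as on the slides (tag + value in one object).
    static final class TaintedInt {
        final int taint;
        final int val;
        TaintedInt(int taint, int val) { this.taint = taint; this.val = val; }
    }

    static final class TaintedByteArray {
        final int[] taint; // one tag per element
        final byte[] val;
        TaintedByteArray(int[] taint, byte[] val) { this.taint = taint; this.val = val; }
    }

    static final int TAG_PASSWORD = 1; // constructed tag bits
    static final int TAG_LOCATION = 2;

    // Original: int add(int a, int b) { int sum = a + b; return sum; }
    // Each primitive gets a shadow variable; arithmetic combines the input tags.
    static TaintedInt add$$wrapper(int a_tag, int a, int b_tag, int b) {
        int sum_tag = a_tag | b_tag;
        int sum = a + b;
        return new TaintedInt(sum_tag, sum); // primitive return value is boxed with its tag
    }

    // Old signature left behind for callers that were never instrumented.
    static int add(int a, int b) {
        return add$$wrapper(0, a, 0, b).val;
    }

    // Storing a byte[] as Object loses the static type, so the shadow array
    // can no longer travel beside it: box both into one reference.
    static Object upcast(int[] array_tag, byte[] array) {
        return new TaintedByteArray(array_tag, array);
    }

    static int elementTag(Object o, int index) {
        return (o instanceof TaintedByteArray) ? ((TaintedByteArray) o).taint[index] : 0;
    }

    // Stand-in for a native method: no byte code, so nothing to instrument.
    static int opaque(int x, int y) {
        return Integer.rotateLeft(x, 3) ^ y;
    }

    // Heuristic from the Design Limitations slide: the result carries the
    // combination of all parameter tags, whatever the native code really did.
    static TaintedInt opaque$$wrapper(int x_tag, int x, int y_tag, int y) {
        return new TaintedInt(x_tag | y_tag, opaque(x, y));
    }

    // Implicit flow: "out" equals the secret bit, but it is only ever assigned
    // untainted constants, so explicit-flow tracking returns tag 0.
    static TaintedInt leakByBranch$$wrapper(int secret_tag, int secret) {
        int out_tag = 0;
        int out = 0;
        if ((secret & 1) == 1) {
            out_tag = 0; // tag of the constant 1
            out = 1;
        }
        return new TaintedInt(out_tag, out);
    }

    public static void main(String[] args) {
        TaintedInt sum = add$$wrapper(TAG_PASSWORD, 40, TAG_LOCATION, 2);
        System.out.println("add: val=" + sum.val + " tag=" + sum.taint);

        System.out.println("add via old signature: " + add(40, 2));

        int[] array_tag = new int[5];
        byte[] array = new byte[5];
        array_tag[3] = TAG_PASSWORD; // only element 3 is tainted
        Object ret = upcast(array_tag, array);
        System.out.println("element tags: [3]=" + elementTag(ret, 3) + " [0]=" + elementTag(ret, 0));

        TaintedInt mixed = opaque$$wrapper(TAG_LOCATION, 7, 0, 9);
        System.out.println("native result tag=" + mixed.taint);

        TaintedInt leaked = leakByBranch$$wrapper(TAG_PASSWORD, 1);
        System.out.println("implicit flow: val=" + leaked.val + " tag=" + leaked.taint);
    }
}
```

The last call is the case to watch when using explicit-flow tracking for leak detection: the value depends on the secret, but its tag says it does not.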
Evaluation 
• Soundness & Precision 
• Performance 
• Portability 
Soundness & Precision 
• DroidBench - series of unit tests for Java taint 
tracking 
• Passed all except for implicit flows (intended 
behavior) 
Performance 
• Macrobenchmarks (DaCapo, Scalabench) 
• Microbenchmarks 
• Versus TaintDroid [Enck, 2010] on CaffeineMark 
• Versus Trishul [Nair, 2008] on JavaGrande 
Macrobenchmarks
Phosphor Relative Runtime Overhead (Hotspot 7)
Average: 53.3%
[Bar chart: Relative Runtime Overhead (axis 0% to 250%) per benchmark in the dacapo and scalabench suites: avrora, batik, eclipse, fop, h2, jython, luindex, lusearch, pmd, sunflow, tomcat, tradebeans, tradesoap, xalan, actors, apparat, factorie, kiama, scaladoc, scalap, scalariform, scalatest, scalaxb, specs, tmt]
Macrobenchmarks
Phosphor Relative Memory Overhead (Hotspot 7)
Average: 270.9%
[Bar chart: Relative Memory Overhead (axis 0% to 900%) per benchmark in the dacapo and scalabench suites, same benchmarks as the runtime chart]
Microbenchmarks
Phosphor (Hotspot 7) and Trishul Relative Overhead
[Bar chart: Relative Runtime Overhead (axis 0% to 120%) for the microbenchmarks Arithmetic, Assign, Cast, Create, Exception, Loop, Math, Method, Serial; legend: Phosphor, Trishul, Kaffe]
Microbenchmarks: Taintdroid
• Taintdroid: Taint tracking for Android’s Dalvik VM [Enck, 2010]
• Not very precise: one tag per array (not per array element!)
• Applied Phosphor to Android!
Microbenchmarks
Phosphor and Taintdroid Relative Overhead
[Bar chart: Relative Runtime Overhead (axis 0% to 200%) for the benchmarks String Buffer, Sieve, Method, Loop, Logic, Float, with an "Array-heavy benchmarks" annotation; legend: Taintdroid 4.3, Phosphor (Android 4.3)]
Portability
JVM | Version(s) | Success?
Oracle (Hotspot) | 1.7.0_45, 1.8.0_0 | Yes
OpenJDK | 1.7.0_45, 1.8.0_0 | Yes
Android Dalvik | 4.3.1 | Yes
Apache Harmony | 6.0M3 | Yes
Kaffe VM | 1.1.9 | Yes
Jikes RVM | 3.1.3 | No, but may be possible with more work
Future Work & Extension 
• This is a general approach for tracking metadata 
with variables in unmodified JVMs 
• Could track any sort of data in principle 
• We have already extended this approach to track 
path constraints on inputs 
Fork me on Github 
Phosphor: Illuminating Dynamic 
Data Flow in Commodity JVMs 
Jonathan Bell and Gail Kaiser 
Columbia University 
jbell@cs.columbia.edu @_jon_bell_ 
https://github.com/Programming-Systems-Lab/Phosphor 
[Badge: OOPSLA AEC Artifact Evaluated: Consistent, Complete, Well Documented, Easy to Reuse]

Presentation Vikram Lander by Vedansh Gupta.pptx
 
SAMASTIPUR CALL GIRL 7857803690 LOW PRICE ESCORT SERVICE
SAMASTIPUR CALL GIRL 7857803690  LOW PRICE  ESCORT SERVICESAMASTIPUR CALL GIRL 7857803690  LOW PRICE  ESCORT SERVICE
SAMASTIPUR CALL GIRL 7857803690 LOW PRICE ESCORT SERVICE
 
Formation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksFormation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disks
 
Animal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptxAnimal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptx
 
SCIENCE-4-QUARTER4-WEEK-4-PPT-1 (1).pptx
SCIENCE-4-QUARTER4-WEEK-4-PPT-1 (1).pptxSCIENCE-4-QUARTER4-WEEK-4-PPT-1 (1).pptx
SCIENCE-4-QUARTER4-WEEK-4-PPT-1 (1).pptx
 
GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)
 
Biological Classification BioHack (3).pdf
Biological Classification BioHack (3).pdfBiological Classification BioHack (3).pdf
Biological Classification BioHack (3).pdf
 
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
 

Phosphor: Illuminating Dynamic Data Flow in Commodity JVMs

  • 1. Phosphor: Illuminating Dynamic Data Flow in Commodity JVMs Jonathan Bell and Gail Kaiser Columbia University, New York, NY USA Fork me on Github OOPSLA 2014 @_jon_bell_ October 22, 2014
  • 2. Dynamic Data Flow Analysis: Taint Tracking
      [Diagram: Inputs → Application → Outputs, highlighting a flagged (“tainted”) input and the output that is derived from tainted input]
  • 3. Taint Tracking: Applications
      • End-user privacy testing: Does this application send my personal data to remote servers?
      • SQL injection attack avoidance: Do SQL queries contain raw user input?
      • Debugging: Which inputs are relevant to the current (crashed) application state?
  • 4. Qualities of a Successful Analysis
  • 5. Soundness: No data leakage!
  • 6. Precision: Data is tracked with the right tag
  • 7. Performance: Minimal slowdowns
  • 8. Portability: No special hardware, OS, or JVM
  • 9. “Normal” Taint Tracking
      • Associate tags with data, then propagate the tags
      • Approaches:
          • Operating System modifications [Vandebogart ’07], [Zeldovich ’06]
          • Language interpreter modifications [Chandra ’07], [Enck ’10], [Nair ’07], [Son ’13]
          • Source code modifications [Lam ’06], [Xu ’06]
          • Binary instrumentation of applications [Clause ’07], [Cheng ’06], [Kemerlis ’12]
      Hard to be sound, precise, and performant. Not portable.
  • 10. Phosphor
      • Leverages the benefits of interpreter-based approaches (information about variables) while remaining fully portable
      • Instruments all byte code that runs in the JVM (including the JRE API) to track taint tags
      • Adds a variable for each variable
      • Adds propagation logic
  • 11. Key contribution: How do we efficiently store meta-data for every variable without modifying the JVM itself?
  • 12. JVM Type Organization
      • Primitive Types
          • int, long, char, byte, etc.
      • Reference Types
          • Arrays, instances of classes
          • All reference types are assignable to java.lang.Object
  • 13. Phosphor’s taint tag storage
      • Object: stored as a field of the object
      • Object array: stored as a field of each object
      • Primitive:
          • Local variable: shadow variable
          • Method argument: shadow argument
          • Return value: "boxed"
          • Operand stack: below the value on stack
          • Field: shadow field
      • Primitive array:
          • Local variable: shadow array variable
          • Method argument: shadow array argument
          • Return value: "boxed"
          • Operand stack: array below value on stack
          • Field: shadow array field
  • 14. Taint Propagation
      • Modify all byte code instructions to be taint-aware by adding extra instructions
      • Examples:
          • Arithmetic -> combine tags of inputs
          • Load variable to stack -> also load taint tag to stack
      • Modify method calls to pass taint tags
  • 15. Two big problems
  • 16. Challenge 1: Type Mayhem
      [Diagram: type hierarchy annotated with whether a type carries an extra variable]
      • java.lang.Object: sometimes has extra variable!
      • Instances of classes (Objects), instanceof java.lang.Object: never has extra variable!
      • Primitive arrays, instanceof java.lang.Object: always has extra variable!
      • Primitive types: always has extra variable
  • 17. Challenge 1: Type Mayhem
      Original code:
          byte[] array = new byte[5];
          Object ret = array;
          return ret;
      With taint tracking:
          int[] array_tag = new int[5];
          byte[] array = new byte[5];
          Object ret = new TaintedByteArray(array_tag,array);
      Solution 1: Box taint tag with array when we lose type information
  • 18. Challenge 2: Native Code
      We can’t instrument everything!
  • 19. Challenge 2: Native Code
          public int hashCode() {
              return super.hashCode() * field.hashCode();
          }
          public native int hashCode();
      Solution: Wrappers. Rename every method, and leave a wrapper behind
  • 20. Challenge 2: Native Code
          public int hashCode() {
              return super.hashCode() * field.hashCode();
          }
          public native int hashCode();
      Solution: Wrappers. Rename every method, and leave a wrapper behind
          public TaintedInt hashCode$$wrapper() {
              return new TaintedInt(0, hashCode());
          }
  • 21. Challenge 2: Native Code
      Wrappers work both ways: native code can still call a method with the old signature
          public int[] someMethod(byte in)
  • 22. Challenge 2: Native Code
      Wrappers work both ways: native code can still call a method with the old signature
          public int[] someMethod(byte in)
          public TaintedIntArray someMethod$$wrapper(int in_tag, byte in) {
              //The original method "someMethod", but with taint tracking
          }
  • 23. Challenge 2: Native Code
      Wrappers work both ways: native code can still call a method with the old signature
          public int[] someMethod(byte in) {
              return someMethod$$wrapper(0, in).val;
          }
          public TaintedIntArray someMethod$$wrapper(int in_tag, byte in) {
              //The original method "someMethod", but with taint tracking
          }
  • 25. Design Limitations
      • Tracking through native code
          • Return value’s tag becomes combination of all parameters (heuristic); not found to be a problem in our evaluation
      • Tracks explicit data flow only (not through control flow)
  • 26. Evaluation
      • Soundness & Precision
      • Performance
      • Portability
  • 27. Soundness & Precision
      • DroidBench - series of unit tests for Java taint tracking
      • Passed all except for implicit flows (intended behavior)
  • 28. Performance
      • Macrobenchmarks (DaCapo, Scalabench)
      • Microbenchmarks
          • Versus TaintDroid [Enck, 2010] on CaffeineMark
          • Versus Trishul [Nair, 2008] on JavaGrande
  • 29. Macrobenchmarks: Phosphor Relative Runtime Overhead (Hotspot 7). Average: 53.3%
      [Bar chart: relative runtime overhead per benchmark for the dacapo and scalabench suites]
  • 30. Macrobenchmarks: Phosphor Relative Memory Overhead (Hotspot 7). Average: 270.9%
      [Bar chart: relative memory overhead per benchmark for the dacapo and scalabench suites]
  • 31. Microbenchmarks: Phosphor (Hotspot 7) and Trishul Relative Overhead
      [Bar chart: relative runtime overhead for the Arithmetic, Assign, Cast, Create, Exception, Loop, Math, Method and Serial microbenchmarks; series: Phosphor, Trishul]
  • 32. Microbenchmarks: Phosphor (Hotspot 7) and Trishul Relative Overhead
      [Bar chart: relative runtime overhead for the Arithmetic, Assign, Cast, Create, Exception, Loop, Math, Method and Serial microbenchmarks; series: Phosphor, Trishul, Kaffe]
  • 33. Microbenchmarks: TaintDroid
      • TaintDroid: Taint tracking for Android’s Dalvik VM [Enck, 2010]
      • Not very precise: one tag per array (not per array element!)
      • Applied Phosphor to Android!
  • 34. Microbenchmarks: Phosphor and TaintDroid Relative Overhead
      [Bar chart: relative runtime overhead for the String Buffer, Sieve, Method, Loop, Logic and Float benchmarks, with the array-heavy benchmarks marked; series: TaintDroid 4.3, Phosphor (Android 4.3)]
  • 35. Portability
      JVM | Version(s) | Success?
      Oracle (Hotspot) | 1.7.0_45, 1.8.0_0 | Yes
      OpenJDK | 1.7.0_45, 1.8.0_0 | Yes
      Android Dalvik | 4.3.1 | Yes
      Apache Harmony | 6.0M3 | Yes
      Kaffe VM | 1.1.9 | Yes
      Jikes RVM | 3.1.3 | No, but may be possible with more work
  • 36. Future Work & Extension
      • This is a general approach for tracking metadata with variables in unmodified JVMs
      • Could track any sort of data in principle
      • We have already extended this approach to track path constraints on inputs
  • 38. Phosphor: Illuminating Dynamic Data Flow in Commodity JVMs
      Jonathan Bell and Gail Kaiser, Columbia University
      jbell@cs.columbia.edu, @_jon_bell_
      Fork me on Github: https://github.com/Programming-Systems-Lab/Phosphor
      [Badge: OOPSLA AEC Artifact Evaluated * Consistent * Complete * Well Documented * Easy to Reuse]
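
Slides 13, 14, 17 and 23 describe shadow variables, tag combination, boxing on loss of type information, and wrappers. The following is an added example, not Phosphor's own code: it writes by hand what a method could look like after such instrumentation. The `checksum` and `asObject` methods, the tag bit values, the `taint` field name and the use of bitwise OR to combine tags are assumptions.

```java
// Added illustration, not Phosphor source: hand-written Java in the shape the slides describe.
// Assumption: a tag is an int bit set and tags are combined with bitwise OR.
public class ShadowTagDemo {
    static final int PASSWORD = 1, LOCATION = 2;   // constructed tag bits

    // Boxes named on the slides; the field name "taint" is an assumption ("val" is on slide 23).
    static final class TaintedInt {
        final int taint, val;
        TaintedInt(int taint, int val) { this.taint = taint; this.val = val; }
    }
    static final class TaintedByteArray {
        final int[] taint; final byte[] val;
        TaintedByteArray(int[] taint, byte[] val) { this.taint = taint; this.val = val; }
    }

    // Original (hypothetical) method: int checksum(byte a, byte b) { return a + b; }
    // Each primitive argument gains a shadow argument; the primitive return value is boxed.
    static TaintedInt checksum$$wrapper(int a_tag, byte a, int b_tag, byte b) {
        int sum = a + b;
        int sum_tag = a_tag | b_tag;               // arithmetic: combine the tags of the inputs
        return new TaintedInt(sum_tag, sum);
    }
    // Method left behind under the old signature for callers that carry no tags (native code).
    static int checksum(byte a, byte b) { return checksum$$wrapper(0, a, 0, b).val; }

    // Original (hypothetical) method: Object asObject(byte[] data) { return data; }
    // The static type byte[] is lost on the upcast, so the shadow array is boxed with the value.
    static Object asObject(int[] data_tag, byte[] data) {
        return new TaintedByteArray(data_tag, data);
    }

    public static void main(String[] args) {
        byte[] buf = {10, 20, 30};
        int[] buf_tag = {PASSWORD, 0, LOCATION};   // shadow array: one tag per element

        TaintedInt both = checksum$$wrapper(buf_tag[0], buf[0], buf_tag[2], buf[2]);
        TaintedInt clean = checksum$$wrapper(buf_tag[1], buf[1], 0, (byte) 1);
        System.out.println("tainted sum: " + both.val + " tag=" + both.taint);
        System.out.println("clean sum:   " + clean.val + " tag=" + clean.taint);
        System.out.println("untagged caller sees: " + checksum(buf[0], buf[2]));

        TaintedByteArray boxed = (TaintedByteArray) asObject(buf_tag, buf);
        System.out.println("element 2: " + boxed.val[2] + " tag=" + boxed.taint[2]);
    }
}
```

Because the shadow array holds one tag per element, the sum of the two tagged elements carries both tags while the sum built from the untagged element stays clean, which is the per-element precision slide 33 contrasts with one tag per array.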
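
Slide 25 limits tracking to explicit data flow, and slide 27 reports implicit flows as the only DroidBench cases not passed. This added example, not taken from the slides or from Phosphor, models the value and tag pair by hand to show what that boundary means when reading a result; the method names and the tag bit are assumptions.

```java
// Added illustration, not Phosphor source: the value/tag pairing is modelled by hand.
public class ImplicitFlowDemo {
    static final int SECRET = 1;                   // constructed tag bit

    // Explicit flow: out is computed from in, so out's tag is derived from in's tag.
    // Returns { tag, value }.
    static int[] explicitCopy(int in_tag, int in) {
        int out = in;
        int out_tag = in_tag;
        return new int[] { out_tag, out };
    }

    // Implicit flow: in only decides which branch runs. Every value stored into out is a
    // constant with tag 0, so explicit-only propagation leaves out untagged.
    static int[] branchCopy(int in_tag, int in) {
        int out = 0, out_tag = 0;
        for (int bit = 0; bit < 8; bit++) {
            if ((in & (1 << bit)) != 0) {          // tag of the condition is not propagated
                out |= (1 << bit);
                out_tag |= 0;                      // tag of the constant operand
            }
        }
        return new int[] { out_tag, out };
    }

    public static void main(String[] args) {
        int[] a = explicitCopy(SECRET, 0x5A);
        int[] b = branchCopy(SECRET, 0x5A);
        System.out.println("explicit: val=" + a[1] + " tag=" + a[0]);
        System.out.println("implicit: val=" + b[1] + " tag=" + b[0]);
    }
}
```

Both methods return the same value, but only the first keeps the tag, so an untagged value at a sink shows the absence of an explicit data flow, not independence from the tagged input.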