Landon Cox | Duke University

SpanDex at USENIX Security

We just posted our upcoming paper on SpanDex, which will be presented at USENIX Security ’14 in August.

SpanDex prevents malicious mobile apps from phishing users' passwords by ensuring that a password can only be forwarded to trusted servers. The primary technical challenge addressed by SpanDex is precise, sound, and efficient handling of implicit information flows (e.g., information transferred by a program’s control flow). The long-standing problem of implicit flows is one of my favorites in computer security. It’s an incredibly hard problem (probably impossible to solve in the general case), but I think we’ve made a nice little contribution with this paper. Prior approaches to tracking implicit flows either ignored these flows altogether (e.g., TaintDroid), allowing malicious code to easily leak sensitive information, or induced overtainting in non-malicious apps so that nearly all messages appeared to leak sensitive information.

The key observation underlying SpanDex is that most branching on sensitive data transfers very little secret information. For example, mobile apps typically only branch on password characters to perform simple formatting checks. The aggregate information revealed through these implicit flows is almost always that a password is well formatted, and disclosing that a password is well formatted poses no threat to a user.

Using this observation, SpanDex handles implicit flows by borrowing techniques from symbolic execution to precisely quantify the amount of information a process’ control flow reveals about a secret. So long as an execution path reveals only a safe amount of information (e.g., that a password is well formatted), SpanDex does not track the influence of implicit flows on a program's state and thus avoids overtainting. At the same time, quantifying the amount of information revealed through implicit flows during execution allows SpanDex to prevent a malicious app from using control flow to leak passwords. To apply these techniques at runtime without sacrificing performance, SpanDex runs untrusted code in a data-flow sensitive sandbox that limits the mix of operations that an app can perform on sensitive data.
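To make the quantification idea concrete, here is a small added example (my own illustration, not SpanDex's implementation or any code from the paper). It models the path constraints that branching on a secret accumulates as predicates over a constructed toy password space, counts how many secrets remain consistent with a path, and converts that count into bits revealed and into the number of guesses an attacker who observed the path would still need. The 4-character, 16-symbol password space, the `max_bits` safety threshold and the constraint helpers are all assumptions chosen to keep the brute-force count cheap; SpanDex's actual constraint solving and thresholds are described in the paper, not here.

```python
import math
from itertools import product

# Constructed toy secret space: 4-character passwords over 8 letters and 8
# digits, so there are 16**4 = 65536 candidates and exhaustive counting is cheap.
ALPHABET = "abcdefgh01234567"
LENGTH = 4
UNIVERSE = ["".join(p) for p in product(ALPHABET, repeat=LENGTH)]


# A path constraint is a predicate the secret must satisfy for the observed
# control-flow path to have been taken.  Two kinds matter for the argument:
# a benign formatting check, and a branch that pins down one character.
def has_digit(pw):
    """Branch taken by a typical 'password must contain a digit' check."""
    return any(c.isdigit() for c in pw)


def char_equals(i, ch):
    """Branch whose outcome reveals that character i of the secret equals ch."""
    return lambda pw: pw[i] == ch


def consistent_secrets(constraints):
    """All secrets in the universe that satisfy every accumulated constraint."""
    return [pw for pw in UNIVERSE if all(c(pw) for c in constraints)]


def bits_revealed(constraints):
    """Information (in bits) the path discloses: log2 of the shrink in the
    candidate set.  A path no secret satisfies cannot have been observed, so
    that case is reported as an error rather than as infinite leakage."""
    n = len(consistent_secrets(constraints))
    if n == 0:
        raise ValueError("infeasible path: no secret satisfies the constraints")
    return math.log2(len(UNIVERSE)) - math.log2(n)


def guesses_remaining(constraints):
    """Worst-case login attempts an attacker who saw this path still needs."""
    return len(consistent_secrets(constraints))


def path_is_safe(constraints, max_bits=4.0):
    """Policy decision: leakage at or below max_bits (an assumed threshold)
    is treated as harmless, so implicit-flow taint need not be propagated."""
    return bits_revealed(constraints) <= max_bits


# Path 1: the app only checked that the password contains a digit.
FORMAT_CHECK = [has_digit]

# Path 2: control flow depended on the exact value of the first two characters.
CHAR_PROBE = [char_equals(0, "a"), char_equals(1, "b")]


if __name__ == "__main__":
    for name, path in (("format check", FORMAT_CHECK), ("char probe", CHAR_PROBE)):
        print(f"{name}: {bits_revealed(path):.3f} bits revealed, "
              f"{guesses_remaining(path)} guesses remain, safe={path_is_safe(path)}")
```

The formatting check leaves 61440 of 65536 candidates (about 0.09 bits revealed), so propagating taint from it would only overtaint; the character probe leaves 256 candidates (8 bits), which the policy rejects. The per-path "guesses remaining" figure is the same quantity the paper's evaluation reports as login attempts needed to guess a password.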

Experiments with a SpanDex prototype for Android using 50 popular apps and an analysis of a large list of leaked passwords predict that for 90% of users, an attacker would need over 80 login attempts to guess their password. Today the same attacker would need only one attempt for all users.