Automated End-to-End Dynamic Taint Analysis for WhatsApp

被引：0

作者：

Cela, Sopot ^{[1
]}

Ciancone, Andrea ^{[1
]}

Gustafsson, Per ^{[1
]}

Hajdu, Akos ^{[1
]}

Jia, Yue ^{[1
]}

Kapus, Timotej ^{[1
]}

Koshtenko, Maksym ^{[1
]}

Lewis, Will ^{[1
]}

Mao, Ke ^{[1
]}

Martac, Dragos ^{[1
]}

机构：

[1] Meta, London, England

来源：

COMPANION PROCEEDINGS OF THE 32ND ACM INTERNATIONAL CONFERENCE ON THE FOUNDATIONS OF SOFTWARE ENGINEERING, FSE COMPANION 2024 | 2024年

关键词：

Taint analysis; simulation; testing;

D O I：

10.1145/3663529.3663824

中图分类号：

TP31 [计算机软件];

学科分类号：

081202 ; 0835 ;

摘要：

Taint analysis aims to track data flows in systems, with potential use cases for security, privacy and performance. This paper describes an end-to-end dynamic taint analysis solution for WhatsApp. We use exploratory UI testing to generate realistic interactions and inputs, serving as data sources on the clients and then we track data propagation towards sinks on both client and server sides. Finally, a reporting pipeline localizes tainted flows in the source code, applies deduplication, fllters false positives based on production call sites, and files tasks to code owners. Applied to WhatsApp, our approach found 89 flows that were fixed by engineers, and caught 50% of all privacy-related flows that required escalation, including instances that would have been diffcult to uncover by conventional testing.

引用

页码：21 / 26

页数：6

共 50 条

[1] Security Analysis of the WhatsApp End-to-End Encrypted Backup Protocol
Davies, Gareth T.
Faller, Sebastian
Gellert, Kai
Handirk, Tobias
Hesse, Julia
Horvath, Mate
Jager, Tibor
ADVANCES IN CRYPTOLOGY - CRYPTO 2023, PT IV, 2023, 14084 : 330 - 361
[2] A secured, automated, and dynamic end-to-end service level negotiation
Chalouf, M. A.
Krief, F.
CONCURRENCY AND COMPUTATION-PRACTICE & EXPERIENCE, 2013, 25 (02): : 180 - 202
[3] aPEAch: Automated Pipeline for End-to-End Analysis of Epigenomic and Transcriptomic Data
Xiropotamos, Panagiotis
Papageorgiou, Foteini
Manousaki, Haris
Sinnis, Charalampos
Antonatos, Charalabos
Vasilopoulos, Yiannis
Georgakilas, Georgios K.
BIOLOGY-BASEL, 2024, 13 (07):
[4] Pipe(line) Dreams: Fully Automated End-to-End Analysis and Visualization
Beasley, Cole
Abouzied, Azza
WORKSHOP ON HUMAN-IN-THE-LOOP DATA ANALYTICS, HILDA 2024, 2024,
[5] An Automated End-to-End Side Channel Analysis Based on Probabilistic Model
Hwang, Jeonghwan
Yoon, Ji Won
APPLIED SCIENCES-BASEL, 2020, 10 (07):
[6] End-to-End Automated Guided Modular Vehicle
Curiel-Ramirez, Luis A.
Ramirez-Mendoza, Ricardo A.
Bautista-Montesano, Rolando
Rogelio Bustamante-Bello, M.
Gonzalez-Hernandez, Hugo G.
Reyes-Avedano, Jorge A.
Cortes Gallardo-Medina, Edgar
APPLIED SCIENCES-BASEL, 2020, 10 (12):
[7] Survey on Automated End-to-End Data Science?
Bouneffouf, Djallel
Aggarwal, Charu
Samulowitz, Horst
Buesser, Beat
Thanh Hoang
Khurana, Udayan
Liu, Sijia
Pedapati, Tejaswini
Ram, Parikshit
Rawat, Ambrish
Wistuba, Martin
Gray, Alexander
2020 INTERNATIONAL JOINT CONFERENCE ON NEURAL NETWORKS (IJCNN), 2020,
[8] SapFix: Automated End-to-End Repair at Scale
Marginean, A.
Bader, J.
Chandra, S.
Harman, M.
Jia, Y.
Mao, K.
Mols, A.
Scott, A.
2019 IEEE/ACM 41ST INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING: SOFTWARE ENGINEERING IN PRACTICE (ICSE-SEIP 2019), 2019, : 269 - 278
[9] End-to-End Automated Verification for OS Kernels
Ding, Jizheng
Zhu, Xiaoran
Guo, Jian
Li, Xin
Yan, Rongkun
2018 25TH ASIA-PACIFIC SOFTWARE ENGINEERING CONFERENCE (APSEC 2018), 2018, : 139 - 148
[10] More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema
Roesler, Paul
Mainka, Christian
Schwenk, Joerg
2018 3RD IEEE EUROPEAN SYMPOSIUM ON SECURITY AND PRIVACY (EUROS&P 2018), 2018, : 415 - 429

← 1 2 3 4 5 →