Anomalous Taint Detection

Software security has become an increasing necessity for guaranteeing, as much as possible, the correctness of computer systems. A number of techniques have been developed over the past two decades to mitigate software vulnerabilities. Learning-based anomaly detection techniques have been pursued for many years due to their ability to detect a broad range of attacks, including novel attacks. More recently, taint-tracking techniques (also known as information-flow techniques) have become popular due to their high accuracy and the ability to detect a broad range of attacks. We believe that the discriminating power of anomaly detectors can be improved by combining them with fine-grained taint analysis. To this end, we propose anomalous taint detection, an approach which couples taint analysis and learning-based anomaly detection approaches to automatically infer taint-enhanced security policies, while keeping false positives low and increasing the accuracy of the underlying models. The intuitive justification for this is that an attack involves a combination of a vulnerability, and an attackers ability to exercise this vulnerability. Anomaly detection techniques detect behavioral deviations that occur when a vulnerability (targeted by an attack) is exercised. Fine-grained taint information provides clues about the ability of the attacker to exercise this vulnerability. We developed a prototype implementation of our approach which showed that is effective to provide protection from data attacks as well as memory errors which corrupt code pointers. False positives rate are discussed as well.