Finding Application Data Leaks with Privacy Scope


Privacy Scope analyzes unmodified application binaries as they run to accurately track the movement of sensitive data. It can detect when and where applications reveal sensitive data, to check that they respect security and privacy policies.

The Privacy Scope graphical user interface illustrates that it can track keyboard inputs, file reads/writes, and network activities (left). Privacy Scope tracks and updates the memory map as the sensitive input data is processed by the application. The highlighted region in the figure shows in real time where the sensitive data is being stored in the application's memory space (middle). It notifies the user immediately if any copies of the sensitive data are leaked to local files or sent to remote servers (right). The user can see the details of the leak in the last window.

Discovering leaks is difficult because applications encrypt, compress, or transform data internally. Privacy Scope uses dynamic taint analysis for precise information flow tracking.

Privacy Scope runs on Windows XP and has been successfully tested with real applications including Windows Notepad, Internet Explorer, and Yahoo! Messenger. To build our system, we developed and integrated a set of techniques that include: mixed instruction and function-level tainting; function summaries for efficiency and accuracy of application-only tainting; special semantics for corner-case instructions and kernel side-effects; and tainting on demand rather than at load time. The result is a comprehensive system that is efficient enough to track where sensitive information goes in large multi-threaded network applications. See our paper for detailed microbenchmarking results and an application study.
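The following toy tracker is an added illustration, not Privacy Scope's own code. It shows why taint tracking still flags a leak after the data has been transformed, and how instruction-level rules and a function summary can be mixed; the instruction set, addresses, labels and sample input are all hypothetical.

```python
# Added illustration, not Privacy Scope's code: a toy byte-level taint tracker.
# The instruction set, addresses, labels and sample input are all hypothetical.
class TaintVM:
    def __init__(self):
        self.mem, self.shadow = {}, {}   # addr -> byte, addr -> set of labels
        self.reg = {}                    # register -> (value, labels)
        self.leaks = []                  # (sink name, labels) per tainted write

    def source(self, addr, data, label):
        # Taint is introduced when sensitive bytes arrive from an input source.
        for i, b in enumerate(data):
            self.mem[addr + i], self.shadow[addr + i] = b, {label}

    def load(self, r, addr):
        self.reg[r] = (self.mem.get(addr, 0), set(self.shadow.get(addr, ())))

    def store(self, addr, r):
        val, labels = self.reg[r]
        self.mem[addr], self.shadow[addr] = val, set(labels)

    def xor_imm(self, r, k):
        # Instruction-level rule: the result keeps the operand's labels.
        val, labels = self.reg[r]
        self.reg[r] = (val ^ k, labels)

    def summary_copy(self, dst, src, n):
        # Function-level rule: a summary for a memcpy-like routine moves
        # labels in bulk instead of tracing every instruction inside it.
        for i in range(n):
            self.mem[dst + i] = self.mem.get(src + i, 0)
            self.shadow[dst + i] = set(self.shadow.get(src + i, ()))

    def sink(self, name, addr, n):
        labels = set().union(*(self.shadow.get(addr + i, set()) for i in range(n)))
        if labels:
            self.leaks.append((name, sorted(labels)))
        return bytes(self.mem.get(addr + i, 0) for i in range(n))

def demo():
    vm, secret = TaintVM(), b"hunter2"   # constructed sample input
    vm.source(0x1000, secret, "keyboard")
    for i in range(len(secret)):         # byte-wise XOR "encryption"
        vm.load("al", 0x1000 + i)
        vm.xor_imm("al", 0x5A)
        vm.store(0x2000 + i, "al")
    vm.summary_copy(0x3000, 0x2000, len(secret))   # copy into the send buffer
    sent = vm.sink("network_send", 0x3000, len(secret))
    vm.sink("file_write", 0x4000, 1)     # untainted address, nothing recorded
    return secret, sent, vm.leaks
```

The bytes that reach the network sink no longer contain the original string, so a content scan of the outgoing buffer would miss them, while the shadow labels still identify the keyboard as their origin.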


David Zhu