USENIX Security '21 - FlowDist: Multi-Staged Refinement-Based Dynamic Information Flow Analysis for Distributed Software Systems
Xiaoqin Fu and Haipeng Cai, Washington State University, Pullman, WA
Dynamic information flow analysis (DIFA) supports various security applications such as malware analysis and vulnerability discovery. Yet traditional DIFA approaches have limited utility for distributed software due to applicability, portability, and scalability barriers. We present FlowDist, a DIFA for common distributed software that overcomes these challenges. FlowDist works at purely application level to avoid platform customizations hence achieve high portability. It infers implicit, interprocess dependencies from global partially ordered execution events to address applicability to distributed software. Most of all, it introduces a multi-staged refinement-based scheme for application-level DIFA, where an otherwise expensive data flow analysis is reduced by method-level results from a cheap pre-analysis, to achieve high scalability while remaining effective. Our evaluation of FlowDist on 12 real-world distributed systems against two peer tools revealed its superior effectiveness with practical efficiency and scalability. It has found 18 known and 24 new vulnerabilities, with 17 confirmed and 2 fixed. We also present and evaluate two alternative designs of FlowDist for both design justification and diverse subject accommodations.
View the full USENIX Security '21 Program at https://www.usenix.org/conference/usenixsecurity21/technical-sessions