Scalable Compositional Static Taint Analysis for Sensitive Data Tracing on Industrial Micro-Services

Zhong, Z; Liu, J; Wu, D; Di, P; Sui, Y; Liu, AX; Lui, JCS

Scalable Compositional Static Taint Analysis for Sensitive Data Tracing on Industrial Micro-Services

Zhong, Z Liu, J Wu, D Di, P Sui, Y

Liu, AX Lui, JCS

Permalink

Publisher:: IEEE
Publication Type:: Conference Proceeding
Citation:: 2023 IEEE/ACM 45th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP), 2023, pp. 110-121
Issue Date:: 2023-07-11

Recently Added

	Filename	Description	Size
	Scalable_Compositional_Static_Taint_Analysis_for_Sensitive_Data_Tracing_on_Industrial_Micro-Services.pdf	Published version	860.23 kB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Open Access

This item is new to OPUS and is not currently available.

Full metadata record

Field	Value	Language
dc.contributor.author	Zhong, Z
dc.contributor.author	Liu, J
dc.contributor.author	Wu, D
dc.contributor.author	Di, P
dc.contributor.author	Sui, Y https://orcid.org/0000-0002-9510-6574
dc.contributor.author	Liu, AX
dc.contributor.author	Lui, JCS
dc.date	2023-05-14
dc.date.accessioned	2024-06-25T03:05:56Z
dc.date.available	2024-06-25T03:05:56Z
dc.date.issued	2023-07-11
dc.identifier.citation	2023 IEEE/ACM 45th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP), 2023, pp. 110-121
dc.identifier.isbn	979-8-3503-0037-6
dc.identifier.issn	2832-7640
dc.identifier.issn	2832-7659
dc.identifier.uri	http://hdl.handle.net/10453/179640
dc.description.abstract	In recent years there has been an increasing demand for sensitive data tracing for industrial microservices these include change of governance data breach detection to data consistency validation As an information tracking technique Taint analysis is widely used to address these demands This paper aims to share our experience in developing a scalable static taint analyzer on sensitive data tracing for large scale industrial microservices Although several taint analyzers have been proposed for Java applications our experiments show that existing approaches are inefficient and or ineffective in terms of low recall precision rates for analyzing large scale industrial microservices Instead we present CFTaint a compositional field based taint analyzer to address the challenges for popular microservices running on industrial Fintech applications CFTaint improves scalability by using a fast compositional function summary which summarizes the data propagation of each function during the on the fly taint analysis CFTaint also uses a novel filed based algorithm to analyze the taint propagation based on specified sensitive fields to reduce false negatives Our field based algorithm maximizes the soundness of our approach even when the taint tracking is performed on an unsound call graph Furthermore we also propose an efficient code transformation method to model the behaviours of the containers which allows our analysis to trace data propagation in a container environment Experiments on numerous production microservices demonstrate the high recall 96 09 rates and precision 93 51 for tracing sensitive data of CFTaint with low time complexity 121 73 seconds
dc.language	en
dc.publisher	IEEE
dc.relation.ispartof	2023 IEEE/ACM 45th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)
dc.relation.ispartof	IEEE/ACM International Conference on Software Engineering: Software Engineering in Practice
dc.relation.ispartofseries	International Conference on Software Engineering-Software Engineering in Practice Track
dc.relation.isbasedon	10.1109/icse-seip58684.2023.00015
dc.rights	info:eu-repo/semantics/restrictedAccess
dc.title	Scalable Compositional Static Taint Analysis for Sensitive Data Tracing on Industrial Micro-Services
dc.type	Conference Proceeding
utslib.location.activity	Melbourne, Australia
pubs.organisational-group	University of Technology Sydney
pubs.organisational-group	University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	University of Technology Sydney/Strength - AAII - Australian Artificial Intelligence Institute
pubs.organisational-group	University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
utslib.copyright.status	recently_added	*
pubs.consider-herdc	false
dc.date.updated	2024-06-25T03:05:54Z
pubs.finish-date	2023-05-20
pubs.place-of-publication	Piscataway, USA
pubs.publication-status	Published
pubs.start-date	2023-05-14
dc.location	Piscataway, USA

Abstract:

In recent years there has been an increasing demand for sensitive data tracing for industrial microservices these include change of governance data breach detection to data consistency validation As an information tracking technique Taint analysis is widely used to address these demands This paper aims to share our experience in developing a scalable static taint analyzer on sensitive data tracing for large scale industrial microservices Although several taint analyzers have been proposed for Java applications our experiments show that existing approaches are inefficient and or ineffective in terms of low recall precision rates for analyzing large scale industrial microservices Instead we present CFTaint a compositional field based taint analyzer to address the challenges for popular microservices running on industrial Fintech applications CFTaint improves scalability by using a fast compositional function summary which summarizes the data propagation of each function during the on the fly taint analysis CFTaint also uses a novel filed based algorithm to analyze the taint propagation based on specified sensitive fields to reduce false negatives Our field based algorithm maximizes the soundness of our approach even when the taint tracking is performed on an unsound call graph Furthermore we also propose an efficient code transformation method to model the behaviours of the containers which allows our analysis to trace data propagation in a container environment Experiments on numerous production microservices demonstrate the high recall 96 09 rates and precision 93 51 for tracing sensitive data of CFTaint with low time complexity 121 73 seconds

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/179640