DOI: 10.1145/2166956.2166960
Research article

Limiting information leakage in event-based communication

Published: 05 June 2011

ABSTRACT

Event-based communication is a major source of power and flexibility for today's applications. For example, in the context of a web browser, the dynamism of user experience is driven by events: fine-grained interaction of the user with a web application triggers events reactively handled by JavaScript code. This paper explores channels for leaking sensitive information through constructs in a reactive language. We propose a general and realizable security framework for preventing information leaks in a reactive setting with such features as new handler creation and hierarchical event structures. While prior work largely takes an all-or-nothing approach to information flows due to intermediate output, our framework tightly regulates the bandwidth of such flows: at most log(n + 1) bits are allowed to be released, where n is the number of public inputs to the program. We gain flexibility from distinguishing between the security levels of message existence and content. A combination of flow-sensitive analysis and buffering output enables us to enforce security without being overly restrictive.
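The bandwidth claim in the abstract can be made concrete with a small simulation. The following JavaScript is an added illustration, not code from the paper or its extended version, and the all-or-nothing monitor it uses is an assumption of the illustration rather than the paper's enforcement mechanism. It models a single-threaded event loop in which a handler that diverges blocks every later event, so the only thing an attacker learns from a secret-dependent stall is how many of the n public inputs were handled before it. That gives n + 1 distinguishable output traces, hence at most log2(n + 1) bits. By contrast, a handler that copies the secret into message content leaks without bound unless output content labelled secret is blocked on the public channel; the names `PublicChannel`, `progressLeaker` and `contentLeaker` are invented for the example.

```javascript
// Added illustration of the log2(n + 1) bound for secret-dependent progress
// in an event loop, versus an unbounded content channel. Not the paper's code.

// Public output channel. Every message carries a content level ('L' or 'H').
// When enforcing, H-labelled content on the public channel stops the program.
class PublicChannel {
  constructor(enforce = true) {
    this.enforce = enforce;
    this.trace = []; // what the attacker observes
  }
  send(content, level) {
    if (this.enforce && level === 'H') {
      throw new Error('blocked: secret-dependent content on public channel');
    }
    this.trace.push(content);
  }
}

// Single-threaded event loop: handlers run to completion one at a time. A
// handler that diverges (returns false here) never hands control back, so no
// later event is processed and the attacker sees only the outputs so far.
function runEventLoop(handler, publicInputs, enforce = true) {
  const chan = new PublicChannel(enforce);
  try {
    for (const ev of publicInputs) {
      const progressed = handler(ev, chan);
      if (!progressed) break; // simulated divergence
    }
  } catch (e) {
    // monitor halted the program; observable only as a shorter trace
  }
  return chan.trace;
}

// Program A: output content is public; the only secret-dependent behaviour is
// the point at which the handler stalls (after `secret` events).
function progressLeaker(secret) {
  let handled = 0;
  return (ev, chan) => {
    if (handled >= secret) return false;
    chan.send(`ack:${ev}`, 'L');
    handled++;
    return true;
  };
}

// Program B: copies the secret into the message content (content level H).
function contentLeaker(secret) {
  return (ev, chan) => {
    chan.send(`ack:${ev}:${secret}`, 'H');
    return true;
  };
}

const range = (k) => Array.from({ length: k }, (_, i) => i);

// Number of distinct public traces over a set of candidate secrets, for n
// constructed public input events e0..e(n-1).
function countTraces(makeHandler, secrets, n, enforce = true) {
  const inputs = range(n).map((i) => `e${i}`);
  const seen = new Set();
  for (const s of secrets) {
    seen.add(JSON.stringify(runEventLoop(makeHandler(s), inputs, enforce)));
  }
  return seen.size;
}

// Progress channel: secrets larger than n all look alike, so n + 1 traces.
function progressTraceCount(n) {
  return countTraces(progressLeaker, range(n + 8), n);
}

// Content channel: one trace per secret value when unmonitored, one trace
// total (the program is stopped at its first output) when monitored.
function contentTraceCount(n, enforce) {
  return countTraces(contentLeaker, range(256), n, enforce);
}

// Bits learned by the attacker = log2(number of distinguishable traces).
function leakedBits(traceCount) {
  return Math.log2(traceCount);
}
```

Running `leakedBits(progressTraceCount(7))` yields 3 bits for 8 public inputs, matching log2(n + 1), while `leakedBits(contentTraceCount(2, false))` yields 8 bits for an 8-bit secret after only two events. The point of separating the existence level from the content level, as the abstract describes, is that the first channel is tolerable and bounded while the second must be closed.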


Published in

PLAS '11: Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security, June 2011, 89 pages. ISBN: 9781450308304. DOI: 10.1145/2166956.

Copyright © 2011 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States

Overall acceptance rate: 43 of 77 submissions, 56%
