ABSTRACT
Event-based communication is a major source of power and flexibility for today's applications. For example, in the context of a web browser, the dynamism of user experience is driven by events: fine-grained interaction of the user with a web application triggers events reactively handled by JavaScript code. This paper explores channels for leaking sensitive information through constructs in a reactive language. We propose a general and realizable security framework for preventing information leaks in a reactive setting with such features as new handler creation and hierarchical event structures. While prior work largely takes an all-or-nothing approach to information flows due to intermediate output, our framework tightly regulates the bandwidth of such flows: at most log(n + 1) bits are allowed to be released, where n is the number of public inputs to the program. We gain flexibility from distinguishing between the security levels of message existence and content. A combination of flow-sensitive analysis and buffering output enables us to enforce security without being overly restrictive.