research-article

Multiple Facets for Dynamic Information Flow with Exceptions

Published: 10 May 2017

Abstract

JavaScript is the source of many security problems, including cross-site scripting attacks and malicious advertising code. Central to these problems is the fact that code from untrusted sources runs with full privileges. Information flow controls help prevent violations of data confidentiality and integrity.

This article explores faceted values, a mechanism for providing information flow security in a dynamic manner that avoids the stuck executions of some prior approaches, such as the no-sensitive-upgrade technique. Faceted values simultaneously simulate multiple executions for different security levels to guarantee termination-insensitive noninterference. We also explore the interaction of faceted values with exceptions, declassification, and clearance.
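The following JavaScript is an added illustration of the mechanism the abstract describes; it is not code from the paper or from its implementation. It models a toy faceted-value evaluator under several simplifying assumptions: a single principal k over a two-point lattice, values that are JS primitives, and statements written as closures that receive the current program-counter label. A faceted value carries two views of one value (what k sees and what the public sees); a branch on a faceted condition runs both branches, each under the label of the view it belongs to, so an assignment inside the branch splits the variable instead of halting the program the way no-sensitive-upgrade would. Exceptions raised in only one view are carried as a facet of errors so that the handler runs only in that view. The treatment of exceptions, declassification and clearance here is a simplification and should not be read as the paper's semantics.

```javascript
'use strict';
// Added example, not the paper's own code: a toy faceted-value evaluator for a
// single principal "k" over a two-point lattice (assumptions: one label, values
// are JS primitives, statements are closures). A Facet carries two views of a
// value: what principal k sees (hi) and what the public sees (lo). The program
// counter label pc is "k" inside k's view of a branch on secret data, "!k"
// inside the public view, and null when control flow depends on no secret.

class Facet {
  constructor(hi, lo) { this.hi = hi; this.lo = lo; }
}
const isFacet = v => v instanceof Facet;

// The value observed from view pc; raw values look the same to every view.
function project(v, pc) {
  if (!isFacet(v)) return v;
  if (pc === 'k') return project(v.hi, pc);
  if (pc === '!k') return project(v.lo, pc);
  return v;
}

// Value produced by writing vNew under pc: the view outside the current branch
// keeps what it already had (vOld), so the write never leaks into it.
function mkFacet(pc, vNew, vOld) {
  if (pc === null) return vNew;
  return pc === 'k'
    ? new Facet(vNew, project(vOld, '!k'))
    : new Facet(project(vOld, 'k'), vNew);
}

// Lift a binary operator over facets view by view.
function binop(f, a, b) {
  if (!isFacet(a) && !isFacet(b)) return f(a, b);
  return new Facet(
    binop(f, project(a, 'k'), project(b, 'k')),
    binop(f, project(a, '!k'), project(b, '!k')));
}

// Variable store: name -> (possibly faceted) value.
function assign(store, pc, x, v) {
  store.set(x, mkFacet(pc, v, store.get(x)));
}

// An exception raised in only some views travels as a facet of errors.
class FacetedThrow extends Error {
  constructor(facet) { super('faceted exception'); this.facet = facet; }
}
function guard(fn) { try { fn(); return null; } catch (e) { return e; } }

// if-statement. A faceted condition makes BOTH branches run, each under the
// pc of the view it belongs to; the store records the split, nothing gets stuck.
function facetedIf(pc, cond, thenFn, elseFn = () => {}) {
  const c = project(cond, pc);
  if (!isFacet(c)) return (c ? thenFn : elseFn)(pc);
  const hiErr = guard(() => (c.hi ? thenFn : elseFn)('k'));
  const loErr = guard(() => (c.lo ? thenFn : elseFn)('!k'));
  if (hiErr || loErr) throw new FacetedThrow(new Facet(hiErr, loErr));
}

// try/catch. The handler runs only in the views where something was thrown;
// the other views simply continue after the try block.
function facetedTry(pc, body, handler) {
  try { body(pc); } catch (e) {
    if (!(e instanceof FacetedThrow)) return handler(pc, e);
    if (e.facet.hi) handler('k', e.facet.hi);
    if (e.facet.lo) handler('!k', e.facet.lo);
  }
}

// Constructed demo program, written with the helpers above:
//   secret = true as k sees it, false as the public sees it
//   y = 0; if (secret) y = 1;                          -- implicit flow
//   x = 0; try { if (secret) throw e } catch { x = 1 } -- flow through an exception
//   z = y + 1                                          -- explicit flow from a facet
function demo() {
  const store = new Map();
  const secret = new Facet(true, false);
  assign(store, null, 'y', 0);
  facetedIf(null, secret, pc => assign(store, pc, 'y', 1));
  assign(store, null, 'x', 0);
  facetedTry(null,
    pc => facetedIf(pc, secret, () => { throw new Error('boom'); }),
    pc => assign(store, pc, 'x', 1));
  assign(store, null, 'z', binop((a, b) => a + b, store.get('y'), 1));
  const view = pc => Object.fromEntries([...store].map(([n, v]) => [n, project(v, pc)]));
  return { publicView: view('!k'), kView: view('k') };
}

console.log(demo()); // public view: { y: 0, x: 0, z: 1 }; k's view: { y: 1, x: 1, z: 2 }
```

The point to check in the output is that the public view of every variable is exactly what a run with `secret = false` would have produced, even though the `throw` and the assignments guarded by `secret` did execute in k's view. A real monitor must also decide what happens when a faceted exception escapes the enclosing `try` and how the label of code after the handler is tracked; those cases are not modelled here.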



Published in

ACM Transactions on Programming Languages and Systems, Volume 39, Issue 3
September 2017
196 pages
ISSN: 0164-0925
EISSN: 1558-4593
DOI: 10.1145/3092741

          Copyright © 2017 ACM

          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 10 May 2017
• Accepted: 1 December 2016
• Revised: 1 November 2016
• Received: 1 October 2015
