DOI: 10.1145/1814217.1814220
research-article

Permissive dynamic information flow analysis

Published: 10 June 2010

ABSTRACT

A key challenge in dynamic information flow analysis is handling implicit flows, where code conditional on a private variable updates a public variable x. The naive approach of upgrading x to private results in x being partially leaked: its value contains private data, but its label might remain public on an alternative execution (one in which the conditional update was not performed). Prior work proposed the no-sensitive-upgrade check, which handles implicit flows by prohibiting partially leaked data, but any attempt to update a public variable from a private context causes execution to get stuck.

To overcome this limitation, we develop a sound yet flexible permissive-upgrade strategy. To prevent information leaks, partially leaked data is permitted but carefully tracked to ensure that it is never totally leaked. This permissive-upgrade strategy is more flexible than prior approaches such as the no-sensitive-upgrade check.

Under the permissive-upgrade strategy, partially leaked data must be marked as private before being used in a conditional test, thereby ensuring that it is private for both the current execution as well as alternate execution paths. This paper also presents a dynamic analysis technique for inferring these privatization operations and inserting them into the program source code. The combination of these techniques allows more programs to run to completion, while still guaranteeing termination-insensitive non-interference in a purely dynamic manner.
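The three policies contrasted in the abstract, worked through on the standard implicit-flow laundering program (x = y = False; if h: x = True; if not x: y = True). This is an added Python illustration, not code from the paper, and its monitor is a deliberate simplification of the paper's semantics: the labels L, P and H are joined in the assumed order L < P < H, a `Stuck` exception models a halted execution, the `<H>x` privatization is expressed as a `privatize` set consulted at every branch, and the `infer` flag sketches the privatization-inference idea by recording, instead of halting, each variable whose test saw a P label.

```python
"""Toy dynamic information-flow monitor contrasting naive upgrade,
no-sensitive-upgrade (NSU) and permissive upgrade with a partially
leaked label P.  Constructed illustration; not the paper's formal semantics."""
from contextlib import contextmanager
from dataclasses import dataclass, field

L, P, H = "L", "P", "H"          # public, partially leaked, private
RANK = {L: 0, P: 1, H: 2}        # assumed join order for this toy: L < P < H


def join(a, b):
    return a if RANK[a] >= RANK[b] else b


class Stuck(Exception):
    """Raised when the monitor halts execution rather than risk a leak."""


@dataclass
class Monitor:
    policy: str                                  # "naive" | "nsu" | "permissive"
    privatize: set = field(default_factory=set)  # variables tested as <H>x
    infer: bool = False                          # record needed <H>x instead of halting
    env: dict = field(default_factory=dict)      # variable -> (value, label)
    pc: str = L                                  # label of the current control context

    def assign(self, x, value, label=L):
        old_label = self.env.get(x, (None, L))[1]
        new_label = join(label, self.pc)
        if self.pc == H and old_label != H:       # sensitive upgrade of a non-private variable
            if self.policy == "nsu":
                raise Stuck(f"NSU: write to {x}@{old_label} in a private context")
            if self.policy == "permissive":
                new_label = P                    # private here, possibly public in another run
        self.env[x] = (value, new_label)

    @contextmanager
    def branch(self, x):
        """Model `if x:` -- yield x's value and raise pc for the duration of the block."""
        value, label = self.env[x]
        if x in self.privatize:
            label = H                            # <H>x: private on every execution path
        elif label == P:
            if not self.infer:
                raise Stuck(f"{x} is partially leaked and cannot steer a branch")
            self.privatize.add(x)                # inference: remember that <H>x is needed here
            label = H
        saved, self.pc = self.pc, join(self.pc, label)
        try:
            yield value
        finally:
            self.pc = saved


def leak_program(m, h):
    """x = y = False; if h: x = True; if not x: y = True -- returns y as (value, label),
    or ("stuck", reason) when the monitor halts."""
    m.assign("h", h, H)
    m.assign("x", False)
    m.assign("y", False)
    try:
        with m.branch("h") as taken:
            if taken:
                m.assign("x", True)
        with m.branch("x") as x:
            if not x:
                m.assign("y", True)
    except Stuck as why:
        return ("stuck", str(why))
    return m.env["y"]


def run(policy, h, privatize=()):
    return leak_program(Monitor(policy, set(privatize)), h)


def infer_privatizations(policy="permissive"):
    """Run both secrets in inference mode; the returned set is what a source
    rewriter would wrap in <H>...> (here: {"x"})."""
    needed = set()
    for h in (True, False):
        leak_program(Monitor(policy, needed, infer=True), h)
    return needed


def totally_leaked(r1, r2):
    """True when both runs leave y public (label L) with different values, i.e. an
    observer who reads only public values can tell the two secrets apart."""
    return r1[1] == L and r2[1] == L and r1[0] != r2[0]


if __name__ == "__main__":
    for policy in ("naive", "nsu", "permissive"):
        print(f"{policy:10} h=True -> {run(policy, True)}  h=False -> {run(policy, False)}")
    needed = infer_privatizations()
    print("privatize", needed, run("permissive", True, needed), run("permissive", False, needed))
```

Under the naive policy the two runs end with y public but different (False when h is true, True when h is false), a total leak of h. NSU halts the h-true run at the write to x. The permissive monitor lets that write through with label P and halts only when x is about to steer the second test; once `<H>x` is applied, y ends public in one run and partially leaked in the other, so the value that tracks h never carries the public label. The privatization has to apply on both paths, not just when x currently carries P: privatizing only P-labeled values would leave the h-false run with y public and restore the leak, which is why the abstract insists the marking holds for alternate execution paths as well.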


Published in

PLAS '10: Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security
June 2010, 77 pages
ISBN: 9781605588278
DOI: 10.1145/1814217

          Copyright © 2010 ACM

          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rate: overall, 43 of 77 submissions (56%)
