Computability classes for enforcement mechanisms

Hamlen, Kevin W.; Morrisett, Greg; Schneider, Fred B.

doi:10.1145/1111596.1111601

Cited by 168 publications

(163 citation statements)

References 28 publications

Supporting

Mentioning

162

Contrasting

Order By: Relevance

“…Precise characterizations of what can be enforced by monitoring have been studied in the literature (e.g., [44], [22]). Noninterference is a typical example of a policy that cannot be enforced precisely by dynamic mechanisms.…”

Section: Related Workmentioning

confidence: 99%

Dynamic vs. Static Flow-Sensitive Security Analysis

Russo

Sabelfeld

2010

2010 23rd IEEE Computer Security Foundations Symposium

155

216

View full text Add to dashboard Cite

Abstract-This paper seeks to answer fundamental questions about trade-offs between static and dynamic security analysis. It has been previously shown that flow-sensitive static information-flow analysis is a natural generalization of flowinsensitive static analysis, which allows accepting more secure programs. It has been also shown that sound purely dynamic information-flow enforcement is more permissive than static analysis in the flow-insensitive case. We argue that the step from flow-insensitive to flow-sensitive is fundamentally limited for purely dynamic information-flow controls. We prove impossibility of a sound purely dynamic information-flow monitor that accepts programs certified by a classical flow-sensitive static analysis. A side implication is impossibility of permissive dynamic instrumented security semantics for information flow, which guides us to uncover an unsound semantics from the literature. We present a general framework for hybrid mechanisms that is parameterized in the static part and in the reaction method of the enforcement (stop, suppress, or rewrite) and give security guarantees with respect to terminationinsensitive noninterference for a simple language with output.

show abstract

Section: Related Workmentioning

confidence: 99%

Dynamic vs. Static Flow-Sensitive Security Analysis

Russo

Sabelfeld

2010

2010 23rd IEEE Computer Security Foundations Symposium

155

216

View full text Add to dashboard Cite

show abstract

“…In this work the monitors watch the current execution sequence and halt the underlying program whenever it deviates from the desired property. Such security automata are able to enforce the class of safety properties [2], stating that something bad can never happen. Later, Viswanathan [3] noticed that the class of enforceable properties is impacted by the computational power of the enforcement monitor: since the enforcement mechanism cannot implement more than computable functions, only decidable properties can be enforced.…”

Section: Synthesizing Enforcement Monitors Wrt the Safety-progress Cmentioning

confidence: 99%

“…(1) stipulates that the sequence σ is transformed by A ↓ into a sequence o, (2) states that o satisfies the property ϕ, (3) ensures transparency of A ↓ , i.e. if σ satisfied already the property then it is not transformed, and (4) ensures in the case where σ does not satisfy ϕ that o is the longest prefix of σ satisfying the property.…”

Section: Definition 6 (Sequence Transformation) We Say Thatmentioning

confidence: 99%

Synthesizing Enforcement Monitors wrt. the Safety-Progress Classification of Properties

Falcone

Fernandez

Mounier

2008

Lecture Notes in Computer Science

View full text Add to dashboard Cite

“…Precise characterizations of what can be enforced by monitoring have been studied in the literature (e.g., [35,14]), where noninterference is discussed as an example of a policy that cannot be enforced precisely by dynamic mechanisms. However, the focus of this paper is on enforcing permissive yet safe approximations of noninterference.…”

Section: Introductionmentioning

confidence: 99%

On-the-fly inlining of dynamic security monitors

Magazinius

Russo

Sabelfeld

2012

Computers & Security

View full text Add to dashboard Cite

Abstract. Language-based information-flow security considers programs that manipulate pieces of data at different sensitivity levels. Securing information flow in such programs remains an open challenge. Recently, considerable progress has been made on understanding dynamic monitoring for secure information flow. This paper presents a framework for inlining dynamic information-flow monitors. A novel feature of our framework is the ability to perform inlining on the fly. We consider a source language that includes dynamic code evaluation of strings whose content might not be known until runtime. To secure this construct, our inlining is done on the fly, at the string evaluation time, and, just like conventional offline inlining, requires no modification of the hosting runtime environment. We present a formalization for a simple language to show that the inlined code is secure: it satisfies a noninterference property. We also discuss practical considerations and preliminary experimental results.

show abstract

Computability classes for enforcement mechanisms

Cited by 168 publications

References 28 publications

Dynamic vs. Static Flow-Sensitive Security Analysis

Dynamic vs. Static Flow-Sensitive Security Analysis

Synthesizing Enforcement Monitors wrt. the Safety-Progress Classification of Properties

On-the-fly inlining of dynamic security monitors

Contact Info

Product

Resources

About