Dynamic security labels and static information flow control

Zheng, Lantian; Myers, Andrew C.

doi:10.1007/s10207-007-0019-9

Cited by 84 publications

(57 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We would like to explore connections with other dynamic approaches-e.g., languages that propagate dynamic labels [44], [36] and provenance metadata. We hope that these languages will suggest mechanisms for enforcing security properties at finer levels of granularity than our current, static, approach can track.…”

Section: Future Workmentioning

confidence: 99%

Updatable Security Views

Foster

Pierce

Zdancewic

2009

2009 22nd IEEE Computer Security Foundations Symposium

View full text Add to dashboard Cite

Security views are a flexible and effective mechanism for controlling access to confidential information. Rather than allowing untrusted users to access source data directly, they are instead provided with are restricted view, from which all confidential information has been removed. The program that generates the view effectively embodies a confidentiality policy for the underlying source data. However, this approach has a significant drawback: it prevents users from updating the data in the view. To address the "view update problem" in general, a number of bidirectional languages have been proposed. Programs in these languages -often called lenses -can be run in two directions: read from left to right, they map sources to views; from right to left,they map updated views back to updated sources. However, existing bidirectional languages do not deal adequately with security. In particular, they do not provide a way to ensure the integrity of source data as it is manipulated by untrusted users of the view. We propose a novel framework of secure lenses that addresses these shortcomings. We enrich the types of basic lenses with equivalence relations capturing notions of confidentiality and integrity, and formulate the essential security conditions as non-interference properties. We then instantiate this framework in the domain of string transformations, developing syntax for bidirectional string combinators with security-annotated regular expressions as their types.Keywords authorisation, formal languages, access control, bidirectional language, bidirectional string combinator, confidential information, confidentiality policy, noninterference property, secure lenses, security views, security-annotated regular expression, source data access, view update problem, Security views, confidentiality, information flow, integrity, lenses, regular types, view update This material is posted here with permission of the IEEE. Such permission of the IEEE does not in any way imply IEEE endorsement of any of the University of Pennsylvania's products or services. Internal or personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution must be obtained from the IEEE by writing to pubs-permissions@ieee.org. By choosing to view this document, you agree to all provisions of the copyright laws protecting it. AbstractSecurity views are a flexible and effective mechanism for controlling access to confidential information. Rather than allowing untrusted users to access source data directly, they are instead provided with a restricted view, from which all confidential information has been removed. The program that generates the view effectively embodies a confidentiality policy for the underlying source data. However, this approach has a significant drawback: it prevents users from updating the data in the view.To address the "view update problem" in general, a number of bidirectional langu...

show abstract

Section: Future Workmentioning

confidence: 99%

Updatable Security Views

Foster

Pierce

Zdancewic

2009

2009 22nd IEEE Computer Security Foundations Symposium

View full text Add to dashboard Cite

show abstract

“…Because the object alias initialization is executed only once, we can assign the document object to any variable that would denote the same data location. This kind of programs is rejected by static analysis tools like JIF [3].…”

Section: Challengesmentioning

confidence: 99%

Preventing Client Side XSS with Rewrite Based Dynamic Information Flow

Xiao

Sun

Chen

et al. 2014

2014 Sixth International Symposium on Parallel Architectures, Algorithms and Programming

View full text Add to dashboard Cite

This paper presents the design and implementation of an information flow tracking framework based on code rewrite to prevent sensitive information leaks in browsers, combining the ideas of taint and information flow analysis. Our system has two main processes. First, it abstracts the semantic of JavaScript code and converts it to a general form of intermediate representation on the basis of JavaScript abstract syntax tree. Second, the abstract intermediate representation is implemented as a special taint engine to analyze tainted information flow. Our approach can ensure fine-grained isolation for both confidentiality and integrity of information. We have implemented a proof-of-concept prototype, named JSTFlow, and have deployed it as a browser proxy to rewrite web applications at runtime. The experiment results show that JSTFlow can guarantee the security of sensitive data and detect XSS attacks with about 3x performance overhead. Because it does not involve any modifications to the target system, our system is readily deployable in practice.

show abstract

“…RELATED WORK In recent papers security labels [10][20] [21] have been the most used concept in DLP. There is a difference between labels and tags from this work.…”

Section: Helper Command Implementationmentioning

confidence: 99%

A Host Based Method for Data Leak Protection by Tracking Sensitive Data Flow

Petković

Popović

Basicevic

et al. 2012

2012 IEEE 19th International Conference and Workshops on Engineering of Computer-Based Systems

View full text Add to dashboard Cite

This paper describes a method for data leak protection (DLP) based on tracking sensitive information as it flows inside file system on a host. The method is based on the idea that every flow from sensitive to non-sensitive object increases the security level of the target object to that of the source object. Any process which reads an object that contains sensitive data automatically itself becomes tagged as sensitive. When a process gets tagged, all subsequent write operations to any object make target objects also tagged. Any process created by a tagged process is also tagged. By spreading tags over all objects touched by a sensitive process, we have a guarantee that no one bit of sensitive information resides in a nonsensitive objects. Using any software tool to process a sensitive object results in a new sensitive object, this prevents bypassing security mechanisms. All objects tagged as sensitive are checked before being transferred out of the host according to security policy. The main goal of this method is to prevent covert channels for information leakage which use steganography, data modification, compression or encryption. It is implemented in Linux OS as a kernel module. It works with legacy applications, since all changes are on OS level.

show abstract

Dynamic security labels and static information flow control

Cited by 84 publications

References 32 publications

Updatable Security Views

Updatable Security Views

Preventing Client Side XSS with Rewrite Based Dynamic Information Flow

A Host Based Method for Data Leak Protection by Tracking Sensitive Data Flow

Contact Info

Product

Resources

About