Inference of Expressive Declassification Policies

Vaughan, Jeffrey A.; Chong, Stephen

doi:10.1109/sp.2011.20

Cited by 27 publications

(19 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Vaughan and Chong [57] use a data-flow analysis to infer expressive information security policies that describe what sensitive information may be revealed by a program. King et al [29], Pottier and Conchon [43], Smith and Thober [51], and the Jif compiler [40,41] all perform various forms of type inference for security-typed languages.…”

Section: Related Workmentioning

confidence: 99%

Exploring and enforcing security guarantees via program dependence graphs

et al. 2015

Self Cite

View full text Add to dashboard Cite

We present PIDGIN, a program analysis and understanding tool that enables the specification and enforcement of precise applicationspecific information security guarantees. PIDGIN also allows developers to interactively explore the information flows in their applications to develop policies and investigate counter-examples.PIDGIN combines program dependence graphs (PDGs), which precisely capture the information flows in a whole application, with a custom PDG query language. Queries express properties about the paths in the PDG; because paths in the PDG correspond to information flows in the application, queries can be used to specify global security policies.PIDGIN is scalable. Generating a PDG for a 330k line Java application takes 90 seconds, and checking a policy on that PDG takes under 14 seconds. The query language is expressive, supporting a large class of precise, application-specific security guarantees. Policies are separate from the code and do not interfere with testing or development, and can be used for security regression testing.We describe the design and implementation of PIDGIN and report on using it: (1) to explore information security guarantees in legacy programs; (2) to develop and modify security policies concurrently with application development; and (3) to develop policies based on known vulnerabilities.

show abstract

Section: Related Workmentioning

confidence: 99%

Exploring and enforcing security guarantees via program dependence graphs

et al. 2015

Self Cite

View full text Add to dashboard Cite

show abstract

“…In [25], leaks are inferred automatically and expressed in a human-readable security policy language helping programmers to decide whether the program is secure or not, however it can not give concrete counterexamples that could suggest further corrections. Counterexamples can be used not only to generate executable exploits as in our approach, but also to refine declassification policies quantifying the leakage [3,1].…”

Section: Related Workmentioning

confidence: 99%

Exploit Generation for Information Flow Leaks in Object-Oriented Programs

Huy

Bubel

Hähnle

2015

ICT Systems Security and Privacy Protection

View full text Add to dashboard Cite

Abstract. We present a method to generate automatically exploits for information flow leaks in object-oriented programs. Our approach combines self-composition and symbolic execution to compose an insecurity formula for a given information flow policy and a specification of the security level of the program locations. The insecurity formula gives then rise to a model which is used to generate input data for the exploit. A prototype tool called KEG implementing the described approach for Java programs has been developed, which generates exploits as executable JUnit tests.

show abstract

“…Askarov and Sabelfeld [4] study a declassification framework specifying what and where data is released. Vaughan and Chong [46] infer declassification policies for Java programs.…”

Section: Related Workmentioning

confidence: 99%

Faceted execution of policy-agnostic programs

Austin

Yang

Flanagan

et al. 2013

Proceedings of the Eighth ACM SIGPLAN Workshop on Programming Languages and Analysis for Security

View full text Add to dashboard Cite

It is important for applications to protect sensitive data. Even for simple confidentiality and integrity policies, it is often difficult for programmers to reason about how the policies should interact and how to enforce policies across the program. A promising approach is policy-agnostic programming, a model that allows the programmer to implement policies separately from core functionality. Yang et al. describe Jeeves [48], a programming language that supports information flow policies describing how to reveal sensitive values in different output channels. Jeeves uses symbolic evaluation and constraint-solving to produce outputs adhering to the policies. This strategy provides strong confidentiality guarantees but limits expressiveness and implementation feasibility.We extend Jeeves with faceted values [6], which exploit the structure of sensitive values to yield both greater expressiveness and to facilitate reasoning about runtime behavior. We present a faceted semantics for Jeeves and describe a model for propagating multiple views of sensitive information through a program. We provide a proof of termination-insensitive non-interference and describe how the semantics facilitate reasoning about program behavior.

show abstract

Inference of Expressive Declassification Policies

Cited by 27 publications

References 32 publications

Exploring and enforcing security guarantees via program dependence graphs

Exploring and enforcing security guarantees via program dependence graphs

Exploit Generation for Information Flow Leaks in Object-Oriented Programs

Faceted execution of policy-agnostic programs

Contact Info

Product

Resources

About