On-the-fly Inlining of Dynamic Security Monitors

2010 23rd IEEE Computer Security Foundations Symposium

2010

Self Cite

155

216

Abstract-This paper seeks to answer fundamental questions about trade-offs between static and dynamic security analysis. It has been previously shown that flow-sensitive static information-flow analysis is a natural generalization of flowinsensitive static analysis, which allows accepting more secure programs. It has been also shown that sound purely dynamic information-flow enforcement is more permissive than static analysis in the flow-insensitive case. We argue that the step from flow-insensitive to flow-sensitive is fundamentally limited for purely dynamic information-flow controls. We prove impossibility of a sound purely dynamic information-flow monitor that accepts programs certified by a classical flow-sensitive static analysis. A side implication is impossibility of permissive dynamic instrumented security semantics for information flow, which guides us to uncover an unsound semantics from the literature. We present a general framework for hybrid mechanisms that is parameterized in the static part and in the reaction method of the enforcement (stop, suppress, or rewrite) and give security guarantees with respect to terminationinsensitive noninterference for a simple language with output.

Section: Related Workmentioning

confidence: 99%

Dynamic vs. Static Flow-Sensitive Security Analysis

Russo

2010 23rd IEEE Computer Security Foundations Symposium

2010

Self Cite

155

216

“…Some perform static pre-analyzes, i.e., before the execution [13,21,25], or code inlining [12,6,23,29]. In other cases, the static analysis is triggered at runtime by the monitor [22,32,27,19].…”

Section: S-ifmentioning

confidence: 99%

“…There are several approaches to hybrid enforcement: inlining monitors [12,6,23,29], selective tracking [13,25], and the application of a static analysis at branch points [22,32,27,19]. Value sensitivity is particularly suitable for the latter to reduce the number of upgrades and increase precision (cf.…”

Section: Related Workmentioning

confidence: 99%

Value Sensitivity and Observable Abstract Values for Information Flow Control

Bello

Hedin

Logic for Programming, Artificial Intelligence, and Reasoning

2015

Self Cite

Abstract. Much progress has recently been made on information flow control, enabling the enforcement of increasingly rich policies for increasingly expressive programming languages. This has resulted in tools for mainstream programming languages as JavaScript, Java, Caml, and Ada that enforce versatile security policies. However, a roadblock on the way to wider adoption of these tools has been their limited permissiveness (high number of false positives). Flow-, context-, and object-sensitive techniques have been suggested to improve the precision of static information flow control and dynamic monitors have been explored to leverage the knowledge about the current run for precision. This paper explores value sensitivity to boost the permissiveness of information flow control. We show that both dynamic and hybrid information flow mechanisms benefit from value sensitivity. Further, we introduce the concept of observable abstract values to generalize and leverage the power of value sensitivity to richer programming languages. We demonstrate the usefulness of the approach by comparing it to known disciplines for dealing with information flow in dynamic and hybrid settings.

“…Magazinius et al [28] cope with dynamic code evaluation instructions by inlining on-the-fly. Dynamic code evaluation instructions are rewritten to make use of auxiliary functions that, when invoked at runtime, inject security checks into the available string.…”

Section: Related Workmentioning

confidence: 99%

Architectures for Inlining Security Monitors in Web Applications

Magazinius

Hedin

Lecture Notes in Computer Science

2014

Self Cite

Abstract. Securing JavaScript in the browser is an open and challenging problem. Code from pervasive third-party JavaScript libraries exacerbates the problem because it is executed with the same privileges as the code that uses the libraries. An additional complication is that the different stakeholders have different interests in the security policies to be enforced in web applications. This paper focuses on securing JavaScript code by inlining security checks in the code before it is executed. We achieve great flexibility in the deployment options by considering security monitors implemented as security-enhanced JavaScript interpreters. We propose architectures for inlining security monitors for JavaScript: via browser extension, via web proxy, via suffix proxy (web service), and via integrator. Being parametric in the monitor itself, the architectures provide freedom in the choice of where the monitor is injected, allowing to serve the interests of the different stake holders: the users, code developers, code integrators, as well as the system and network administrators. We report on experiments that demonstrate successful deployment of a JavaScript information-flow monitor with the different architectures.