Permissive dynamic information flow analysis

Austin, Thomas H.; Flanagan, Cormac

doi:10.1145/1814217.1814220

Cited by 106 publications

(138 citation statements)

References 38 publications

Supporting

Mentioning

138

Contrasting

Order By: Relevance

“…Having both is impossible: a purely dynamic flow-sensitive monitor (as, e.g., [5], [6]) will inevitably reject programs that are typable by HuntSands-style type system. To the best of our knowledge, there are no prior impossibility results on permissive purely dynamic monitoring of information-flow policies.…”

Section: Discussionmentioning

confidence: 99%

“…For flow-sensitive monitoring [5], [6], we believe Properties 1-3 hold, but, as we discuss in Section VIII, Property 4 does not hold because it is not allowed to first relabel a public variable in high context and then branch on it. This is consistent with our result that having all of Properties 1-4 is impossible in a flow-sensitive setting.…”

Section: Dynamic Flow-sensitive Monitoringmentioning

confidence: 99%

“…Austin and Flanagan [5], [6] suggest a purely dynamic monitor for information flow with a limited form of flow sensitivity. They discuss two disciplines: no sensitive-upgrade, where the execution gets stuck on an attempt to assign to a public variable in secret context, and permissive-upgrade, where on an attempt to assign to a public variable in secret context, the public variable is marked as one that cannot be branched on later in the execution.…”

Section: Related Workmentioning

confidence: 99%

“…Recently, it has been shown (e.g., [43], [5], [4], [39], [6]) that purely dynamic monitors can enforce the same security policy as Denning-style static analysis: terminationinsensitive noninterference. In addition, Sabelfeld and Russo [43] prove that sound purely dynamic information-flow enforcement is more permissive than static analysis in the flow-insensitive case (where variables are assigned security levels at the beginning of the execution and this assignment is kept unchanged during the execution).…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Dynamic vs. Static Flow-Sensitive Security Analysis

Russo

Sabelfeld

2010

2010 23rd IEEE Computer Security Foundations Symposium

155

216

View full text Add to dashboard Cite

Abstract-This paper seeks to answer fundamental questions about trade-offs between static and dynamic security analysis. It has been previously shown that flow-sensitive static information-flow analysis is a natural generalization of flowinsensitive static analysis, which allows accepting more secure programs. It has been also shown that sound purely dynamic information-flow enforcement is more permissive than static analysis in the flow-insensitive case. We argue that the step from flow-insensitive to flow-sensitive is fundamentally limited for purely dynamic information-flow controls. We prove impossibility of a sound purely dynamic information-flow monitor that accepts programs certified by a classical flow-sensitive static analysis. A side implication is impossibility of permissive dynamic instrumented security semantics for information flow, which guides us to uncover an unsound semantics from the literature. We present a general framework for hybrid mechanisms that is parameterized in the static part and in the reaction method of the enforcement (stop, suppress, or rewrite) and give security guarantees with respect to terminationinsensitive noninterference for a simple language with output.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Dynamic Flow-sensitive Monitoringmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Dynamic vs. Static Flow-Sensitive Security Analysis

Russo

Sabelfeld

2010

2010 23rd IEEE Computer Security Foundations Symposium

155

216

View full text Add to dashboard Cite

show abstract

“…Mozilla's ongoing project FlowSafe [9] aims at empowering Firefox with runtime information-flow tracking, where dynamic information-flow reference monitoring [2,3] lies at its core. The driving force for using the dynamic techniques is expressiveness: as more information is available at runtime, it is possible to use it and accept secure runs of programs that might be otherwise rejected by static analysis.…”

Section: Introductionmentioning

confidence: 99%

On-the-fly inlining of dynamic security monitors

Magazinius

Russo

Sabelfeld

2012

Computers & Security

View full text Add to dashboard Cite

Abstract. Language-based information-flow security considers programs that manipulate pieces of data at different sensitivity levels. Securing information flow in such programs remains an open challenge. Recently, considerable progress has been made on understanding dynamic monitoring for secure information flow. This paper presents a framework for inlining dynamic information-flow monitors. A novel feature of our framework is the ability to perform inlining on the fly. We consider a source language that includes dynamic code evaluation of strings whose content might not be known until runtime. To secure this construct, our inlining is done on the fly, at the string evaluation time, and, just like conventional offline inlining, requires no modification of the hosting runtime environment. We present a formalization for a simple language to show that the inlined code is secure: it satisfies a noninterference property. We also discuss practical considerations and preliminary experimental results.

show abstract

Practical Information Flow Control for Web Applications

Pupo

Christophe

Nicolay

et al. 2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Current browser-level security solutions do not provide a mechanism for information flow control (IFC) policies. As such, they need to be combined with language-based security approaches. Practical implementations for ICF enforcement remains a challenge when the full spectrum of web applications features is taken into account (i.e JavaScript features, web APIs, DOM, portability, performance, etc.). In this work we develop Gifc, a permissive-upgrade-based inlined monitoring mechanism to detect unwanted information flow in web applications. Gifc covers a wide range of JavaScript features that give rise to implicit flows. In contrast to related work, Gifc also handles dynamic code evaluation online, and it features an API function model mechanism that enables information tracking through APIs calls. As a result, Gifc can handle information flows that use DOM nodes as channels of information. We validate Gifc by means of a benchmark suite from literature specifically designed for information flow verification, which we also extend. We compare Gifc qualitatively with respect to closest related work and show that Gifc performs better at detecting unwanted implicit flows.

show abstract

Permissive dynamic information flow analysis

Cited by 106 publications

References 38 publications

Dynamic vs. Static Flow-Sensitive Security Analysis

Dynamic vs. Static Flow-Sensitive Security Analysis

On-the-fly inlining of dynamic security monitors

Practical Information Flow Control for Web Applications

Contact Info

Product

Resources

About