Provably Correct Runtime Enforcement of Non-interference Properties

Venkatakrishnan, V.; Xu, Wei; DuVarney, Daniel C.; Sekar, R.

doi:10.1007/11935308_24

Cited by 29 publications

(26 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Mechanisms by Venkatakrishnan et al [48], Le Guernic et al [28], [27], and Shroff et al [45] combine dynamic and static checks. The mechanisms by Le Guernic et al for sequential [28] and concurrent [27] programs are flowsensitive.…”

Section: Related Workmentioning

confidence: 99%

Dynamic vs. Static Flow-Sensitive Security Analysis

Russo

Sabelfeld

2010

2010 23rd IEEE Computer Security Foundations Symposium

155

216

View full text Add to dashboard Cite

Abstract-This paper seeks to answer fundamental questions about trade-offs between static and dynamic security analysis. It has been previously shown that flow-sensitive static information-flow analysis is a natural generalization of flowinsensitive static analysis, which allows accepting more secure programs. It has been also shown that sound purely dynamic information-flow enforcement is more permissive than static analysis in the flow-insensitive case. We argue that the step from flow-insensitive to flow-sensitive is fundamentally limited for purely dynamic information-flow controls. We prove impossibility of a sound purely dynamic information-flow monitor that accepts programs certified by a classical flow-sensitive static analysis. A side implication is impossibility of permissive dynamic instrumented security semantics for information flow, which guides us to uncover an unsound semantics from the literature. We present a general framework for hybrid mechanisms that is parameterized in the static part and in the reaction method of the enforcement (stop, suppress, or rewrite) and give security guarantees with respect to terminationinsensitive noninterference for a simple language with output.

show abstract

Section: Related Workmentioning

confidence: 99%

Dynamic vs. Static Flow-Sensitive Security Analysis

Russo

Sabelfeld

2010

2010 23rd IEEE Computer Security Foundations Symposium

155

216

View full text Add to dashboard Cite

show abstract

“…Some perform static pre-analyzes, i.e., before the execution [13,21,25], or code inlining [12,6,23,29]. In other cases, the static analysis is triggered at runtime by the monitor [22,32,27,19]. A value sensitivity criterion can be applied in the static analysis of this second group.…”

Section: S-ifmentioning

confidence: 99%

“…However, a roadblock on the way to wider adoption of these tools has been their limited permissiveness i.e secure programs are falsely rejected due to over-approximations. Flow-, context-, and object-sensitive techniques [17] have been suggested to improve the precision of static information flow control, and dynamic and hybrid monitors [22,32,27,20,19] have been explored to leverage the knowledge about the current run for precision. Dynamic and hybrid techniques are particularly promising for highly dynamic languages such as JavaScript.…”

Section: Introductionmentioning

confidence: 99%

“…They aim to enhance the dynamic analysis with information that allows the label of write target to be changed before entering secret control, thus decoupling the label change from secret influence. For instance, a hybrid approach [22,32,27,19] is to apply a static analysis on the bodies of elevated contexts, e.g., secret conditionals, to find all potential write targets and upgrade them before the body is executed. This paper investigates an alternative approach that improves both pure and hybrid dynamic information flow control as well as other approaches relying on upgrading labels before elevated contexts.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Value Sensitivity and Observable Abstract Values for Information Flow Control

Bello

Hedin

Sabelfeld

2015

Logic for Programming, Artificial Intelligence, and Reasoning

View full text Add to dashboard Cite

Abstract. Much progress has recently been made on information flow control, enabling the enforcement of increasingly rich policies for increasingly expressive programming languages. This has resulted in tools for mainstream programming languages as JavaScript, Java, Caml, and Ada that enforce versatile security policies. However, a roadblock on the way to wider adoption of these tools has been their limited permissiveness (high number of false positives). Flow-, context-, and object-sensitive techniques have been suggested to improve the precision of static information flow control and dynamic monitors have been explored to leverage the knowledge about the current run for precision. This paper explores value sensitivity to boost the permissiveness of information flow control. We show that both dynamic and hybrid information flow mechanisms benefit from value sensitivity. Further, we introduce the concept of observable abstract values to generalize and leverage the power of value sensitivity to richer programming languages. We demonstrate the usefulness of the approach by comparing it to known disciplines for dealing with information flow in dynamic and hybrid settings.

show abstract

“…However, prior methods of detecting noninterference have typically required access to the program running the system in question. These analyses either used the program for directly analyzing its code (see [9] for a survey), for running an instrumented version of the system (e.g., [10][11][12][13]), or for simulating multiple executions of the system (e.g., [14][15][16]). Traditionally, the requirement of access to the program has not been problematic since the analysis has been motivated as a tool for software engineers securing a program that they have designed.…”

Section: Prior Workmentioning

confidence: 99%

Purpose Restrictions on Information Use

Tschantz

Datta

Wing

2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Privacy policies in sectors as diverse as Web services, finance and healthcare often place restrictions on the purposes for which a governed entity may use personal information. Thus, automated methods for enforcing privacy policies require a semantics of purpose restrictions to determine whether a governed agent used information for a purpose. We provide such a semantics using a formalism based on planning. We model planning using Partially Observable Markov Decision Processes (POMDPs), which supports an explicit model of information. We argue that information use is for a purpose if and only if the information is used while planning to optimize the satisfaction of that purpose under the POMDP model. We determine information use by simulating ignorance of the information prohibited by the purpose restriction, which we relate to noninterference. We use this semantics to develop a sound audit algorithm to automate the enforcement of purpose restrictions.

show abstract

Provably Correct Runtime Enforcement of Non-interference Properties

Cited by 29 publications

References 31 publications

Dynamic vs. Static Flow-Sensitive Security Analysis

Dynamic vs. Static Flow-Sensitive Security Analysis

Value Sensitivity and Observable Abstract Values for Information Flow Control

Purpose Restrictions on Information Use

Contact Info

Product

Resources

About