Stateful Declassification Policies for Event-Driven Programs

Vanhoef, Mathy; Groef, Willem De; Devriese, Dominique; Piessens, Frank; Rezk, Tamara

doi:10.1109/csf.2014.28

Cited by 29 publications

(19 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Vanhoef et al [15] provide a similar notion of declassification which allows declassification of partial information using a project function for specification. Vanhoef et al additionally allow the declassification of aggregated information over a history of events, making the declassification policy stateful.…”

Section: Related Workmentioning

confidence: 99%

Non-interference with What-Declassification in Component-Based Systems

Greiner

Grahl

2016

2016 IEEE 29th Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

Abstract-Component-based design is a method for modular design of systems. The structure of component-based systems follows specific rules and single components make assumptions on the environment that they run in. In this paper, we provide a noninterference property for component-based systems that allows for a precise specification of what-declassification of information and takes assumptions on the environment into consideration in order to allow a modular, precise and re-usable information-flow analysis. For precise analysis, components can be analyzed by separately analysing services provided by a component, and from our compositionality theorem non-interference of components follows.

show abstract

Section: Related Workmentioning

confidence: 99%

Non-interference with What-Declassification in Component-Based Systems

Greiner

Grahl

2016

2016 IEEE 29th Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

show abstract

“…These scenarios can be handled in our approach by means of endorsement (the integrity variant of declassification [24,28]). …”

Section: Extensionsmentioning

confidence: 99%

Client Side Web Session Integrity as a Non-interference Property

Khan

Calzavara

Bugliesi

et al. 2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Sessions on the web are fragile. They have been attacked successfully in many ways, by network-level attacks, by direct attacks on session cookies (the main mechanism for implementing the session concept) and by application-level attacks where the integrity of sessions is violated by means of cross-site request forgery or malicious script inclusion. This paper defines a variant of non-interference -the classical security notion from information flow security -that can be used to formally define the notion of client-side application-level web session integrity. The paper also develops and proves correct an enforcement mechanism. Combined with state-of-the-art countermeasures for network-level and cookie-level attacks, this enforcement mechanism gives very strong assurance about the client-side preservation of session integrity for authenticated sessions.

show abstract

“…Intuitively, time-sensitive noninterference is stronger than termination-sensitive noninterference because it requires that two executions starting in low-equal memories must terminate within the same number of program execution steps. Other works [10,20,26] have proposed other information flow properties, declassification properties, for modified SME monitors. We do not study in this work SME-based monitors for declassification.…”

Section: Related Workmentioning

confidence: 99%

“…The new monitor, that we call MF-TSNI, is not semantically equivalent to MFd-TSNI, and is not TSNI transparent. Both SME [10,20,26], and MF [4] have been extended to handle declassification, a security property more versatile than noninterference. It is left as future work to understand if our results generalize to declassification properties in order to compare SME and MF.…”

Section: Soundnessmentioning

confidence: 99%

Spot the Difference: Secure Multi-execution and Multiple Facets

Bielova

Rezk

2016

Computer Security – ESORICS 2016

Self Cite

View full text Add to dashboard Cite

Abstract. We propose a rigorous comparison of two widely known dynamic information flow mechanisms: Secure Multi-Execution (SME) and Multiple Facets (MF). Informally, it is believed that MF simulates SME while providing better performance. Formally, it is well known that SME has stronger soundness guarantees than MF. Surprisingly, we discover that even if we approach them to enforce the same soundness guarantees, they are still different. While modeling them in the same language, we are able to precisely identify the features of the semantics that lead to their differences. In the process of comparing them, we also discovered four new mechanisms that share features of MF and SME. We prove that one of them simulates SME, which was falsely believed to be true for MF.

show abstract

Stateful Declassification Policies for Event-Driven Programs

Cited by 29 publications

References 38 publications

Non-interference with What-Declassification in Component-Based Systems

Non-interference with What-Declassification in Component-Based Systems

Client Side Web Session Integrity as a Non-interference Property

Spot the Difference: Secure Multi-execution and Multiple Facets

Contact Info

Product

Resources

About