Tracking information flow in dynamic tree structures

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 5789 LNCS, Issue , 2009, Pages 86-103

  Russo, Alejandro ^a   Sabelfeld, Andrei ^a   Chudnov, Andrey ^b  

^a CHALMERS UNIVERSITY OF TECHNOLOGY   (Sweden)

^b STEVENS INSTITUTE OF TECHNOLOGY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

DOCUMENT OBJECT MODEL; DYNAMIC NATURE; DYNAMIC TREES; ENFORCEMENT MECHANISMS; INFORMATION FLOWS; RUNTIMES; SENSITIVE INFORMATIONS; TREE OPERATIONS; TREE STRUCTURES;

BIOLOGICAL MATERIALS; SECURITY SYSTEMS;

SECURITY OF DATA;

EID: 70350355123     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-04444-1_6     Document Type: Conference Paper

References (39)

1. Askarov, A., Hunt, S., Sabelfeld, A., Sands, D.: Termination-insensitive noninterference leaks more than just a bit. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 333-348. Springer, Heidelberg (2008)
2. Askarov, A., Sabelfeld, A.: Tight enforcement of information-release policies for dynamic languages. In: Proc. IEEE Computer Security Foundations Symposium (July 2009)
3. Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. In: Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS) (June 2009)
4. Boudol, G.: Secure information flow as a safety property. In: Degano, P., Guttman, J., Martinelli, F. (eds.) FAST 2008. LNCS, vol. 5491, pp. 20-34. Springer, Heidelberg (2009)
5. Cavallaro, L., Saxena, P., Sekar, R.: On the limits of information flow techniques for malware analysis and containment. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 143-163. Springer, Heidelberg (2008)
6. Chandra, D., Franz, M.: Fine-grained information flow analysis and enforcement in a java virtual machine. In: Proc. Annual Computer Security Applications Conference, December 2007, pp. 463-475 (2007)
7. Chong, S., Liu, J., Myers, A.C., Qi, X., Vikram, K., Zheng, L., Zheng, X.: Secure web applications via automatic partitioning. In: Proc. ACM Symp. on Operating System Principles, October 2007, pp. 31-44 (2007)
8. Chong, S., Vikram, K., Myers, A.C.: Sif: Enforcing confidentiality and integrity in web applications. In: Proc. USENIX Security Symposium, August 2007, pp. 1-16 (2007)
9. Cooper, E., Lindley, S., Wadler, P., Yallop, J.: Links web-programming language. Software release (2006-2008), http://groups.inf.ed.ac.uk/links/
10. Crockford, D.: Making javascript safe for advertising. adsafe.org (2009)
11. Denning, D.E., Denning, P.J.: Certification of programs for secure information flow. Comm. of the ACM 20(7), 504-513 (1977)
12. Facebook. FBJS (2009), http://wiki.developers.facebook.com/index.php/FBJS
13. Fenton, J.S.: Memoryless subsystems. Computing J. 17(2), 143-147 (1974)
14. Google. Google Chrome (2009), http://www.google.com/chrome/
15. Google. Google Web Toolkit (2009), http://code.google.com/webtoolkit
16. Heintze, N., Riecke, J.G.: The SLam calculus: programming with secrecy and integrity. In: Proc. ACM Symp. on Principles of Programming Languages, January 1998, pp. 365-377 (1998)
17. Huang, Y.-W., Yu, F., Hang, C., Tsai, C.-H., Lee, D.-T., Kuo, S.-Y.: Securing web application code by static analysis and runtime protection. In: Proc. International Conference on World Wide Web, May 2004, pp. 40-52 (2004)
18. Johns, M.: On JavaScript malware and related threats. Journal in Computer Virology 4(3), 161-178 (2008)
19. Kikuchi, H., Yu, D., Chander, A., Inamura, H., Serikov, I.: Javascript instrumentation in practice. In: APLAS, pp. 326-341 (2008)
20. Le Guernic, G.: Automaton-based confidentiality monitoring of concurrent programs. In: Proc. IEEE Computer Security Foundations Symposium, July 2007, pp. 218-232 (2007)
21. Le Guernic, G., Banerjee, A., Jensen, T., Schmidt, D.A.: Automata-based confidentiality monitoring. In: Okada, M., Satoh, I. (eds.) ASIAN 2006. LNCS, vol. 4435, pp. 75-89. Springer, Heidelberg (2008)
22. McCamant, S., Ernst,M.D.: Quantitative information flow as network flow capacity. In: Proc. ACM SIGPLAN Conference on Programming language Design and Implementation, pp. 193-205 (2008)
23. Miller, M., Samuel, M., Laurie, B., Awad, I., Stay, M.: Caja: Safe active content in sanitized javascript (2008)
24. Myers, A.C., Zheng, L., Zdancewic, S., Chong, S., Nystrom, N.: Jif: Java information flow. Software release (July 2001-2009), http://www.cs.cornell.edu/ jif
25. Netscape. Using data tainting for security (2006), http://wp.netscape. com/eng/mozilla/3.0/handbook/javascript/advtopic.htm
26. Pottier, F., Simonet, V.: Information flow inference for ML. In: Proc. ACM Symp. on Principles of Programming Languages, January 2002, pp. 319-330 (2002)
27. Russo, A., Claessen, K., Hughes, J.: A library for light-weight information-flow security in Haskell. In: Proc. ACM SIGPLAN Symposium on Haskell, pp. 13-24. ACM Press, New York (2008)
28. Russo, A., Sabelfeld, A.: Securing timeout instructions in web applications. In: Proc. IEEE Computer Security Foundations Symposium (July 2009)
29. Russo, A., Sabelfeld, A., Chudnov, A.: Tracking information flow in dynamic tree structures (2009), http://www.cse.chalmers.se/̃russo/domsec/
30. Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Selected Areas in Communications 21(1), 5-19 (2003)
31. Sabelfeld, A., Russo, A.: From dynamic to static and back: Riding the roller coaster of information-flow control research. In: PSI 2009. LNCS. Springer, Heidelberg (to appear)
32. Shroff, P., Smith, S., Thober, M.: Dynamic dependency monitoring to secure information flow. In: Proc. IEEE Computer Security Foundations Symposium, July 2007, pp. 203-217 (2007)
33. Simonet, V.: The Flow Caml system. Software release (July 2003), http://cristal.inria.fr/̃simonet/soft/flowcaml
34. Swamy, N., Corcoran, B.J., Hicks, M.: Fable: A language for enforcing user-defined security policies. In: Proc. IEEE Symp. on Security and Privacy, May 2008, pp. 369-383 (2008)
35. Venkatakrishnan, V.N., Xu,W., DuVarney, D.C., Sekar, R.: Provably correct runtime enforcement of non-interference properties. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 332-351. Springer, Heidelberg (2006)
36. Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Cross-site scripting prevention with dynamic data tainting and static analysis. In: Proc. Network and Distributed System Security Symposium (February 2007)
37. Volpano, D.: Safety versus secrecy. In: Cortesi, A., File, G. (eds.) SAS 1999. LNCS, vol. 1694, pp. 303-311. Springer, Heidelberg (1999)
38. Wood, L.: Document Object Model (DOM) Level 1 Specification (1998), http://www.w3.org/TR/REC-DOM-Level-1/
39. Yu, D., Chander, A., Islam, N., Serikov, I.: JavaScript instrumentation for browser security. In: Proc. ACM Symp. on Principles of Programming Languages, pp. 237-249. ACM Press, New York (2007)