Tight enforcement of information-release policies for dynamic languages

Proceedings - IEEE Computer Security Foundations Symposium

Volumn , Issue , 2009, Pages 43-59

  Askarov, Aslan ^a   Sabelfeld, Andrei ^b  

^a Department of Obstetrics Gynecology   (United States)

^b CHALMERS UNIVERSITY OF TECHNOLOGY   (Sweden)

Author keywords

[No Author keywords available]

Indexed keywords

CODE EVALUATION; COMMUNICATION PRIMITIVES; DYNAMIC LANGUAGES; ENFORCEMENT MECHANISMS; HYBRID MECHANISMS; ON-THE-FLY; POLICY FRAMEWORK; SECURITY POLICY;

QUERY LANGUAGES; SECURITY SYSTEMS;

LINGUISTICS;

EID: 70350542799     PISSN: 19401434     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/CSF.2009.22     Document Type: Conference Paper

References (46)

1. Auction Sniper. http://www.auctionsniper.com.
2. Google Maps API. http://code.google.com/apis/maps.
3. A. Askarov and S. Hunt and A. Sabelfeld and D. Sands. Termination-insensitive noninterference leaks more than just a bit. In Proc. European Symp. on Research in Computer Security, pages 333-348, October 2008.
4. A. Askarov and A. Sabelfeld. Gradual release: Unifying declassification, encryption and key release policies. In Proc. IEEE Symp. on Security and Privacy, pages 207-221, May 2007.
5. A. Askarov and A. Sabelfeld. Localized delimited release: Combining the what and where dimensions of information release. In Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS), pages 53-60, June 2007.
6. A. Askarov and A. Sabelfeld. Tight enforcement of information-release policies for dynamic languages. Technical report, 2009. Located at http://www.cs. cornell.edu/~aslan/csf09-full.pdf.
7. A. Banerjee, D. Naumann, and S. Rosenberg. Expressive declassification policies and modular static enforcement. In roc. IEEE Symp. on Security and Privacy, pages 339-353, May 2008.
8. G. Barthe, S. Cavadini, and T. Rezk. Tractable enforcement of declassification policies. In Proc. IEEE Computer Security Foundations Symposium, June 2008.
9. G. Boudol. Secure information flow as a safety property. In Formal Aspects in Security and Trust, Third International Workshop (FAST'08), LNCS, pages 20-34. Springer-Verlag, March 2009.
10. D. Chandra and M. Franz. Fine-grained information flow analysis and enforcement in a java virtual machine. In Proc. Annual Computer Security Applications Conference, pages 463-475, December 2007.
11. S. Chong, J. Liu, A. C. Myers, X. Qi, K. Vikram, L. Zheng, and X. Zheng. Secure web applications via automatic partitioning. In Proc. ACM Symp. on Operating System Principles, pages 31-44, October 2007.
12. S. Chong, K. Vikram, and A. C. Myers. Sif: Enforcing confidentiality and integrity in web applications. In Proc. USENIX Security Symposium, pages 1-16, August 2007.
13. D. Clark and S. Hunt. Noninterference for deterministic interactive programs. In Workshop on Formal Aspects in Security and Trust (FAST'08), October 2008.
14. E. Cooper, S. Lindley, P. Wadler, and J. Yallop. Links web-programming language. Software release. Located at http://groups.inf.ed.ac.uk/links/, 2006-2008.
15. M. Dam and P. Giambiagi. Confidentiality for mobile code: The case of a simple payment protocol. In Proc. IEEE Computer Security Foundations Workshop, pages 233-244, July 2000.
16. D. E. Denning and P. J. Denning. Certification of programs for secure information flow. Comm. of the ACM, 20(7):504-513, July 1977.
17. C. Dima, C. Enea, and R. Gramatovici. Nondeterminis-tic nointerference and deducible information flow. Technical Report 2006-01, University of Paris 12, LACL, 2006.
18. R. Fagin, J.Y. Halpern, Y. Moses, and M.Y. Vardi. Reasoning About Knowledge. MIT Press, 1995.
19. J. S. Fenton. Memoryless subsystems. Computing J., 17(2):143-147, May 1974.
20. J. A. Goguen and J. Meseguer. Security policies and security models. In Proc. IEEE Symp. on Security and Privacy, pages 11-20, April 1982.
21. B. Hicks, D. King, P. McDaniel, and M. Hicks. Trusted declassification:: high-level policy for a security-typed language. In Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS), pages 65-74, June 2006.
22. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In Proc. International Conference on World Wide Web, pages 40-52, May 2004.
23. G. Le Guernic. Automaton-based confidentiality monitoring of concurrent programs. In Proc. IEEE Computer Security Foundations Symposium, pages 218-232, July 2007.
24. G. Le Guernic, A. Banerjee, T. Jensen, and D. Schmidt. Automata-based confidentiality monitoring. In Proc. Asian Computing Science Conference (ASIAN'06), volume 4435 of LNCS. Springer-Verlag, 2006.
25. H. Mantel and A. Reinhard. Controlling the what and where of declassification in language-based security. In Proc. European Symp. on Programming, volume 4421 of LNCS, pages 141-156. Springer-Verlag, March 2007.
26. S. McCamant and M. D. Ernst. Quantitative information flow as network flow capacity. In Proc. ACM SIGPLAN Conference on Programming language Design and Implementation, pages 193-205, 2008.
27. A. C. Myers and B. Liskov. A decentralized model for information flow control. In Proc. ACM Symp. on Operating System Principles, pages 129-142, October 1997.
28. A. C. Myers, L. Zheng, S. Zdancewic, S. Chong, and N. Nystrom. Jif: Java information flow. Software release. Located at http://www.cs.cornell.edu/jif, July 2001-2006.
29. K. O'Neill, M. Clarkson, and S. Chong. Information-flow security for interactive programs. In Proc. IEEE Computer Security Foundations Workshop, pages 190-201, July 2006.
30. A. Russo and A. Sabelfeld. Securing timeout instructions in web applications. In Proc. IEEE Computer Security Foundations Symposium, July 2009.
31. A. Russo, A. Sabelfeld, and A. Chudnov. Tracking information flow in dynamic tree structures, April 2009. Draft.
32. A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE J. Selected Areas in Communications, 21(1):5-19, January 2003.
33. A. Sabelfeld and A. C. Myers. A model for delimited information release. In Proc. International Symp. on Software Security (ISSS'03), volume 3233 of LNCS, pages 174-191. Springer-Verlag, October 2004.
34. A. Sabelfeld and A. Russo. From dynamic to static and back: Riding the roller coaster of information-flow control research. In Proc. Andrei Ershov International Conference on Perspectives of System Informatics, LNCS. Springer-Verlag, June 2009.
35. A. Sabelfeld and D. Sands. Dimensions and principles of declassification. In Proc. IEEE Computer Security Foundations Workshop, pages 255-269, June 2005.
36. A. Sabelfeld and D. Sands. Declassification: Dimensions and principles. J. Computer Security, 2009. To appear.
37. P. Shroff, S. Smith, and M. Thober. Dynamic dependency monitoring to secure information flow. In Proc. IEEE Computer Security Foundations Symposium, pages 203-217, July 2007.
38. V. Simonet. The Flow Caml system. Software release. Located at http://cristal.inria.fr/~simonet/soft/flowcaml/, July 2003.
39. S. Smith and M. Thober. Refactoring programs to secure information flows. In Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS), pages 75-84, June 2006.
40. N. Swamy, B. J. Corcoran, and M. Hicks. Fable: A language for enforcing user-defined security policies. In Proc. IEEE Symp. on Security and Privacy, pages 369-383, May 2008.
41. R. van der Meyden. What, indeed, is intransitive noninterference? In Proc. European Symp. on Research in Computer Security, pages 235-250. Springer-Verlag, September 2007.
42. V. N. Venkatakrishnan, W. Xu, D. C. DuVarney, and R. Sekar. Provably correct runtime enforcement of noninterference properties. In Proc. International Conference on Information and Communications Security, pages 332-351. Springer-Verlag, December 2006.
43. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In Proc. Network and Distributed System Security Symposium, February 2007.
44. D. Volpano. Safety versus secrecy. In Proc. Symp. on Static Analysis, volume 1694 of LNCS, pages 303-311. Springer-Verlag, September 1999.
45. D. Volpano and G. Smith. Eliminating covert flows with minimum typings. Proc. IEEE Computer Security Foundations Workshop, pages 156-168, June 1997.
46. D. Yu, A. Chander, N. Islam, and I. Serikov. Javascript instrumentation for browser security. In Proc. ACM Symp. on Principles of Programming Languages, pages 237-249. ACM, 2007.