Permissive dynamic information flow analysis

Proceedings of the ACM SIGPLAN 5th Workshop on Programming Languages and Analysis for Security, PLAS 2010

Volumn , Issue , 2010, Pages

  Austin, Thomas H ^a   Flanagan, Cormac ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Dynamic analysis; Information flow control

Indexed keywords

DYNAMIC ANALYSIS TECHNIQUES; DYNAMIC INFORMATION FLOW ANALYSIS; EXECUTION PATHS; INFORMATION FLOW CONTROL; NON INTERFERENCE; PRIVATE DATA; PROGRAM SOURCE CODES;

DYNAMIC ANALYSIS; FLOW CONTROL; LINGUISTICS; PRIVATIZATION;

DATA FLOW ANALYSIS;

EID: 77954893910     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1814217.1814220     Document Type: Conference Paper

References (42)

1. A. Askarov, S. Hunt, A. Sabelfeld, and D. Sands. Termination-insensitive noninterference leaks more than just a bit. In ESORICS '08: Proceedings of the 13th European Symposium on Research in Computer Security, pages 333-348, Berlin, Heidelberg, 2008. Springer-Verlag.
2. A. Askarov and A. Sabelfeld. Catch me if you can: permissive yet secure error handling. In PLAS '09: Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security, pages 45-57, New York, NY, USA, 2009. ACM.
3. A. Askarov and A. Sabelfeld. Tight enforcement of information-release policies for dynamic languages. In IEEE Computer Security Foundations Symposium, pages 43-59, Washington, DC, USA, 2009. IEEE Computer Society.
4. T. H. Austin and C. Flanagan. Efficient purely-dynamic information flow analysis. In PLAS '09: Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security, pages 113-124, New York, NY, USA, 2009. ACM.
5. T. H. Austin and C. Flanagan. Permissive dynamic information flow analysis. Technical Report UCSC-SOE- 09-34, The University of California at Santa Cruz, 2009.
6. A. Banerjee and D. A. Naumann. Secure information flow and pointer confinement in a java-like language. In IEEE Computer Security Foundations Workshop, pages 253-267. IEEE Computer Society, 2002.
7. D. Chandra and M. Franz. Fine-grained information flow analysis and enforcement in a java virtual machine. In ACSAC, pages 463-475. IEEE Computer Society, 2007.
8. A. Chaudhuri, P. Naldurg, and S. K. Rajamani. A type system for data-flow integrity on windows vista. In Ú. Erlingsson and M. Pistoia, editors, PLAS, pages 89-100. ACM, 2008.
9. S. Chong and A. C. Myers. Security policies for downgrading. In CCS '04: Proceedings of the 11th ACM conference on Computer and communications security, pages 198-209, New York, NY, USA, 2004. ACM.
10. A. Chudnov and D. A. Naumann. Information flow monitor inlining. In IEEE Computer Security Foundations Symposium. IEEE Computer Society, 2010.
11. R. Chugh, J. A. Meister, R. Jhala, and S. Lerner. Staged information flow for javascript. In PLDI '09: Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation, pages 50-62, New York, NY, USA, 2009. ACM.
12. D. E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236-243, 1976.
13. D. E. Denning and P. J. Denning. Certification of programs for secure information flow. Communications of the ACM, 20(7):504-513, 1977.
14. B. Eich. Mozilla FlowSafe: Information flow security for the browser. https://wiki.mozilla.org/FlowSafe, accessed October 2009.
15. Developer's wiki: FBJS. http://wiki.developers.facebook.com/index.php/ FBJS, accessed January 2010.
16. C. Fournet and T. Rezk. Cryptographically sound implementations for typed information-flow security. In Symposium on Principles of Programming Languages, pages 323-335, 2008.
17. A. Gal, B. Eich, M. Shaver, D. Anderson, B. Kaplan, G. Hoare, D. Mandelin, B. Zbarsky, J. Orendorff, M. Bebenita, M. Chang, M. Franz, E. Smith, R. Reitmaier, and M. Haghighat. Trace-based just-in-time type specialization for dynamic languages. In Conference on Programming Language Design and Implementation, 2009.
18. Caja. http://code.google.com/p/google-caja/, accessed December 2009.
19. C. Hammer and G. Snelting. Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs. International Journal of Information Security, 2009.
20. N. Heintze and J. G. Riecke. The slam calculus: Programming with secrecy and integrity. In Symposium on Principles of Programming Languages, pages 365-377, 1998.
21. S. Hunt and D. Sands. On flow-sensitive security types. In J. G. Morrisett and S. L. P. Jones, editors, POPL, pages 79-90. ACM, 2006.
22. Jif homepage. http://www.cs.cornell.edu/jif/accessed October 2009.
23. D. King, B. Hicks, M. Hicks, and T. Jaeger. Implicit flows: Can't live with 'em, can't live without 'em. In International Conference on Information Systems Security, pages 56-70, 2008.
24. G. Le Guernic, A. Banerjee, T. P. Jensen, and D. A. Schmidt. Automata-based confidentiality monitoring. In M. Okada and I. Satoh, editors, ASIAN, volume 4435 of Lecture Notes in Computer Science, pages 75-89. Springer, 2006.
25. V. B. Livshits, A. V. Nori, S. K. Rajamani, and A. Banerjee. Merlin: specification inference for explicit information flow problems. In M. Hind and A. Diwan, editors, PLDI, pages 75-86. ACM, 2009.
26. J. Magazinius, A. Askarov, and A. Sabelfeld. A latticebased approach to mashup security. In Proceedings of the ACM Symposium on Information Computer and Communications Security, 2010.
27. Internet explorer security zones. http://technet.microsoft.com/en-us/ library/dd361896.aspx, accessed December 2009.
28. JavaScript security in Mozilla. http://www.mozilla.org/projects/security/ components/jssec.html, accessed January 2009.
29. Same origin policy for JavaScript. https://developer.mozilla.org/En/Same- origin-policy-for-JavaScript, accessed January 2010.
30. A. C. Myers. Jflow: Practical mostly-static information flow control. In Symposium on Principles of Programming Languages, pages 228-241, 1999.
31. F. Pottier and V. Simonet. Information ow inference for ML. Transactions on Programming Languages and Systems, 25(1):117{158, 2003.
32. A. Russo and A. Sabelfeld. Securing timeout instructions in web applications. In IEEE Computer Security Foundations Symposium, 2009.
33. A. Russo and A. Sabelfeld. Dynamic vs. static flow-sensitive security analysis. In IEEE Computer Security Foundations Symposium. IEEE Computer Society, 2010.
34. A. Russo, A. Sabelfeld, and A. Chudnov. Tracking information flow in dynamic tree structures. In M. Backes and P. Ning, editors, ESORICS, volume 5789 of Lecture Notes in Computer Science, pages 86-103. Springer, 2009.
35. A. Sabelfeld and A. C. Myers. Language-based information-flow security. Selected Areas in Communications, IEEE Journal on, 21(1):5-19, Jan 2003.
36. A. Sabelfeld and A. Russo. From dynamic to static and back: Riding the roller coaster of information-flow control research. In Perspectives of System Informatics, 2009.
37. A. Shinnar, M. Pistoia, and A. Banerjee. A language for information flow: dynamic tracking in multiple interdependent dimensions. In S. Chong and D. A. Naumann, editors, PLAS, pages 125-131. ACM, 2009.
38. P. Shroff, S. F. Smith, and M. Thober. Dynamic dependency monitoring to secure information flow. In CSF, pages 203-217. IEEE Computer Society, 2007.
39. V. N. Venkatakrishnan, W. Xu, D. C. DuVarney, and R. Sekar. Provably correct runtime enforcement of noninterference properties. In Information and Communications Security, pages 332-351, 2006.
40. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Krügel, and G. Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In NDSS. The Internet Society, 2007.
41. D. Volpano, C. Irvine, and G. Smith. A sound type system for secure flow analysis. Journal of Computer Security, 4(2-3):167-187, 1996.
42. S. A. Zdancewic. Programming languages for information security. PhD thesis, Cornell University, Ithaca, NY, USA, 2002. Chair-Myers, Andrew.