Dynamic vs. static flow-sensitive security analysis

Proceedings - IEEE Computer Security Foundations Symposium

Volumn , Issue , 2010, Pages 186-199

  Russo, Alejandro ^a   Sabelfeld, Andrei ^a  

^a CHALMERS UNIVERSITY OF TECHNOLOGY   (Sweden)

Author keywords

[No Author keywords available]

Indexed keywords

DYNAMIC INFORMATION; HYBRID MECHANISMS; INFORMATION FLOWS; NATURAL GENERALIZATION; PARAMETERIZED; REACTION METHOD; SECURITY ANALYSIS; STATIC AND DYNAMIC; STATIC FLOW; STATIC INFORMATION;

DYNAMIC ANALYSIS; SECURITY SYSTEMS; STATIC ANALYSIS;

SECURITY OF DATA;

EID: 77957586261     PISSN: 19401434     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/CSF.2010.20     Document Type: Conference Paper

References (53)

1. A. Askarov and S. Hunt and A. Sabelfeld and D. Sands. Termination-insensitive noninterference leaks more than just a bit. In Proc. European Symp. on Research in Computer Security, volume 5283 of LNCS, pages 333-348. Springer-Verlag, Oct. 2008.
2. G. R. Andrews and R. P. Reitman. An axiomatic approach to information flow in programs. ACM TOPLAS, 2(1):56-75, Jan. 1980.
3. A. Askarov and A. Sabelfeld. Security-typed languages for implementation of cryptographic protocols: A case study. In Proc. European Symp. on Research in Computer Security, volume 3679 of LNCS, pages 197-221. Springer-Verlag, Sept. 2005.
4. A. Askarov and A. Sabelfeld. Tight enforcement of information-release policies for dynamic languages. In Proc. IEEE Computer Security Foundations Symposium, July 2009.
5. T. H. Austin and C. Flanagan. Efficient purely-dynamic information flow analysis. In Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS), June 2009.
6. T. H. Austin and C. Flanagan. Permissive dynamic information flow analysis. In Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS), June 2010.
7. J.-P. Banâtre and C. Bryce. Information flow control in a parallel language framework. In Proc. IEEE Computer Security Foundations Workshop, pages 39-52, June 1993.
8. J. Barnes and J. Barnes. High Integrity Software: The SPARK Approach to Safety and Security. Addison-Wesley Longman Publishing Co., Inc. Boston, MA, USA, 2003.
9. G. Boudol. Secure information flow as a safety property. In Formal Aspects in Security and Trust, Third International Workshop (FAST'08), LNCS, pages 20-34. Springer-Verlag, Mar. 2009.
10. L. Cavallaro, P. Saxena, and R. Sekar. On the limits of information flow techniques for malware analysis and containment. In Proc. Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), July 2008.
11. R. Chapman and A. Hilton. Enforcing security and safety models with an information flow analysis tool. ACM SIGAda Ada Letters, 24(4):39-46, 2004.
12. S. Chong, J. Liu, A. C. Myers, X. Qi, K. Vikram, L. Zheng, and X. Zheng. Secure web applications via automatic partitioning. In Proc. ACM Symp. on Operating System Principles, pages 31-44, Oct. 2007.
13. S. Chong, K. Vikram, and A. C. Myers. Sif: Enforcing confidentiality and integrity in web applications. In Proc. USENIX Security Symposium, pages 1-16, Aug. 2007.
14. A. Chudnov and D. A. Naumann. Information flow monitor inlining. In Proc. IEEE Computer Security Foundations Symposium, July 2010.
15. M. R. Clarkson, S. Chong, and A. C. Myers. Civitas: Toward a secure voting system. Security and Privacy, IEEE Symposium on, 0, 2008.
16. E. S. Cohen. Information transmission in sequential programs. In R. A. DeMillo, D. P. Dobkin, A. K. Jones, and R. J. Lipton, editors, Foundations of Secure Computation, pages 297-335. Academic Press, 1978.
17. D. E. Denning. Cryptography and Data Security. Addison-Wesley, Reading, MA, 1982.
18. D. E. Denning and P. J. Denning. Certification of programs for secure information flow. Comm. of the ACM, 20(7):504- 513, July 1977.
19. B. Eich. Flowsafe: Information flow security for the browser. https://wiki.mozilla.org/FlowSafe, Oct. 2009.
20. J. S. Fenton. Memoryless subsystems. Computing J., 17(2):143-147, May 1974.
21. J. A. Goguen and J. Meseguer. Security policies and security models. In Proc. IEEE Symp. on Security and Privacy, pages 11-20, Apr. 1982.
22. K. W. Hamlen, G. Morrisett, and F. B. Schneider. Computability classes for enforcement mechanisms. ACM TOPLAS, 28(1):175-205, 2006.
23. B. Hicks, K. Ahmadizadeh, and P. McDaniel. Understanding practical application development in security-typed languages. In 22st Annual Computer Security Applications Conference (ACSAC), December 2006.
24. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In Proc. International Conference on World Wide Web, pages 40-52, May 2004.
25. S. Hunt and D. Sands. On flow-sensitive security types. In Proc. ACM Symp. on Principles of Programming Languages, pages 79-90, 2006.
26. B. W. Lampson. A note on the confinement problem. Commun. ACM, 16(10), 1973.
27. G. Le Guernic. Automaton-based confidentiality monitoring of concurrent programs. In Proc. IEEE Computer Security Foundations Symposium, pages 218-232, July 2007.
28. G. Le Guernic, A. Banerjee, T. Jensen, and D. Schmidt. Automata-based confidentiality monitoring. In Proc. Asian Computing Science Conference (ASIAN'06), volume 4435 of LNCS. Springer-Verlag, 2006.
29. J. Ligatti, L. Bauer, and D. Walker. Edit automata: Enforcement mechanisms for run-time security policies. International Journal of Information Security, 4:2-16, 2005.
30. J. Magazinius, A. Askarov, and A. Sabelfeld. A lattice-based approach to mashup security. In Proc. ACM Symposium on Information, Computer and Communications Security (ASIACCS), Apr. 2010.
31. J. Magazinius, A. Askarov, and A. Sabelfeld. On-the-fly inlining of dynamic security monitors. In Proc. IFIP International Information Security Conference, Sept. 2010.
32. J. McLean. The specification and modeling of computer security. Computer, 23(1):9-16, Jan. 1990.
33. J. McLean. A general theory of composition for trace sets closed under selective interleaving functions. In Proc. IEEE Symp. on Security and Privacy, pages 79-93, May 1994.
34. M. Mizuno and A. Oldehoeft. Information flow control in a distributed object-oriented system with statically-bound object variables. In Proc. National Computer Security Conference, pages 56-67, 1987.
35. A. C. Myers, L. Zheng, S. Zdancewic, S. Chong, and N. Nystrom. Jif: Java information flow. Software release. Located at http://www.cs.cornell.edu/jif July 2001-2008.
36. U. Norell. Towards a practical programming language based on dependent type theory. PhD thesis, Department of Computer Science and Engineering, Chalmers University of Technology, SE-412 96 Göteborg, Sweden, September 2007.
37. P. Ørbæk. Can you trust your data? In Proc. TAPSOFT/FASE'95, volume 915 of LNCS, pages 575-590. Springer-Verlag, May 1995.
38. A. Russo, K. Claessen, and J. Hughes. A library for lightweight information-flow security in Haskell. In Haskell '08: Proceedings of the first ACM SIGPLAN symposium on Haskell, pages 13-24. ACM, 2008.
39. A. Russo and A. Sabelfeld. Securing timeout instructions in web applications. In Proc. IEEE Computer Security Foundations Symposium, July 2009.
40. A. Russo and A. Sabelfeld. Dynamic vs. static flowsensitive security analysis. http://www.cse.chalmers.se/-russo/publicationsfiles/csf2010full.pdf, May 2010. Full version.
41. A. Russo, A. Sabelfeld, and A. Chudnov. Tracking information flow in dynamic tree structures. In Proc. European Symp. on Research in Computer Security, LNCS. Springer-Verlag, Sept. 2009.
42. A. Sabelfeld and A. C. Myers. Language-based informationflow security. IEEE J. Selected Areas in Communications, 21(1):5-19, Jan. 2003.
43. A. Sabelfeld and A. Russo. From dynamic to static and back: Riding the roller coaster of information-flow control research. In Proc. Andrei Ershov International Conference on Perspectives of System Informatics, LNCS. Springer-Verlag, June 2009.
44. F. B. Schneider. Enforceable security policies. ACM Transactions on Information and System Security, 3(1):30-50, 2000.
45. P. Shroff, S. Smith, and M. Thober. Dynamic dependency monitoring to secure information flow. In Proc. IEEE Computer Security Foundations Symposium, pages 203-217, July 2007.
46. V. Simonet. The Flow Caml system. Software release. Located at http://cristal.inria.fr/-simonet/soft/flowcaml July 2003.
47. T. Terauchi and A. Aiken. Secure information flow as a safety problem. In Proc. Symp. on Static Analysis, volume 3672 of LNCS, pages 352-367. Springer-Verlag, Sept. 2005.
48. V. N. Venkatakrishnan, W. Xu, D. C. DuVarney, and R. Sekar. Provably correct runtime enforcement of non-interference properties. In Proc. International Conference on Information and Communications Security, pages 332-351. Springer-Verlag, Dec. 2006.
49. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross-site scripting prevention with dynamic data tainting and static analysis. In Proc. Network and Distributed System Security Symposium, Feb. 2007.
50. D. Volpano. Safety versus secrecy. In Proc. Symp. on Static Analysis, volume 1694 of LNCS, pages 303-311. Springer-Verlag, Sept. 1999.
51. D. Volpano and G. Smith. Eliminating covert flows with minimum typings. Proc. IEEE Computer Security Foundations Workshop, pages 156-168, June 1997.
52. D. Volpano, G. Smith, and C. Irvine. A sound type system for secure flow analysis. J. Computer Security, 4(3):167-187, 1996.
53. G. Winskel. The Formal Semantics of Programming Languages: An Introduction. MIT Press, Cambridge, MA, 1993.