Efficient purely-dynamic information flow analysis

ACM SIGPLAN Notices

Volumn 44, Issue 8, 2009, Pages 20-31

  Austin, Thomas H ^a   Flanagan, Cormac ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Dynamic analysis; Information flow control

Indexed keywords

BENCHMARK PROGRAMS; EVALUATION STRATEGIES; INFORMATION FLOW ANALYSIS; INFORMATION FLOW CONTROL; INFORMATION FLOWS; JAVASCRIPT; NON INTERFERENCE; SECURITY DOMAINS; SPEED-UPS;

STATIC ANALYSIS;

DYNAMIC ANALYSIS;

EID: 79959879431     PISSN: 15232867     EISSN: None     Source Type: Journal    
DOI: 10.1145/1667209.1667223     Document Type: Article

References (33)

1. Aslan Askarov, Sebastian Hunt, Andrei Sabelfeld, and David Sands. Termination-insensitive noninterference leaks more than just a bit. In ESORICS '08: Proceedings of the 13th European Symposium on Research in Computer Security, pages 333-348, Berlin, Heidelberg, 2008. Springer-Verlag.
2. Anindya Banerjee and David A. Naumann. Secure information flow and pointer confinement in a java-like language. In IEEE Computer Security Foundations Workshop, pages 253- 267. IEEE Computer Society, 2002.
3. Gilles Barthe, Pedro R. D'Argenio, and Tamara Rezk. Secure information flow by self-composition. In IEEE Computer Security Foundations Workshop, pages 100-114. IEEE Computer Society, 2004.
4. Gérard Boudol. Secure information flow as a safety property. In Pierpaolo Degano, Joshua D. Guttman, and Fabio Martinelli, editors, Formal Aspects in Security and Trust, volume 5491 of Lecture Notes in Computer Science, pages 20-34. Springer, 2008.
5. Deepak Chandra and Michael Franz. Fine-grained information flow analysis and enforcement in a java virtual machine. pages 463- 475, Dec. 2007.
6. Stephen Chong and Andrew C. Myers. Security policies for downgrading. In CCS '04: Proceedings of the 11th ACM conference on Computer and communications security, pages 198- 209, New York, NY, USA, 2004. ACM.
7. Dorothy E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236-243, 1976.
8. Dorothy E. Denning and Peter J. Denning. Certification of programs for secure information flow. Communications of the ACM, 20(7):504-513, 1977.
9. Brendan Eich. Narcissus-JS implemented in JS. Available on the web at http://mxr.mozilla.org/ mozilla/source/js/narcissus/.
10. J. S. Fenton. Memoryless subsystems. The Computer Journal, 17 (2):143-147, 1974.
11. Robert Bruce Findler. Behavioral Software Contracts. PhD thesis, Rice University, 2002.
12. Cédric Fournet and Tamara Rezk. Cryptographically sound implementations for typed information-flow security. In Symposium on Principles of Programming Languages, pages 323-335, 2008.
13. Andreas Gal, Brendan Eich, Mike Shaver, David Anderson, Blake Kaplan, Graydon Hoare, David Mandelin, Boris Zbarsky, Jason Orendorff, Michael Bebenita, Mason Chang, Michael Franz, Edwin Smith, Rick Reitmaier, and Mohammad Haghighat. Tracebased just-in-time type specialization for dynamic languages. In Conference on Programming Language Design and Implementation, 2009.
14. Joseph A. Goguen and Jose Meseguer. Security policies and security models. IEEE Symposium on Security and Privacy, 0:11, 1982.
15. Kathryn E. Gray, Robert Bruce Findler, and Matthew Flatt. Finegrained interoperability through mirrors and contracts. In OOPSLA '05: Proceedings of the 20th annual ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications, pages 231-245, 2005.
16. Vivek Haldar, Deepak Chandra, and Michael Franz. Dynamic taint propagation for java. In ACSAC, pages 303-311. IEEE Computer Society, 2005. (Pubitemid 46116486)
17. Nevin Heintze and Jon G. Riecke. The slam calculus: Programming with secrecy and integrity. In Symposium on Principles of Programming Languages, pages 365-377, 1998.
18. Dave King, Boniface Hicks, Michael Hicks, and Trent Jaeger. Implicit flows: Can't live with 'em, can't live without 'em. In International Conference on Information Systems Security, pages 56-70, 2008.
19. Monica S. Lam, Michael Martin, V. Benjamin Livshits, and John Whaley. Securing web applications with static and dynamic information flow tracking. In Robert Glück and Oege de Moor, editors, ACM SIGPLAN Workshop on Partial Evaluation and Program Manipulation, pages 3-12. ACM, 2008.
20. Gurvan Le Guernic, Anindya Banerjee, Thomas Jensen, and David Schmidt. Automata-based confidentiality monitoring. 2006. URL http://hal.inria.fr/inria- 00130210/en/.
21. Pasquale Malacaria and Han Chen. Lagrange multipliers and maximum information leakage in different observational models. In ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pages 135-146, 2008.
22. John McLean. Proving noninterference and functional correctness using traces. Journal of Computer Security, 1(1):37-58, 1992.
23. Andrew C. Myers. Jflow: Practical mostly-static information flow control. In Symposium on Principles of Programming Languages, pages 228-241, 1999.
24. Andrew C. Myers and Barbara Liskov. A decentralized model for information flow control. In Symposium on Operating System Principles, pages 129-142, 1997. (Pubitemid 127466034)
25. Kevin R. O'Neill, Michael R. Clarkson, and Stephen Chong. Information-flow security for interactive programs. In IEEE Computer Security Foundations Workshop, pages 190-201. IEEE Computer Society, 2006. (Pubitemid 46499727)
26. François Pottier and Vincent Simonet. Information flow inference for ml. Transactions on Programming Languages and Systems, 25(1):117-158, 2003.
27. Andrei Sabelfeld and Andrew C. Myers. Language-based information-flow security. Selected Areas in Communications, IEEE Journal on, 21(1):5-19, Jan 2003.
28. Tachio Terauchi and Alexander Aiken. Secure information flow as a safety problem. In Chris Hankin and Igor Siveroni, editors, SAS, volume 3672 of Lecture Notes in Computer Science, pages 352-367. Springer, 2005.
29. V. N. Venkatakrishnan, Wei Xu, Daniel C. DuVarney, and R. Sekar. Provably correct runtime enforcement of non-interference properties. In Information and Communications Security, pages 332- 351, 2006.
30. Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. February 2007. URL http://www.infosys.tuwien.ac. at/Staff/ek/ papers/xss prevention.pdf.
31. Dennis Volpano, Cynthia Irvine, and Geoffrey Smith. A sound type system for secure flow analysis. Journal of Computer Security, 4(2-3):167-187, 1996.
32. Stephan Arthur Zdancewic. Programming languages for information security. PhD thesis, Ithaca, NY, USA, 2002. Chair-Myers, , Andrew.
33. Lantian Zheng and Andrew C. Myers. Securing nonintrusive web encryption through information flow. In ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pages 125-134, 2008.