Multiple facets for dynamic information flow

ACM SIGPLAN Notices

Volumn 47, Issue 1, 2012, Pages 165-177

  Austin, Thomas H ^a   Flanagan, Cormac ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Dynamic analysis; Information flow control; JavaScript; Web security

Indexed keywords

CROSS SITE SCRIPTING; DATA CONFIDENTIALITY; DYNAMIC INFORMATION; FIREFOX; INFORMATION FLOW CONTROL; INFORMATION FLOW SECURITY; INFORMATION FLOWS; JAVASCRIPT; NEW MECHANISMS; NON INTERFERENCE; SECURITY LEVEL; SECURITY POLICY; SECURITY PROBLEMS; STATIC TYPE SYSTEMS; WEB APPLICATION; WEB SECURITY;

DYNAMIC ANALYSIS; FLOW CONTROL; HIGH LEVEL LANGUAGES; SECURITY OF DATA;

JAVA PROGRAMMING LANGUAGE;

EID: 84857163173     PISSN: 15232867     EISSN: None     Source Type: Journal    
DOI: 10.1145/2103621.2103677     Document Type: Conference Paper

References (40)

1. Aslan Askarov, Sebastian Hunt, Andrei Sabelfeld, and David Sands. Termination-insensitive noninterference leaks more than just a bit. In ESORICS '08, pages 333-348. Springer-Verlag, 2008.
2. Aslan Askarov and Andrew Myers. A semantic framework for declassification and endorsement. In ESOP, pages 64-84, 2010.
3. Aslan Askarov and Andrei Sabelfeld. Tight enforcement of information-release policies for dynamic languages. In IEEE Computer Security Foundations Symposium, pages 43-59, Washington, DC, USA, 2009. IEEE Computer Society.
4. Thomas H. Austin. ZaphodFacetes github page. https://github.com/taustin/ ZaphodFacets, 2011.
5. Thomas H. Austin and Cormac Flanagan. Efficient purely-dynamic information flow analysis. In PLAS '09: Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security, pages 113-124, New York, NY, USA, 2009. ACM.
6. Thomas H. Austin and Cormac Flanagan. Permissive dynamic information flow analysis. In Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pages 1-12. ACM, 2010.
7. Arnar Birgisson, Alejandro Russo, and Andrei Sabelfeld. Capabilities for information flow. In PLAS '11: Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security. ACM, 2011.
8. Aaron Bohannon, Benjamin C. Pierce, Vilhelm Sjöberg, Stephanie Weirich, and Steve Zdancewic. Reactive noninterference. In ACM Conference on Computer and Communications Security, pages 79-90, 2009.
9. R. Capizzi, A. Longo, V.N. Venkatakrishnan, and A.P. Sistla. Preventing information leaks through shadow executions. In ACSAC, pages 322-331, dec 2008.
10. Stephen Chong and Andrew C. Myers. Security policies for downgrading. In CCS '04: Proceedings of the 11th ACM conference on Computer and communications security, pages 198-209, New York, NY, USA, 2004. ACM. (Pubitemid 40338201)
11. Ravi Chugh, Jeffrey A. Meister, Ranjit Jhala, and Sorin Lerner. Staged information flow for javascript. In PLDI, pages 50-62, 2009.
12. Dorothy E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236-243, 1976.
13. Dominique Devriese and Frank Piessens. Noninterference through secure multi-execution. Security and Privacy, IEEE Symposium on, 0:109-124, 2010.
14. Mohan Dhawan and Vinod Ganapathy. Analyzing information flow in javascript-based browser extensions. In ACSAC, pages 382-391, 2009.
15. Brendan Eich. Narcissus-JS implemented in JS. Available on the web at https://github.com/mozilla/narcissus/.
16. J. S. Fenton. Memoryless subsystems. The Computer Journal, 17(2):143-147, 1974.
17. Andreas Gal, David Flanagan, and Donovon Preston. dom.js github page. https://github.com/andreasgal/dom.js, accessed October 2011, 2011.
18. Gurvan Le Guernic, Anindya Banerjee, Thomas P. Jensen, and David A. Schmidt. Automata-based confidentiality monitoring. In ASIAN, pages 75-89, 2006.
19. Nevin Heintze and Jon G. Riecke. The SLam calculus: Programming with secrecy and integrity. In Symposium on Principles of Programming Languages, pages 365-377, 1998.
20. Sebastian Hunt and David Sands. On flow-sensitive security types. In POPL, pages 79-90, 2006.
21. Dongseok Jang, Ranjit Jhala, Sorin Lerner, and Hovav Shacham. An empirical study of privacy-violating information flows in javascript web applications. In ACM Conference on Computer and Communications Security, pages 270-283, 2010.
22. Jif homepage. http://www.cs.cornell.edu/jif/, accessed October 2010.
23. Vineeth Kashyap, Ben Wiedermann, and Ben Hardekopf. Timing-and termination-sensitive secure information flow: Exploring a new approach. In IEEE Security and Privacy, 2011.
24. Dave King, Boniface Hicks, Michael Hicks, and Trent Jaeger. Implicit flows: Can't live with 'em, can't live without 'em. In International Conference on Information Systems Security, pages 56-70, 2008.
25. Clemens Kolbitsch, Benjamin Livshits, Benjamin Zorn, and Christian Seifert. Rozzle: De-cloaking internet malware. Technical Report MSR-TR-2011-94, Microsoft Research Technical Report, 2001.
26. Mozilla labs: Zaphod add-on for the firefox browser. http://mozillalabs. com/zaphod, accessed October 2010.
27. Andrew C. Myers. JFlow: Practical mostly-static information flow control. In Symposium on Principles of Programming Languages, pages 228-241, 1999.
28. François Pottier and Vincent Simonet. Information flow inference for ML. Transactions on Programming Languages and Systems, 25(1):117-158, 2003.
29. Willard Rafnsson and Andrei Sabelfeld. Limiting information leakage in event-based communication. In PLAS '11: Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security. ACM, 2011.
30. Alejandro Russo and Andrei Sabelfeld. Securing timeout instructions in web applications. In IEEE Computer Security Foundations Symposium, 2009.
31. Alejandro Russo and Andrei Sabelfeld. Dynamic vs. static flow-sensitive security analysis. In IEEE Computer Security Foundations Symposium. IEEE Computer Society, 2010.
32. Alejandro Russo, Andrei Sabelfeld, and Andrey Chudnov. Tracking information flow in dynamic tree structures. In ESORICS, pages 86-103, 2009.
33. Andrei Sabelfeld and Andrew C. Myers. Language-based information-flow security. Selected Areas in Communications, IEEE Journal on, 21(1):5-19, Jan 2003.
34. Paritosh Shroff, Scott F. Smith, and Mark Thober. Dynamic dependency monitoring to secure information flow. In CSF, pages 203-217, 2007. (Pubitemid 47554215)
35. Jeffrey Vaughan and Stephen Chong. Inference of expressive declassification policies. In IEEE Security and Privacy, 2011.
36. Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Krügel, and Giovanni Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In NDSS, 2007.
37. Dennis Volpano, Cynthia Irvine, and Geoffrey Smith. A sound type system for secure flow analysis. Journal of Computer Security, 4(2-3):167-187, 1996.
38. Webkit.org. SunSpider JavaScript benchmark. http://www.webkit.org/perf/ sunspider/sunspider.html, accessed October 2011.
39. Stephan Arthur Zdancewic. Programming languages for information security. PhD thesis, Cornell University, 2002.
40. Steve Zdancewic. A type system for robust declassification. In 19th Mathematical Foundations of Programming Semantics Conference, 2003.