Limiting information leakage in event-based communication

Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security, PLAS 2011

Volumn , Issue , 2011, Pages

  Rafnsson, Willard ^a   Sabelfeld, Andrei ^a  

^a Chalmers ^*  (Sweden)

Author keywords

Event model; Information flow; Reactive programming

Indexed keywords

EVENT MODEL; EVENT STRUCTURES; EVENT-BASED; FLOW-SENSITIVE ANALYSIS; INFORMATION FLOWS; INFORMATION LEAKAGE; JAVASCRIPT; REACTIVE LANGUAGES; REACTIVE PROGRAMMING; SECURITY FRAMEWORKS; SECURITY LEVEL; SENSITIVE INFORMATIONS; USER EXPERIENCE; WEB APPLICATION;

COMPUTER PROGRAMMING LANGUAGES; OBJECT ORIENTED PROGRAMMING; WORLD WIDE WEB;

COMMUNICATION;

EID: 84860301003     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2166956.2166960     Document Type: Conference Paper

References (54)

1. A. Askarov, D. Hedin, and A. Sabelfeld. Cryptographically-masked flows. Theoretical Computer Science, 402:82-101, August 2008.
2. A. Askarov, S. Hunt, A. Sabelfeld, and D. Sands. Termination-insensitive noninterference leaks more than just a bit. In Proc. European Symp. on Research in Computer Security, volume 5283 of LNCS, pages 333-348. Springer-Verlag, October 2008.
3. A. Askarov and A. Sabelfeld. Tight enforcement of information-release policies for dynamic languages. In Proc. IEEE Computer Security Foundations Symposium, July 2009.
4. T. H. Austin and C. Flanagan. Efficient purely-dynamic information flow analysis. In Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS), June 2009.
5. T. H. Austin and C. Flanagan. Permissive dynamic information flow analysis. In Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS), June 2010.
6. J. Barnes and JG Barnes. High Integrity Software: The SPARK Approach to Safety and Security. Addison-Wesley Longman Publishing Co., Inc. Boston, MA, USA, 2003.
7. Aaron Bohannon, Benjamin C. Pierce, Vilhelm Sjöberg, Stephanie Weirich, and Steve Zdancewic. Reactive noninterference. In ACM Conference on Computer and Communications Security, pages 79-90, November 2009.
8. R. Chapman and A. Hilton. Enforcing security and safety models with an information flow analysis tool. ACM SIGAda Ada Letters, 24(4):39-46, 2004.
9. D. Clark and S. Hunt. Noninterference for deterministic interactive programs. In Workshop on Formal Aspects in Security and Trust (FAST'08), October 2008.
10. E. S. Cohen. Information transmission in sequential programs. In R. A. DeMillo, D. P. Dobkin, A. K. Jones, and R. J. Lipton, editors, Foundations of Secure Computation, pages 297-335. Academic Press, 1978.
11. P. Cousot and R. Cousot. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proc. ACM Symp. on Principles of Programming Languages, pages 238-252, January 1977.
12. D. Crockford. Making javascript safe for advertising. ad-safe.org, 2009.
13. D. E. Denning and P. J. Denning. Certification of programs for secure information flow. Comm. of the ACM, 20(7):504-513, July 1977.
14. D. Devriese and F. Piessens. Non-interference through secure multi-execution. In Proc. IEEE Symp. on Security and Privacy, May 2010.
15. B. Eich. Flowsafe: Information flow security for the browser. https://wiki.mozilla.org/FlowSafe, October 2009.
16. Facebook. FBJS. http://wiki.developers.facebook.com/index.php/FBJS, 2009.
17. R. Focardi and R. Gorrieri. A classification of security properties for process algebras. J. Computer Security, 3(1):5-33, 1995.
18. R. Focardi, S. Rossi, and A. Sabelfeld. Bridging language-based and process calculi security. In Proc. Foundations of Software Science and Computation Structure, volume 3441 of LNCS, pages 299-315. Springer-Verlag, April 2005. (Pubitemid 41273714)
19. J. A. Goguen and J. Meseguer. Security policies and security models. In Proc. IEEE Symp. on Security and Privacy, pages 11-20, April 1982.
20. K. Honda, V. Vasconcelos, and N. Yoshida. Secure information flow as typed process behaviour. In Proc. European Symp. on Programming, volume 1782 of LNCS, pages 180-199. Springer-Verlag, 2000.
21. K. Honda and N. Yoshida. A uniform type structure for secure information flow. In Proc. ACM Symp. on Principles of Programming Languages, pages 81-92, January 2002. (Pubitemid 35009032)
22. Arnaud Le Hors and Philippe Le Hegaret. Document Object Model Level 3 Core Specification. Technical report, The World Wide Web Consortium, 2004.
23. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In Proc. International Conference on World Wide Web, pages 40-52, May 2004. (Pubitemid 40752739)
24. S. Hunt and D. Sands. On flow-sensitive security types. In Proc. ACM Symp. on Principles of Programming Languages, pages 79-90, 2006.
25. N. Kobayashi. Type-based information flow analysis for the pi-calculus. Technical Report TR03-0007, Tokyo Institute of Technology, October 2003.
26. G. Le Guernic, Anindya Banerjee, Thomas Jensen, and David Schmidt. Automata-based confidentiality monitoring. In Proc. Asian Computing Science Conference (ASIAN'06), volume 4435 of LNCS. Springer-Verlag, 2006.
27. G. Lowe. Quantifying information flow. In Proc. IEEE Computer Security Foundations Workshop, pages 18-31, June 2002.
28. S. Maffeis, J.C. Mitchell, and A. Taly. Isolating javascript with filters, rewriting, and wrappers. In Proc. of ESORICS'09. LNCS, 2009.
29. S. Maffeis and A. Taly. Language-based isolation of untrusted Javascript. In Proc. of CSF'09, IEEE, 2009. See also: Dep. of Computing, Imperial College London, Technical Report DTR09-3, 2009.
30. J. Magazinius, A. Askarov, and A. Sabelfeld. A lattice-based approach to mashup security. In Proc. ACM Symposium on Information, Computer and Communications Security (ASI-ACCS), April 2010.
31. H. Mantel. Possibilistic definitions of security - An assembly kit-. In Proc. IEEE Computer Security Foundations Workshop, pages 185-199, July 2000.
32. H. Mantel. Information flow control and applications-Bridging a gap. In Proc. Formal Methods Europe, volume 2021 of LNCS, pages 153-172. Springer-Verlag, March 2001. (Pubitemid 36332798)
33. H. Mantel and A. Sabelfeld. A unifying approach to the security of distributed and multi-threaded programs. J. Computer Security, 11(4):615-676, September 2003.
34. A. Almeida Matos, G. Boudol, and I. Castellani. Typing non-interference for reactive programs. Journal of Logic and Algebraic Programming, 72:124-156, 2007.
35. M. Miller, M. Samuel, B. Laurie, I. Awad, and M. Stay. Caja: Safe active content in sanitized javascript, 2008.
36. A. C. Myers. JFlow: Practical mostly-static information flow control. In Proc. ACM Symp. on Principles of Programming Languages, pages 228-241, January 1999.
37. A. C. Myers, L. Zheng, S. Zdancewic, S. Chong, and N. Nys-trom. Jif: Java information flow. Software release. Located at http://www.cs.cornell.edu/jif, July 2001.
38. K. O'Neill, M. Clarkson, and S. Chong. Information-flow security for interactive programs. In Proc. IEEE Computer Security Foundations Workshop, pages 190-201, July 2006. (Pubitemid 46499727)
39. F. Pottier. A simple view of type-secure information flow in the pi-calculus. In Proc. IEEE Computer Security Foundations Workshop, pages 320-330, June 2002.
40. W. Rafnsson and A. Sabelfeld. Limiting information leakage in event-based communication: Extended version. Technical report, Chalmers University of Technology, 2011. Located at http://www.cse.chalmers.se/-rafnsson/2011plas.
41. A. Russo and A. Sabelfeld. Securing timeout instructions in web applications. In Proc. IEEE Computer Security Foundations Symposium, July 2009.
42. A. Russo and A. Sabelfeld. Dynamic vs. static flow-sensitive security analysis. In Proc. IEEE Computer Security Foundations Symposium, July 2010.
43. A. Russo, A. Sabelfeld, and A. Chudnov. Tracking information flow in dynamic tree structures. In Proc. European Symp. on Research in Computer Security, LNCS. Springer-Verlag, September 2009.
44. P. Ryan. Mathematical models of computer security-tutorial lectures. In R. Focardi and R. Gorrieri, editors, Foundations of Security Analysis and Design, volume 2171 of LNCS, pages 1-62. Springer-Verlag, 2001. (Pubitemid 33364378)
45. P. Ryan and S. Schneider. Process algebra and noninterference. In Proc. IEEE Computer Security Foundations Workshop, pages 214-227, June 1999.
46. A. Sabelfeld and H. Mantel. Static confidentiality enforcement for distributed programs. In Proc. Symp. on Static Analysis, volume 2477 of LNCS, pages 376-394. Springer-Verlag, September 2002.
47. A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE J. Selected Areas in Communications, 21(1):5-19, January 2003.
48. A. Sabelfeld and A. Russo. From dynamic to static and back: Riding the roller coaster of information-flow control research. In Proc. Andrei Ershov International Conference on Perspectives of System Informatics, LNCS. Springer-Verlag, June 2009.
49. P. Shroff, S. Smith, and M. Thober. Dynamic dependency monitoring to secure information flow. In Proc. IEEE Computer Security Foundations Symposium, pages 203-217, July 2007. (Pubitemid 47554215)
50. V. Simonet. The Flow Caml system. Software release. Located at http://cristal.inria.fr/-simonet/soft/flowcaml, July 2003.
51. G. Smith. On the foundations of quantitative information flow. In Proc. Foundations of Software Science and Computation Structure, volume 5504 of LNCS, pages 288-302, March 2009.
52. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross-site scripting prevention with dynamic data tainting and static analysis. In Proc. Network and Distributed System Security Symposium, February 2007.
53. D. Volpano and G. Smith. Eliminating covert flows with minimum typings. Proc. IEEE Computer Security Foundations Workshop, pages 156-168, June 1997.
54. D. Volpano, G. Smith, and C. Irvine. A sound type system for secure flow analysis. J. Computer Security, 4(3):167-187, 1996.