On-the-fly inlining of dynamic security monitors

IFIP Advances in Information and Communication Technology

Volumn 330, Issue , 2010, Pages 173-186

  Magazinius, Jonas ^a   Russo, Alejandro ^a   Sabelfeld, Andrei ^a  

^a CHALMERS UNIVERSITY OF TECHNOLOGY   (Sweden)

Author keywords

[No Author keywords available]

Indexed keywords

CODE EVALUATION; DYNAMIC MONITORING; DYNAMIC SECURITY; INFORMATION FLOWS; NONINTERFERENCE PROPERTIES; RUNTIME ENVIRONMENTS; SECURE INFORMATION FLOW; SOURCE LANGUAGE;

INFORMATION TECHNOLOGY;

SECURITY OF DATA;

EID: 84870603974     PISSN: 18684238     EISSN: None     Source Type: Book Series    
DOI: 10.1007/978-3-642-15257-3_16     Document Type: Conference Paper

References (46)

1. Askarov, A., Sabelfeld, A.: Tight enforcement of information-release policies for dynamic languages. In: Proc. IEEE Computer Security Foundations Symposium (July 2009)
2. Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. In: Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS) (June 2009)
3. Austin, T.H., Flanagan, C.: Permissive dynamic information flow analysis. In: Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS) (June 2010)
4. Boudol, G.: Secure information flow as a safety property. In: Degano, P., Guttman, J., Martinelli, F. (eds.) FAST 2008. LNCS, vol. 5491, pp. 20-34. Springer, Heidelberg (2009)
5. Chudnov, A., Naumann, D.A.: Information flow monitor inlining. In: Proc. IEEE Computer Security Foundations Symposium (July 2010)
6. Cohen, E.S.: Information transmission in sequential programs. In: DeMillo, R.A., Dobkin, D.P., Jones, A.K., Lipton, R.J. (eds.) Foundations of Secure Computation, pp. 297-335. Academic Press, London (1978)
7. Crockford, D.: Making javascript safe for advertising (2009), adsafe. org
8. Denning, D.E., Denning, P.J.: Certification of programs for secure information flow. Comm. of the ACM 20(7), 504-513 (1977)
9. Eich, B.: Flowsafe: Information flow security for the browser (October 2009), https://wiki.mozilla.org/FlowSafe
10. Erlingsson, U.: The inlined reference monitor approach to security policy enforcement. PhD thesis, Cornell University, Ithaca, NY, USA (2004)
11. Facebook. FBJS (2009), http://wiki.developers.facebook.com/index.php/FBJS
12. Fenton, J.S.: Memoryless subsystems. Computing J 17(2), 143-147 (1974)
13. Goguen, J.A., Meseguer, J.: Security policies and security models. In: Proc. IEEE Symp. on Security and Privacy, April 1982, pp. 11-20 (1982)
14. Hamlen, K.W., Morrisett, G., Schneider, F.B.: Computability classes for enforcement mechanisms. ACM TOPLAS 28(1), 175-205 (2006)
15. Huang, Y.-W., Yu, F., Hang, C., Tsai, C.-H., Lee, D.-T., Kuo, S.-Y.: Securing web application code by static analysis and runtime protection. In: Proc. International Conference on World Wide Web, May 2004, pp. 40-52 (2004)
16. Kozen, D.: Language-based security. In: Kutyłowski, M., Wierzbicki, T., Pacholski, L. (eds.) MFCS 1999. LNCS, vol. 1672, pp. 284-298. Springer, Heidelberg (1999)
17. Le Guernic, G.: Automaton-based confidentiality monitoring of concurrent programs. In: Proc. IEEE Computer Security Foundations Symposium, July 2007, pp. 218-232 (2007)
18. Le Guernic, G., Banerjee, A., Jensen, T., Schmidt, D.: Automata-based confidentiality monitoring. In: Okada, M., Satoh, I. (eds.) ASIAN 2006. LNCS, vol. 4435. Springer, Heidelberg (2008)
19. Leroy, X.: Java bytecode verification: algorithms and formalizations. J. Automated Reasoning 30(3-4), 235-269 (2003)
20. Ligatti, J., Bauer, L., Walker, D.: Edit automata: Enforcement mechanisms for run-time security policies. International Journal of Information Security 4, 2-16 (2005)
21. Maffeis, S., Mitchell, J., Taly, A.: Isolating java Script with filters, rewriting, and wrappers. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 505-522. Springer, Heidelberg (2009)
22. Maffeis, S., Taly, A.: Language-based isolation of untrusted Javascript. In: Proc. of CSF'09. IEEE, Los Alamitos (2009), See also: Dep. of Computing, Imperial College London, Technical Report DTR09-3 (2009)
23. Magazinius, J., Askarov, A., Sabelfeld, A.: A lattice-based approach to mashup security. In: Proc. ACM Symposium on Information, Computer and Communications Security (ASIACCS) (April 2010)
24. Magazinius, J., Russo, A., Sabelfeld, A.: Inlined security monitor performance test (2010), http://www.cse.chalmers.se/d02pulse/inlining/
25. McCamant, S., Ernst, M.D.: Quantitative information flow as network flow capacity. In: Proc. ACM SIGPLAN Conference on Programming language Design and Implementation, pp. 193-205 (2008)
26. McLean, J.: A general theory of composition for trace sets closed under selective interleaving functions. In: Proc. IEEE Symp. on Security and Privacy, May 1994, pp. 79-93 (1994)
27. Miller, M., Samuel, M., Laurie, B., Awad, I., Stay, M.: Caja: Safe active content in sanitized javascript (2008)
28. Myers, A.C., Zheng, L., Zdancewic, S., Chong, S., Nystrom, N.: Jif: Java information flow. Software release (July 2001), http://www.cs.cornell.edu/jif
29. Reis, C., Dunagan, J., Wang, H.J., Dubrovsky, O., Esmeir, S.: Browsershield: Vulnerabilitydriven filtering of dynamic html. ACM Trans. Web 1(3), 11 (2007)
30. Russo, A., Sabelfeld, A.: Securing timeout instructions in web applications. In: Proc. IEEE Computer Security Foundations Symposium (July 2009)
31. Russo, A., Sabelfeld, A.: Dynamic vs. static flow-sensitive security analysis. In: Proc. IEEE Computer Security Foundations Symposium (July 2010)
32. Russo, A., Sabelfeld, A., Chudnov, A.: Tracking information flow in dynamic tree structures. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 86-103. Springer, Heidelberg (2009)
33. Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Selected Areas in Communications 21(1), 5-19 (2003)
34. Sabelfeld, A., Russo, A.: From dynamic to static and back: Riding the roller coaster of information-flow control research. In: Proc. Andrei Ershov International Conference on Perspectives of System Informatics. LNCS. Springer, Heidelberg (2009)
35. Schneider, F.B.: Enforceable security policies. ACM Transactions on Information and System Security 3(1), 30-50 (2000)
36. Schneider, F.B., Morrisett, G., Harper, R.: A language-based approach to security. In: Wilhelm, R. (ed.) Informatics: 10 Years Back, 10 Years Ahead. LNCS, vol. 2000, pp. 86-101. Springer, Heidelberg (2001)
37. Shroff, P., Smith, S., Thober, M.: Dynamic dependency monitoring to secure information flow. In: Proc. IEEE Computer Security Foundations Symposium, July 2007, pp. 203-217 (2007)
38. Simonet, V.: The Flow Caml system. Software release (July 2003), http://cristal.inria.fr/simonet/soft/flowcaml
39. P.H.I. Systems: Sparkada examinar. Software release, http://www.praxis-his.com/sparkada/
40. Terauchi, T., Aiken, A.: Secure information flow as a safety problem. In: Hankin, C., Siveroni, I. (eds.) SAS 2005. LNCS, vol. 3672, pp. 352-367. Springer, Heidelberg (2005)
41. Venkatakrishnan, V.N., Xu, W., DuVarney, D.C., Sekar, R.: Provably correct runtime enforcement of non-interference properties. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 332-351. Springer, Heidelberg (2006)
42. Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Cross-site scripting prevention with dynamic data tainting and static analysis. In: Proc. Network and Distributed System Security Symposium (February 2007)
43. Volpano, D.: Safety versus secrecy. In: Cortesi, A., Filé, G. (eds.) SAS 1999. LNCS, vol. 1694, pp. 303-311. Springer, Heidelberg (1999)
44. Volpano, D., Smith, G., Irvine, C.: A sound type system for secure flow analysis. J. Computer Security 4(3), 167-187 (1996)
45. Wallach, D.S., Appel, A.W., Felten, E.W.: The security architecture formerly known as stack inspection: A security mechanism for language-based systems. ACM Transactions on Software Engineering and Methodology 9(4), 341-378 (2000)
46. Winskel, G.: The Formal Semantics of Programming Languages: An Introduction. MIT Press, Cambridge (1993)