Static checking of dynamically-varying security policies in database-backed applications

Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2010

Volumn , Issue , 2019, Pages 105-118

  Chlipala, Adam ^a  

^a Impredicative LLC   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ACCESS CONTROL; DATABASE SYSTEMS; SECURITY SYSTEMS; SYSTEMS ANALYSIS;

AUTOMATED THEOREM PROVING; DATABASE CONTENTS; INFORMATION FLOW POLICIES; PROGRAM ANNOTATION; PROTOTYPE IMPLEMENTATIONS; STATIC CHECKING; SYMBOLIC EVALUATION; WEB APPLICATION;

APPLICATION PROGRAMS;

EID: 85076922866     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (23)

1. ABADI, M., AND GORDON, A. D. A calculus for cryptographic protocols: The spi calculus. In Proc. CCS (1997).
2. BURROWS, M., ABADI, M., AND NEEDHAM, R. A logic of authentication. ACM Trans. Comput. Syst. 8, 1 (1990), 18-36.
3. CHLIPALA, A. Ur: Statically-typed metaprogramming with type-level record computation. In Proc. PLDI (2010).
4. CHONG, S., LIU, J., MYERS, A. C., QI, X., VIKRAM, K., ZHENG, L., AND ZHENG, X. Secure web applications via automatic partitioning. In Proc. SOSP (2007).
5. CHONG, S., VIKRAM, K., AND MYERS, A. C. SIF: Enforcing confidentiality and integrity in web applications. In Proc. USENIX Security (2007).
6. COOPER, E., LINDLEY, S., WADLER, P., AND YALLOP, J. Links: Web programming without tiers. In Proc. FMCO (2006).
7. CORCORAN, B. J., SWAMY, N., AND HICKS, M. Cross-tier, label-based security enforcement for web applications. In Proc. SIGMOD (2009).
8. DETLEFS, D., NELSON, G., AND SAXE, J. B. Simplify: a theorem prover for program checking. J. ACM 52, 3 (2005), 365-473.
9. EFSTATHOPOULOS, P., KROHN, M., VANDEBOGART, S., FREY, C., ZIEGLER, D., KOHLER, E., MAZIÈRES, D., KAASHOEK, F., AND MORRIS, R. Labels and event processes in the Asbestos operating system. In Proc. SOSP (2005).
10. FLANAGAN, C., LEINO, K. R. M., LILLIBRIDGE, M., NELSON, G., SAXE, J. B., AND STATA, R. Extended static checking for Java. In Proc. PLDI (2002).
11. HALFOND, W. G. J., AND ORSO, A. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In Proc. ASE (2005).
12. HUANG, Y.-W., YU, F., HANG, C., TSAI, C.-H., LEE, D.T., AND KUO, S.-Y. Securing web application code by static analysis and runtime protection. In Proc. WWW'04 (2004).
13. KROHN, M., YIP, A., BRODSKY, M., CLIFFER, N., KAASHOEK, M. F., KOHLER, E., AND MORRIS, R. Information flow control for standard OS abstractions. In Proc. SOSP (2007).
14. LI, P., AND ZDANCEWIC, S. Practical information-flow control in web-based information systems. In Proc. CSFW (2005).
15. MYERS, A. C. JFlow: Practical mostly-static information flow control. In Proc. POPL (1999).
16. MYERS, A. C., ZHENG, L., ZDANCEWIC, S., CHONG, S., AND NYSTROM, N. Jif: Java information flow, July 2001. Software release at http://www.cs.cornell.edu/jif.
17. NGUYEN-TUONG, A., GUARNIERI, S., GREENE, D., SHIRLEY, J., AND EVANS, D. Automatically hardening web applications using precise tainting. In Proc. IFIP International Information Security Conference (2005).
18. RIZVI, S., MENDELZON, A., SUDARSHAN, S., AND ROY, P. Extending query rewriting techniques for fine-grained access control. In Proc. SIGMOD (2004).
19. SHARIR, M., AND PNUELI, A. Two approaches to interprocedural data flow analysis. In Program Flow Analysis: Theory and Applications. Prentice-Hall, 1981, pp. 189-233.
20. VOLPANO, D., AND SMITH, G. A type-based approach to program security. In Proc. International Joint Conference on the Theory and Practice of Software Development (1997).
21. XIE, Y., AND AIKEN, A. Static detection of security vulnerabilities in scripting languages. In Proc. USENIX Security (2006).
22. YIP, A., WANG, X., ZELDOVICH, N., AND KAASHOEK, M. F. Improving application security with data flow assertions. In Proc. SOSP (2009).
23. ZELDOVICH, N., BOYD-WICKIZER, S., KOHLER, E., AND MAZIÈRES, D. Making information flow explicit in HiStar. In Proc. OSDI (2006).