DOI: 10.1145/2637113.2637116
Research article

Generalizing Permissive-Upgrade in Dynamic Information Flow Analysis

Published: 28 July 2014

Abstract

Preventing implicit information flows by dynamic program analysis requires coarse approximations that result in false positives, because a dynamic monitor sees only the executed trace of the program. One widely deployed method is the no-sensitive-upgrade check, which terminates a program whenever a variable's taint is upgraded (made more sensitive) due to a control dependence on tainted data. Although sound, this method is restrictive, e.g., it terminates the program even if the upgraded variable is never used subsequently. To counter this, Austin and Flanagan introduced the permissive-upgrade check, which allows a variable upgrade due to control dependence, but marks the variable "partially-leaked". The program is stopped later if it tries to use the partially-leaked variable. Permissive-upgrade handles the dead-variable assignment problem and remains sound. However, Austin and Flanagan develop permissive-upgrade only for a two-point (low-high) security lattice and indicate a generalization to pointwise products of such lattices. In this paper, we develop a non-trivial and non-obvious generalization of permissive-upgrade to arbitrary lattices. The key difficulty lies in finding a suitable notion of partial leaks that is both sound and permissive and in developing a suitable definition of memory equivalence that allows an inductive proof of soundness.
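The two checks the abstract contrasts, worked through in a toy monitor. This is an added example written for this page, not code from the paper or from Austin and Flanagan, and it covers only the two-point lattice (L below H) whose generalization the paper develops. Everything about its shape is an assumption of the example: the `Monitor` class with `assign`, `branch` and `output_low`, the `P` label used as the partially-leaked marker, and the three constructed scenario programs. Scenario 1 is the abstract's dead-variable assignment, on which NSU stops and PU continues; scenario 2 uses the upgraded variable later as a branch guard, where PU stops; scenario 3 overwrites the partially-leaked variable under public control, after which PU treats it as public again.

```python
# Toy dynamic IFC monitor over the two-point lattice L (public) below H (secret),
# comparing no-sensitive-upgrade (NSU) with permissive-upgrade (PU). Added example.
from contextlib import contextmanager

L, H, P = "L", "H", "P"   # P: PU's "partially-leaked" marker (assumed name)

class MonitorStop(Exception):
    """Raised when the monitor terminates the program."""

def join(a, b):
    """Least upper bound of two labels; P absorbs everything else."""
    if P in (a, b):
        return P
    return H if H in (a, b) else L

class Monitor:
    def __init__(self, policy):
        self.policy = policy   # "nsu" or "pu"
        self.env = {}          # variable name -> (value, label)
        self.pc = L            # label of the current control context

    def assign(self, name, value, label):
        """x := e, where `label` is the label of e. The security check lives here."""
        current = self.env.get(name, (None, L))[1]
        if self.pc == H and current == L:
            if self.policy == "nsu":   # NSU: refuse to upgrade under secret control
                raise MonitorStop(f"NSU: upgrade of public variable {name!r} under secret control")
            new = P                    # PU: allow it, but remember x may now carry a leak
        elif self.pc == H and current == P:
            new = P                    # still partially leaked
        else:
            new = join(label, self.pc) # covers a public-context overwrite of a P variable
        self.env[name] = (value, new)

    @contextmanager
    def branch(self, cond_label):
        """Enter a conditional whose guard carries cond_label."""
        if cond_label == P:
            raise MonitorStop("PU: branching on a partially-leaked value")
        saved, self.pc = self.pc, join(self.pc, cond_label)
        try:
            yield
        finally:
            self.pc = saved

    def output_low(self, name):
        """Send a variable to the public channel; only L-labelled data may leave."""
        value, label = self.env[name]
        if label != L:
            raise MonitorStop(f"output of {label}-labelled {name!r} on the public channel")
        return value

def run(policy, program):
    """Run program(monitor, outputs); returns ('ok', outputs) or ('stopped', reason)."""
    monitor, outputs = Monitor(policy), []
    try:
        program(monitor, outputs)
        return ("ok", outputs)
    except MonitorStop as stop:
        return ("stopped", str(stop))

def dead_variable_assignment(m, out):
    """Constructed scenario 1: x is upgraded under secret control, then never used."""
    m.assign("h", True, H)
    m.assign("x", False, L)
    m.assign("y", 7, L)
    hv, hl = m.env["h"]
    with m.branch(hl):
        if hv:
            m.assign("x", True, L)   # NSU stops here; PU marks x as P and continues
    out.append(m.output_low("y"))    # y is untouched public data

def later_use(m, out):
    """Constructed scenario 2: the upgraded x is used later as a branch guard."""
    m.assign("h", True, H)
    m.assign("x", False, L)
    hv, hl = m.env["h"]
    with m.branch(hl):
        if hv:
            m.assign("x", True, L)
    xv, xl = m.env["x"]
    with m.branch(xl):                # PU stops here: the guard is partially leaked
        if not xv:
            m.assign("y", True, L)
    out.append(m.output_low("y"))

def overwrite_then_use(m, out):
    """Constructed scenario 3: a P variable overwritten in public context is public again."""
    m.assign("h", True, H)
    m.assign("x", False, L)
    hv, hl = m.env["h"]
    with m.branch(hl):
        if hv:
            m.assign("x", True, L)
    m.assign("x", 0, L)              # public overwrite outside secret control
    out.append(m.output_low("x"))
```

Calling `run("nsu", dead_variable_assignment)` stops at the upgrade, while `run("pu", dead_variable_assignment)` returns `("ok", [7])`; `run("pu", later_use)` stops only when the partially-leaked guard is tested, and `run("pu", overwrite_then_use)` returns `("ok", [0])`. Because the monitor only sees the executed trace, running either scenario with `h` false would pass under both policies; that one-bit difference between "stopped" and "ran" is the termination channel the abstract's "sound" refers to as already accounted for.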

References

[1] A. Askarov and A. Sabelfeld. Tight enforcement of information-release policies for dynamic languages. In Proc. IEEE Computer Security Foundations Symposium (CSF), pages 43--59, 2009.
[2] A. Askarov, S. Hunt, A. Sabelfeld, and D. Sands. Termination-insensitive noninterference leaks more than just a bit. In Proc. European Symposium on Research in Computer Security (ESORICS), pages 333--348, 2008.
[3] T. H. Austin and C. Flanagan. Efficient purely-dynamic information flow analysis. In Proc. ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), pages 113--124, 2009.
[4] T. H. Austin and C. Flanagan. Permissive dynamic information flow analysis. In Proc. ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), pages 3:1--3:12, 2010.
[5] A. Bichhawat, V. Rajani, D. Garg, and C. Hammer. Information flow control in WebKit's JavaScript bytecode. In Proc. Conference on Principles of Security and Trust (POST), pages 159--178, 2014.
[6] A. Birgisson, D. Hedin, and A. Sabelfeld. Boosting the permissiveness of dynamic information-flow tracking by testing. In Proc. European Symposium on Research in Computer Security (ESORICS), pages 55--72, 2012.
[7] P. Buiras, D. Stefan, A. Russo, and D. Mazières. On dynamic flow-sensitive floating-label systems. In Proc. IEEE Computer Security Foundations Symposium (CSF), 2014. To appear.
[8] R. Chugh, J. A. Meister, R. Jhala, and S. Lerner. Staged information flow for JavaScript. In Proc. ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pages 50--62, 2009.
[9] D. E. Denning and P. J. Denning. Certification of programs for secure information flow. Communications of the ACM, 20(7):504--513, July 1977.
[10] D. Devriese and F. Piessens. Noninterference through secure multi-execution. In Proc. IEEE Symposium on Security and Privacy (Oakland), pages 109--124, 2010.
[11] S. Guarnieri, M. Pistoia, O. Tripp, J. Dolby, S. Teilhet, and R. Berg. Saving the World Wide Web from vulnerable JavaScript. In Proc. International Symposium on Software Testing and Analysis (ISSTA), pages 177--187, 2011.
[12] G. Le Guernic, A. Banerjee, T. Jensen, and D. A. Schmidt. Automata-based confidentiality monitoring. In Proc. Asian Computing Science Conference on Secure Software (ASIAN), pages 75--89, 2006.
[13] D. Hedin and A. Sabelfeld. Information-flow security for a core of JavaScript. In Proc. IEEE Computer Security Foundations Symposium (CSF), pages 3--18, 2012.
[14] C. Hritcu, M. Greenberg, B. Karel, B. C. Pierce, and G. Morrisett. All your IFCException are belong to us. In Proc. IEEE Symposium on Security and Privacy (Oakland), pages 3--17, 2013.
[15] S. Hunt and D. Sands. On flow-sensitive security types. In Proc. ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), pages 79--90, 2006.
[16] G. Le Guernic. Automaton-based confidentiality monitoring of concurrent programs. In Proc. IEEE Computer Security Foundations Symposium (CSF), pages 218--232, 2007.
[17] A. C. Myers. JFlow: Practical mostly-static information flow control. In Proc. ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), pages 228--241, 1999.
[18] F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross-site scripting prevention with dynamic data tainting and static analysis. In Proc. Network and Distributed System Security Symposium (NDSS), 2007.
[19] A. Russo and A. Sabelfeld. Dynamic vs. static flow-sensitive security analysis. In Proc. IEEE Computer Security Foundations Symposium (CSF), pages 186--199, 2010.
[20] A. Sabelfeld and A. Russo. From dynamic to static and back: Riding the roller coaster of information-flow control research. In Proc. Perspectives of Systems Informatics (PSI), pages 352--365, 2010.
[21] D. Volpano, C. Irvine, and G. Smith. A sound type system for secure flow analysis. Journal of Computer Security, 4(2-3):167--187, 1996.
[22] S. A. Zdancewic. Programming Languages for Information Security. PhD thesis, Cornell University, 2002.



    Published In

    PLAS'14: Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security
    July 2014, 83 pages
    ISBN: 9781450328623
    DOI: 10.1145/2637113
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 28 July 2014

    Author Tags

    1. Dynamic information flow control
    2. partial leak
    3. permissive-upgrade
    4. security lattice

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    ECOOP '14

    Acceptance Rates

    PLAS'14 Paper Acceptance Rate 6 of 10 submissions, 60%;
    Overall Acceptance Rate 43 of 77 submissions, 56%

    Article Metrics

    • Downloads (Last 12 months)6
    • Downloads (Last 6 weeks)1
    Reflects downloads up to 28 Dec 2024

    Cited By

    • (2021) Permissive runtime information flow control in the presence of exceptions. Journal of Computer Security 29(4):361-401. DOI: 10.3233/JCS-211385. Online publication date: 1-Jan-2021
    • (2021) Gradual Security Types and Gradual Guarantees. 2021 IEEE 34th Computer Security Foundations Symposium (CSF), pages 1-16. DOI: 10.1109/CSF51468.2021.00015. Online publication date: Jul-2021
    • (2019) Beyond Labels: Permissiveness for Dynamic Information Flow Enforcement. 2019 IEEE 32nd Computer Security Foundations Symposium (CSF), pages 351-35115. DOI: 10.1109/CSF.2019.00031. Online publication date: Jul-2019
    • (2018) A Better Facet of Dynamic Information Flow Control. Companion Proceedings of The Web Conference 2018, pages 731-739. DOI: 10.1145/3184558.3185979. Online publication date: 23-Apr-2018
    • (2018) Practical Information Flow Control for Web Applications. Runtime Verification, pages 372-388. DOI: 10.1007/978-3-030-03769-7_21. Online publication date: 8-Nov-2018
    • (2017) Using Precise Taint Tracking for Auto-sanitization. Proceedings of the 2017 Workshop on Programming Languages and Analysis for Security, pages 15-24. DOI: 10.1145/3139337.3139341. Online publication date: 30-Oct-2017
    • (2017) Multiple Facets for Dynamic Information Flow with Exceptions. ACM Transactions on Programming Languages and Systems 39(3):1-56. DOI: 10.1145/3024086. Online publication date: 10-May-2017
    • (2016) A Taxonomy of Information Flow Monitors. Proceedings of the 5th International Conference on Principles of Security and Trust, Volume 9635, pages 46-67. DOI: 10.5555/3089491.3089495. Online publication date: 2-Apr-2016
    • (2016) Information-flow security for JavaScript and its APIs. Journal of Computer Security 24(2):181-234. DOI: 10.3233/JCS-160544. Online publication date: 19-Apr-2016
    • (2016) A verified information-flow architecture. Journal of Computer Security 24(6):689-734. DOI: 10.3233/JCS-15784. Online publication date: 1-Dec-2016
