It is our pleasure to welcome you to the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security (PLAS 2009).
The call for papers attracted 19 submissions: 15 full-length papers, and 4 formal short papers. Authors could choose to submit full-length papers, formal short papers, or informal short papers (which would not be included in the proceedings, and would not preclude publication in other conference venues or journals). Authors could choose to submit their work anonymously; one submission did so.
Each submission received at least three reviews. All reviews were made available to all program committee members, and the final decision on which papers to accept was made after a three-day on-line program committee meeting. Eight long papers and three short ones will appear in the proceedings and be presented at the Workshop.
Proceeding Downloads
Language-based security on Android
In this paper, we initiate a formal study of security on Android: Google's new open-source platform for mobile devices. Specifically, we present a core typed language to describe Android applications, and to reason about their data-flow security ...
ActionScript bytecode verification with co-logic programming
A prototype security policy verification system for ActionScript binaries is presented, whose implementation leverages recent advances in co-logic programming. Our experience with co-logic programming indicates that it is an extremely useful paradigm ...
Encoding information flow in Aura
Two of the main ways to protect security-sensitive resources in computer systems are to enforce access-control policies and information-flow policies. In this paper, we show how to enforce information-flow policies in Aura, which is a programming ...
On PDG-based noninterference and its modular proof
We present the first machine-checked correctness proof for information flow control (IFC) based on program dependence graphs (PDGs). IFC based on slicing and PDGs is flow-sensitive, context-sensitive, and object-sensitive; thus offering more precision ...
Catch me if you can: permissive yet secure error handling
Program errors are a source of information leaks. Tracking these leaks is hard because error propagation breaks out of program structure. Programming languages often feature exception constructs to provide some structure to error handling: for example, ...
A weakest precondition approach to active attacks analysis
Information flow controls can be used to protect both data confidentiality and data integrity. The certification of the security degree of a program that runs in untrusted environments still remains an open problem in language-based security. The notion ...
Measuring channel capacity to distinguish undue influence
The channel capacity of a program is a quantitative measure of the amount of control that the inputs to a program have over its outputs. Because it corresponds to worst-case assumptions about the probability distribution over those inputs, it is ...
An implementation and semantics for transactional memory introspection in Haskell
Transactional Memory Introspection (TMI) is a novel reference monitor architecture that provides complete mediation, freedom from time of check to time of use bugs and improved failure handling for authorization. TMI builds on and integrates with ...
Flow-sensitive semantics for dynamic information flow policies
Dynamic information flow policies, such as declassification, are essential for practically useful information flow control systems. However, most systems proposed to date that handle dynamic information flow policies suffer from a common drawback. They ...
Efficient purely-dynamic information flow analysis
We present a novel approach for efficiently tracking information flow in a dynamically-typed language such as JavaScript. Our approach is purely dynamic, and it detects problems with implicit paths via a dynamic check that avoids the need for an ...
A language for information flow: dynamic tracking in multiple interdependent dimensions
This paper presents λI, a language for dynamic tracking of information flow across multiple, interdependent dimensions of information. Typical dimensions of interest are integrity and confidentiality. λI supports arbitrary domain-specific policies that ...