Results 1 - 10 of 46
On the Limits of Information Flow Techniques for Malware Analysis and Containment
Cited by 52 (1 self)
Abstract. Taint-tracking is emerging as a general technique in software security to complement virtualization and static analysis. It has been applied for accurate detection of a wide range of attacks on benign software, as well as in malware defense. Although it is quite robust for tackling the former problem, application of taint analysis to untrusted (and potentially malicious) software is riddled with several difficulties that lead to gaping holes in defense. These holes arise not only due to the limitations of information flow analysis techniques, but also the nature of today’s software architectures and distribution models. This paper highlights these problems using an array of simple but powerful evasion techniques that can easily defeat taint-tracking defenses. Given today’s binary-based software distribution and deployment models, our results suggest that information flow techniques will be of limited use against future malware that has been designed with the intent of evading these defenses.
A framework for static detection of privacy leaks in android applications
In Proceedings of the 27th Annual ACM Symposium on Applied Computing, SAC ’12, 2012
Cited by 22 (2 self)
We report on applying techniques for static information flow analysis to identify privacy leaks in Android applications. We have crafted a framework which checks with the help of a security type system whether the Dalvik bytecode implementation of an Android app conforms to a given privacy policy. We have carefully analyzed the Android API for possible sources and sinks of private data and identified exemplary privacy policies based on this. We demonstrate the applicability of our framework on two case studies showing detection of privacy leaks.
Type-preserving Compilation for End-to-end Verification of Security Enforcement
Cited by 22 (7 self)
A number of programming languages use rich type systems to verify security properties of code. Some of these languages are meant for source programming, but programs written in these languages are compiled without explicit security proofs, limiting their utility in settings where proofs are necessary, e.g., proof-carrying authorization. Other languages do include explicit proofs, but these are generally lambda calculi not intended for source programming, that must be further compiled to an executable form. A language suitable for source programming backed by a compiler that enables end-to-end verification is missing. In this paper, we present a type-preserving compiler that translates programs written in FINE, a source-level functional language with dependent refinements and affine types, to DCIL, a new extension of the .NET Common Intermediate Language. FINE is type checked using an external SMT solver to reduce the proof burden on source programmers. We extract explicit LCF-style proof terms from the solver and carry these proof terms in the compilation to DCIL, thereby removing the solver from the trusted computing base. Explicit proofs enable DCIL to be used in a number of important scenarios, including the verification of mobile code, proof-carrying authorization, and evidence-based auditing. We report on our experience using FINE to build reference monitors for several applications, ranging from a plugin-based email client to a conference management server.
Security of Multithreaded Programs by Compilation
Cited by 20 (6 self)
Motivation. Information security is a pressing challenge for mobile code technologies. Current security architectures provide no end-to-end security guarantees for mobile code: such code may either intentionally or accidentally propagate sensitive information to an adversary. However, recent progress in the area of language-based
A Verified Information-Flow Architecture
2013
Cited by 17 (5 self)
SAFE is a clean-slate effort to build a highly secure computer system, including pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine, on which user programs can label sensitive data with rich confidentiality and integrity policies. We present a formal, machine-checked model of the key information-flow mechanisms of the SAFE hardware and software, together with an end-to-end proof of noninterference for this model.
Catch me if you can: Permissive yet secure error handling
2009
Cited by 8 (2 self)
Program errors are a source of information leaks. Tracking these leaks is hard because error propagation breaks out of program structure. Programming languages often feature exception constructs to provide some structure to error handling: for example, the try...catch blocks in Java and Caml. Mainstream information-flow security compilers such as Jif and FlowCaml enforce rigid rules for exceptions in order to prevent leaks via public side effects of computation whose reachability depends on exceptions. This paper presents a general and permissive alternative to the rigid solution: the programmer is offered a choice for each type of error/exception whether to handle it or not. The security mechanism ensures that, in the former case, it is never handled and, in the latter case, it is always handled with the mainstream restrictions. This mechanism extends naturally to a language with procedures and output, where we show the soundness of the mechanism with respect to termination-insensitive noninterference.
Tractable enforcement of declassification policies
In Proc. IEEE Computer Security Foundations Symposium, 2008
Cited by 8 (0 self)
Formalizing appropriate information policies that authorize some controlled form of information release, and providing sound analyses for these policies is a necessary step towards practical applications of language-based security. We propose a modular method to enhance noninterference type systems to support controlled forms of information release that combine the what and where dimensions of declassification. As a case study, we derive from earlier work on non-interference type systems new type systems that soundly enforce declassification policies for sequential fragments of the Java Virtual Machine. Our work provides the first modular method to define sound type systems for declassification policies, and the first instance of a sound type system that supports declassification policies for unstructured languages.
Noninterference with dynamic security domains and policies
In 13th Asian Computing Science Conference, Focusing on Information Security and Privacy, 2009
Cited by 7 (0 self)
Abstract. Language-based information flow analysis is used to statically examine a program for information flows between objects of different security domains, and to verify these flows follow a given policy. When the program is distributed as mobile code, it may access resources whose domains depend on the client environment, or may face different security policies. In proof-carrying code scenarios, it is desirable to give a single proof that the program executes securely in any of these situations. This paper presents an object-oriented, Java-like language with runtime security types that can be inspected to ensure that flows between accessed objects are actually allowed before operations inducing these flows are performed. A type system is used to statically prove that the flow tests included in the program are sufficient, such that a noninterference property for the program is ensured regardless of the domains of objects and the effective security policy. Also, the paper outlines how the concepts of the type system are transferred to a bytecode language.
Mobius: Mobility, ubiquity, security: Objectives and progress report
In Trustworthy Global Computing ’06, LNCS, 2007
Cited by 6 (5 self)
Through their global, uniform provision of services and their distributed nature, global computers have the potential to profoundly enhance our daily life. However, they will not realize their full potential, unless the necessary levels of trust and security can be guaranteed. The goal of the MOBIUS project is to develop a Proof Carrying Code architecture to secure global computers that consist of Java-enabled mobile devices. In this progress report, we detail its objectives and provide a snapshot of the project results during its first year of activity.
Proving information flow noninterference by reusing a machine-checked correctness proof for slicing
In 6th International Verification Workshop, VERIFY-2010
Cited by 5 (0 self)
We present a machine-checked correctness proof for information flow noninterference based on interprocedural slicing. It reuses a correctness proof of the context-sensitive interprocedural slicing algorithm of Horwitz, Reps, and Binkley. The underlying slicing framework is modular in the programming language used; by instantiating this framework the correctness proofs hold for the respective language, without reproving anything in the correctness proofs for slicing and noninterference. We present instantiations with two different languages to show the applicability of the framework, and thus a verified noninterference algorithm for these languages. The formalization and proofs are conducted in the proof assistant Isabelle/HOL.