Citation Context

...c techniques offer benefits of reducing runtime overhead since the security checks are performed before running the program. Another alternative is purely dynamic enforcement (e.g., [20], [50], [43], =-=[4]-=-), that performs dynamic security checks similar to the ones done by static analysis. For example, whenever there is a high variable on the righthand side of an assignment (tracking explicit flows) or...

Citation Context

...itor is purely dynamic. The monitor presented here is at core of (i) the termination-insensitive part of the enforcement of information-release (or declassification) policies by Askarov and Sabelfeld =-=[2]-=- for a language with dynamic code evaluation and communication and (ii) the monitor by Russo and Sabelfeld [18] to secure programs with timeout instructions. 9 Concluding remarks When it comes to info...

Citation Context

...cript. Several papers address challenges that are of particular interest to JavaScript. Russo et al. study information flow analysis in the DOM [34] and timeout mechanisms [32]. Askarov and Sabelfeld =-=[3]-=- cover declassification and analysis of dynamic code evaluation. Magazinius et al. [26] study safe declassification in JavaScript mashups. In his dissertation, Zdancewic [42] first proposed rules for ...

Citation Context

... system. Russo and Sabelfeld [31] discuss the tradeoffs between static and dynamic analyses in some depth. Le Guernic et al. [18] examine code from branches not taken, increasing precision at the expense of run-time performance overhead. Shroff et al. [34] use a purely-dynamic analysis to track variable dependencies and reject more insecure programs over time. Zdancewic [40] uses integrity labels to provide robust declassification. Askarov and Myers [2] consider checked endorsements. Chong and Myers [10] use a framework for application-specific declassification policies. Askarov and Sabelfeld [3] study a declassification framework specifying what and where data is released. Vaughan and Chong [35] infer declassification policies for Java programs. Askarov et al. [1] highlight complications of intermediary output channels. Rafnnson et al. [29] buffer output to reduce data lost from intermediary output channels and termination behavior. King et al. [24] study false alarms caused by implicit flows. 8. Discussion Information flow non-interference is a tricky security property to enforce via dynamic monitoring, since it is a 2-safety property: non-interference can be refuted only by observi...

Citation Context

...ow security, often with a particular focus on JavaScript, or on the web context. Sabelfeld et al. have proposed monitoring algorithms that can handle DOM-like structures [37], dynamic code evaluation =-=[3]-=- and timeouts [36]. In a very recent paper, Hedin and Sabelfeld [21] propose dynamic mechanisms for all the core JavaScript language features. Austin and Flanagan [4] have developed alternative, somet...

Citation Context

...ent in the monitor rule for event ⊕e →. Then, let us consider the executions of the program (if h then new→(h ′) else skip); remove→; move→; l := value with the given tree t = {[1] ↦→ ⋆, [1, 1] ↦→ ⋆, =-=[1, 2]-=- ↦→ 0, [1, 3] ↦→ 1}, where each node is associated with the type LL and the initial actual working node set to [1, 1] (symbol ⋆ represents any value). Observe that when h is true, the first instructio...

Citation Context

... Knowledge is monotonic in the number of low events: as the program produces low events, the attacker may learn more about secrets. Two extensions of attacker knowledge are useful: progress knowledge =-=[1, 3]-=- and divergence knowledge [1]. Definition 2 (Progress knowledge) Given a sequence of low events ℓ, initial low memory mP, and a program c, define progress knowledge k→(c, mP, ℓ) as k→(c, mP, ℓ) ...

Citation Context

..., the ubiquitous use of dynamic code generation (i.e. eval) is a serious impediment to static analysis (though it is not impossible [8]). In theory, runtime monitoring is better suited to handle eval =-=[3]-=-. Runtime monitoring for an interpreted language like JavaScript or Java is in principle easier than monitoring at the hardware level: complete mediation can be achieved by modifications of the langua...

Citation Context

...ninsensitive noninterference [42]. For similarly-spirited work on dynamic information-flow control for systems with declassification and DOM tree operations, we refer to work by Askarov and Sabelfeld =-=[8]-=- and Russo et al. [37], respectively. The compositional nature of the underlying monitor enables a natural combination of these enforcement techniques (which do not address timing issues) with the one...