Results 1 - 10
of
52
Dynamic vs. static flow-sensitive security analysis
, 2010
"... This paper seeks to answer fundamental questions about trade-offs between static and dynamic security analysis. It has been previously shown that flow-sensitive static information-flow analysis is a natural generalization of flowinsensitive static analysis, which allows accepting more secure program ..."
Abstract
-
Cited by 63 (14 self)
- Add to MetaCart
(Show Context)
This paper seeks to answer fundamental questions about trade-offs between static and dynamic security analysis. It has been previously shown that flow-sensitive static information-flow analysis is a natural generalization of flowinsensitive static analysis, which allows accepting more secure programs. It has been also shown that sound purely dynamic information-flow enforcement is more permissive than static analysis in the flow-insensitive case. We argue that the step from flow-insensitive to flow-sensitive is fundamentally limited for purely dynamic information-flow controls. We prove impossibility of a sound purely dynamic information-flow monitor that accepts programs certified by a classical flow-sensitive static analysis. A side implication is impossibility of permissive dynamic instrumented security semantics for information flow, which guides us to uncover an unsound semantics from the literature. We present a general framework for hybrid mechanisms that is parameterized in the static part and in the reaction method of the enforcement (stop, suppress, or rewrite) and give security guarantees with respect to terminationinsensitive noninterference for a simple language with output.
From dynamic to static and back: Riding the roller coaster of information-flow control research
, 2009
"... Historically, dynamic techniques are the pioneers of the area of information flow in the 70’s. In their seminal work, Denning and Denning suggest a static alternative for information-flow analysis. Following this work, the 90’s see the domination of static techniques for information flow. The common ..."
Abstract
-
Cited by 58 (21 self)
- Add to MetaCart
(Show Context)
Historically, dynamic techniques are the pioneers of the area of information flow in the 70’s. In their seminal work, Denning and Denning suggest a static alternative for information-flow analysis. Following this work, the 90’s see the domination of static techniques for information flow. The common wisdom appears to be that dynamic approaches are not a good match for security since monitoring a single path misses public side effects that could have happened in other paths. Dynamic techniques for information flow are on the rise again, driven by the need for permissiveness in today’s dynamic applications. But they still involve nontrivial static checks for leaks related to control flow. This paper demonstrates that it is possible for a purely dynamic enforcement to be as secure as Denning-style static information-flow analysis, despite the common wisdom. We do have the trade-off that static techniques have benefits of reducing runtime overhead, and dynamic techniques have the benefits of permissiveness (this, for example, is of particular importance in dynamic applications, where freshly generated code is evaluated). But on the security side, we show for a simple imperative language that both Denning-style analysis and dynamic enforcement have the same assurance: termination-insensitive noninterference.
Information-flow security for a core of JavaScript
"... Tracking information flow in dynamic languages remains an important and intricate problem. This paper makes substantial headway toward understanding the main challenges and resolving them. We identify language constructs that constitute a core of JavaScript: objects, higher-order functions, excepti ..."
Abstract
-
Cited by 49 (7 self)
- Add to MetaCart
Tracking information flow in dynamic languages remains an important and intricate problem. This paper makes substantial headway toward understanding the main challenges and resolving them. We identify language constructs that constitute a core of JavaScript: objects, higher-order functions, exceptions, and dynamic code evaluation. The core is powerful enough to naturally encode native constructs as arrays, as well as functionalities of JavaScript’s API from the document object model (DOM) related to document tree manipulation and event processing. As the main contribution, we develop a dynamic type system that guarantees information-flow security for this language.
Permissive dynamic information flow analysis
, 2009
"... A key challenge in dynamic information flow analysis is handling implicit flows, where code conditional on a private variable updates a public variable x. The naive approach of upgrading x to private results in x being partially leaked, where its value contains private data but its label might remai ..."
Abstract
-
Cited by 46 (3 self)
- Add to MetaCart
(Show Context)
A key challenge in dynamic information flow analysis is handling implicit flows, where code conditional on a private variable updates a public variable x. The naive approach of upgrading x to private results in x being partially leaked, where its value contains private data but its label might remain public on an alternative execution (where the conditional update was not performed). Prior work proposed the no-sensitive-upgrade check, which handles implicit flows by prohibiting partially leaked data, but attempts to update a public variable from a private context causes execution to get stuck. To overcome this limitation, we develop a sound yet flexible permissive-upgrade strategy. To prevent information leaks, partially leaked data is permitted but carefully tracked to ensure that it is never totally leaked. This permissiveupgrade strategy is more flexible than the prior approaches such as the no-sensitive-upgrade check. Under the permissive-upgrade strategy, partially leaked data must be marked as private before being used in a conditional test, thereby ensuring that it is private for both the current execution as well as alternate execution paths. This paper also presents a dynamic analysis technique for inferring these privatization operations and inserting them into the program source code. The combination of these techniques allows more programs to run to completion, while still guaranteeing termination-insensitive non-interference in a purely dynamic manner.
Multiple facets for dynamic information flow
- In Proceedings of the 39th Symposium on Principles of Programming Languages
, 2012
"... Abstract JavaScript has become a central technology of the web, but it is also the source of many security problems, including cross-site scripting attacks and malicious advertising code. Central to these problems is the fact that code from untrusted sources runs with full privileges. We implement ..."
Abstract
-
Cited by 36 (1 self)
- Add to MetaCart
(Show Context)
Abstract JavaScript has become a central technology of the web, but it is also the source of many security problems, including cross-site scripting attacks and malicious advertising code. Central to these problems is the fact that code from untrusted sources runs with full privileges. We implement information flow controls in Firefox to help prevent violations of data confidentiality and integrity. Most previous information flow techniques have primarily relied on either static type systems, which are a poor fit for JavaScript, or on dynamic analyses that sometimes get stuck due to problematic implicit flows, even in situations where the target web application correctly satisfies the desired security policy. We introduce faceted values, a new mechanism for providing information flow security in a dynamic manner that overcomes these limitations. Taking inspiration from secure multi-execution, we use faceted values to simultaneously and efficiently simulate multiple executions for different security levels, thus providing non-interference with minimal overhead, and without the reliance on the stuck executions of prior dynamic approaches.
FlowFox: A web browser with flexible and precise information flow control
- in Proc. ACM CCS
, 2012
"... We present FlowFox, the first fully functional web browser that implements a precise and general information flow con-trol mechanism for web scripts based on the technique of se-cure multi-execution. We demonstrate how FlowFox sub-sumes many ad-hoc script containment countermeasures de-veloped over ..."
Abstract
-
Cited by 33 (3 self)
- Add to MetaCart
(Show Context)
We present FlowFox, the first fully functional web browser that implements a precise and general information flow con-trol mechanism for web scripts based on the technique of se-cure multi-execution. We demonstrate how FlowFox sub-sumes many ad-hoc script containment countermeasures de-veloped over the last years. We also show that FlowFox is compatible with the current web, by investigating its be-havior on the Alexa top-500 web sites, many of which make intricate use of JavaScript. The performance and memory cost of FlowFox is sub-stantial (a performance cost of around 20 % on macro bench-marks for a simple two level policy), but not prohibitive. Our prototype implementation shows that information flow enforcement based on secure multi-execution can be imple-mented in full-scale browsers. It can support powerful, yet precise policies refining the same-origin-policy in a way that is compatible with existing websites.
Tracking information flow in dynamic tree structures
, 2009
"... This paper explores the problem of tracking information flow in dynamic tree structures. Motivated by the problem of manipulating the Document Object Model (DOM) trees by browser-run client-side scripts, we address the dynamic nature of interactions via tree structures. We present a runtime enforc ..."
Abstract
-
Cited by 32 (12 self)
- Add to MetaCart
(Show Context)
This paper explores the problem of tracking information flow in dynamic tree structures. Motivated by the problem of manipulating the Document Object Model (DOM) trees by browser-run client-side scripts, we address the dynamic nature of interactions via tree structures. We present a runtime enforcement mechanism that monitors this interaction and prevents a range of attacks, some of them missed by previous approaches, that exploit the tree structure in order to transfer sensitive information. We formalize our approach for a simple language with DOM-like tree operations and show that the monitor prevents scripts from disclosing secrets.
A semantic framework for declassification and endorsement
- In Proc. European Symp. on Programming, LNCS
, 2010
"... Abstract. Language-based information flow methods offer a principled way to enforce strong security properties, but enforcing noninterference is too inflexible for realistic applications. Security-typed languages have therefore introduced declassification mechanisms for relaxing confidentiality poli ..."
Abstract
-
Cited by 28 (5 self)
- Add to MetaCart
(Show Context)
Abstract. Language-based information flow methods offer a principled way to enforce strong security properties, but enforcing noninterference is too inflexible for realistic applications. Security-typed languages have therefore introduced declassification mechanisms for relaxing confidentiality policies, and endorsement mechanisms for relaxing integrity policies. However, a continuing challenge has been to define what security is guaranteed when such mechanisms are used. This paper presents a new semantic framework for expressing security policies for declassification and endorsement in a language-based setting. The key insight is that security can be described in terms of the power that declassification and endorsement give the attacker. The new framework specifies how attackercontrolled code affects program execution and what the attacker is able to learn from observable effects of this code. This approach yields novel security conditions for checked endorsements and robust integrity. The framework is flexible enough to recover and to improve on the previously introduced notions of robustness and qualified robustness. Further, the new security conditions can be soundly enforced by a security type system. The applicability and enforcement of the new policies is illustrated through various examples, including data sanitization and authentication. 1
Information Flow Monitor Inlining
, 2010
"... In recent years it has been shown that dynamic monitoring can be used to soundly enforce information flow policies. For programs distributed in source or bytecode form, the use of JIT compilation makes it difficult to implement monitoring by modifying the language runtime system. An inliner avoids t ..."
Abstract
-
Cited by 26 (0 self)
- Add to MetaCart
(Show Context)
In recent years it has been shown that dynamic monitoring can be used to soundly enforce information flow policies. For programs distributed in source or bytecode form, the use of JIT compilation makes it difficult to implement monitoring by modifying the language runtime system. An inliner avoids this problem and also serves to provide monitoring for more than one runtime. We show how to inline an information flow monitor, specifically a flow sensitive one previously proved to enforce termination insensitive noninterference. We prove that the inlined version is observationally equivalent to the original. 1.
Securing timeout instructions in web applications
- In Proc. IEEE Computer Security Foundations Symposium
, 2009
"... Timeout mechanisms are a useful feature for web applications. However, these mechanisms need to be used with care because, if used as-is, they are vulnerable to timing attacks. This paper focuses on internal timing attacks, a particularly dangerous class of timing attacks, where the attacker needs n ..."
Abstract
-
Cited by 23 (13 self)
- Add to MetaCart
(Show Context)
Timeout mechanisms are a useful feature for web applications. However, these mechanisms need to be used with care because, if used as-is, they are vulnerable to timing attacks. This paper focuses on internal timing attacks, a particularly dangerous class of timing attacks, where the attacker needs no access to a clock. In the context of client-side web application security, we present JavaScript-based exploits against the timeout mechanism of the DOM (document object model), supported by the modern browsers. Our experimental findings reveal rather liberal choices for the timeout semantics by different browsers and motivate the need for a general security solution. We propose a foundation for such a solution in the form of a runtime monitor. We illustrate for a simple language that, while being more permissive than a typical static analysis, the monitor enforces termination-insensitive noninterference. 1.