Dynamic vs. static flow-sensitive security analysis (2010)

by Alejandro Russo, Andrei Sabelfeld
Citations: 63 - 14 self

Citations

965 Security policies and security models - Goguen, Meseguer - 1982

Citation Context

...n both server and client side. Information-flow controls focus on preventing leaks of information from secret (or high) to public (or low) data. The desirable baseline policy is noninterference [16], [21], which demands that there is no dependence of public outputs on secret inputs. Two basic kinds of information flows through program constructs are explicit and implicit flows. Information is passed e...

828 Language-based information-flow security - Sabelfeld, Myers

Citation Context

... a simple language with output. I. INTRODUCTION Information-flow controls offer a promising approach to security enforcement, where the goal is to prevent disclosure of sensitive data by applications [42]. Several information-flow tools have been developed for mainstream languages, e.g., Java-based Jif [35], Caml-based FlowCaml [46], and Ada-based SPARK Examiner [8], [11], as well as case studies [46],...

613 Cryptography and Data Security - Denning - 1982

Citation Context

...n expression that does not involve high variables. As a result, the value of secret is leaked into public, which is missed by the monitor. While similar examples have appeared in the literature [20], [17], [49], [10], the contribution of this paper is to formally pin down the essence of the problem: We prove impossibility of a sound purely dynamic information-flow monitor that accepts programs certifi...

606 Enforceable security policies - Schneider

Citation Context

...ables in high context. It is known that noninterference is not a safety property [33], [47]. Precise characterizations of what can be enforced by monitoring have been studied in the literature (e.g., [44], [22]), where noninterference is discussed as an example of a policy that cannot be enforced precisely by dynamic mechanisms. However, the focus of this paper is on enforcing permissive yet safe appr...

540 A sound type system for secure flow analysis - Volpano, Smith, et al. - 1996

Citation Context

...ls concentrate on preventing explicit and implicit flows in order to guarantee noninterference. One alternative to prevent explicit and implicit flows is purely static Denning-style enforcement [18], [52], [42]. For example, each assignment is checked for the following property: the level of the assigned variable must be high in case there is a high variable on the right-hand side of the assignment (t...

532 A Note on the Confinement Problem - Lampson - 1973

490 Certification of programs for secure information flow - Denning, Denning - 1977

Citation Context

... high and low security levels, respectively. For example, program public := secret exhibits an explicit flow from secret to public. Information is passed via control-flow structure in an implicit flow [18]. For example, program if secret then public := 1 has an implicit flow. Whether the assignment to the public variable is performed depends on a secret. Let us call a conditional or loop high if its gu...

302 The Formal Semantics of Programming Languages: An Introduction - Winskel - 1993

261 Towards a Practical Programming Language Based on Dependent Type Theory - Norell

Citation Context

... to choose a termination-insensitive security condition comes from the fact that termination is difficult to track in practice. Program errors make the problem even worse. Even in languages like Agda [36], where it is impossible to write nonterminating programs, it is possible to write programs that terminate abnormally: for example, with a stack overflow. It is not difficult to imagine monitors that ...

234 Securing web application code by static analysis and runtime protection - Huang, Yu, et al. - 2004

Citation Context

...the problem with the formal impossibility result. Tracking information flow in web applications is becoming increasingly important (e.g., recent highlights are a server-side mechanism by Huang et al. [24] and a client-side mechanism for JavaScript by Vogt et al. [49], although they do not discuss soundness). Dynamism of web applications puts higher demands on the permissiveness of the security mechani...

193 High Integrity Software: The SPARK Approach to Safety and Security - Barnes - 2003

Citation Context

...e of sensitive data by applications [42]. Several information-flow tools have been developed for mainstream languages, e.g., Java-based Jif [35], Caml-based FlowCaml [46], and Ada-based SPARK Examiner [8], [11], as well as case studies [46], [3], [23], [13], [12], [15], [38]. Information-flow analysis is becoming particularly attractive for web applications (e.g., [13], [12], [49], [30]), where the chal...

189 A general theory of composition for trace sets closed under selective interleaving functions - McLean - 1994

Citation Context

...in case the assigned variable is high. This mechanism dynamically keeps a simple invariant of no assignment to low variables in high context. It is known that noninterference is not a safety property [33], [47]. Precise characterizations of what can be enforced by monitoring have been studied in the literature (e.g., [44], [22]), where noninterference is discussed as an example of a policy that cannot...

144 Edit automata: enforcement mechanisms for run-time security policies - Ligatti, Bauer, et al. - 2005

Citation Context

...ms by Le Guernic et al. for sequential [28] and concurrent [27] programs are flow-sensitive. Section VI shows how to represent the monitor [28] for sequential programs in our framework. Ligatti et al. [29] present a general framework for security policies that can be enforced by monitoring and modifying programs at runtime. The authors introduce the notion of edit automata, i.e., monitors that can stop...

142 Jif: Java information flow. Software release. Located at http://www.cs.cornell.edu/jif - Myers, Zheng, et al. - 2001

Citation Context

... security enforcement, where the goal is to prevent disclosure of sensitive data by applications [42]. Several information-flow tools have been developed for mainstream languages, e.g., Java-based Jif [35], Caml-based FlowCaml [46], and Ada-based SPARK Examiner [8], [11], as well as case studies [46], [3], [23], [13], [12], [15], [38]. Information-flow analysis is becoming particularly attractive for we...

133 Secure web applications via automatic partitioning - Chong, Liu, et al. - 2007

Citation Context

...ion-flow tools have been developed for mainstream languages, e.g., Java-based Jif [35], Caml-based FlowCaml [46], and Ada-based SPARK Examiner [8], [11], as well as case studies [46], [3], [23], [13], [12], [15], [38]. Information-flow analysis is becoming particularly attractive for web applications (e.g., [13], [12], [49], [30]), where the challenge is to secure the manipulation of secret and public da...

112 Computability classes for enforcement mechanisms - Hamlen, Morrisett, et al. - 2006

Citation Context

...in high context. It is known that noninterference is not a safety property [33], [47]. Precise characterizations of what can be enforced by monitoring have been studied in the literature (e.g., [44], [22]), where noninterference is discussed as an example of a policy that cannot be enforced precisely by dynamic mechanisms. However, the focus of this paper is on enforcing permissive yet safe approximat...

104 Cross-site scripting prevention with dynamic data tainting and static analysis - Vogt, Nentwich, et al. - 2007

Citation Context

...da-based SPARK Examiner [8], [11], as well as case studies [46], [3], [23], [13], [12], [15], [38]. Information-flow analysis is becoming particularly attractive for web applications (e.g., [13], [12], [49], [30]), where the challenge is to secure the manipulation of secret and public data on both server and client side. Information-flow controls focus on preventing leaks of information from secret (or ...

94 Memoryless subsystems - Fenton - 1974

Citation Context

...s and loops. Static techniques offer benefits of reducing runtime overhead since the security checks are performed before running the program. Another alternative is purely dynamic enforcement (e.g., [20], [50], [43], [4]), that performs dynamic security checks similar to the ones done by static analysis. For example, whenever there is a high variable on the right-hand side of an assignment (tracking e...

93 On flow-sensitive security types - Hunt, Sands - 2006

Citation Context

...nstant 0. However, a flow-insensitive analysis (e.g., [52]) rejects this program because it has an insecure subprogram. On the other hand, this program is accepted by a flow-sensitive analysis (e.g., [25]) because the level of variable secret is relabeled to low after the first assignment. Hunt and Sands [25] have shown that flow-sensitive static information-flow analysis is a natural generalization o...

90 Eliminating covert flows with minimum typings - Volpano, Smith - 1997

Citation Context

...hybrid monitors and for flow-insensitive purely dynamic monitors, but not for flow-sensitive purely dynamic monitors. We conjecture that our results also hold for termination-sensitive noninterference [51], [42], where the termination behavior should not depend on secret data. The termination behavior is hard to control dynamically—no matter if the mechanism is flow-sensitive or insensitive—and so it i...

87 SIF: Enforcing confidentiality and integrity in web applications - Chong, Vikram, et al. - 2007

Citation Context

...formation-flow tools have been developed for mainstream languages, e.g., Java-based Jif [35], Caml-based FlowCaml [46], and Ada-based SPARK Examiner [8], [11], as well as case studies [46], [3], [23], [13], [12], [15], [38]. Information-flow analysis is becoming particularly attractive for web applications (e.g., [13], [12], [49], [30]), where the challenge is to secure the manipulation of secret and pub...

86 Secure Information Flow as a Safety Problem - Terauchi, Aiken - 2005

Citation Context

...e the assigned variable is high. This mechanism dynamically keeps a simple invariant of no assignment to low variables in high context. It is known that noninterference is not a safety property [33], [47]. Precise characterizations of what can be enforced by monitoring have been studied in the literature (e.g., [44], [22]), where noninterference is discussed as an example of a policy that cannot be en...

79 Information transmission in sequential programs - Cohen - 1978

Citation Context

...data on both server and client side. Information-flow controls focus on preventing leaks of information from secret (or high) to public (or low) data. The desirable baseline policy is noninterference [16], [21], which demands that there is no dependence of public outputs on secret inputs. Two basic kinds of information flows through program constructs are explicit and implicit flows. Information is pa...

75 Termination-insensitive noninterference leaks more than just a bit - Askarov, Hunt, et al. - 2008

Citation Context

...es realized by security type systems and dynamic analysis realized by monitors. Figure 2(a) depicts the set inclusion for programs accepted by flow-insensitive mechanisms: a Denning-style type system [1] and a simple flow-insensitive monitor [43]. Both are sound [1], [43], and the monitor accepts the runs of a set of programs that is strictly larger than the set of typable programs [43]. So, ...

75 An axiomatic approach to information flow in programs - Andrews, Reitman - 1980

67 Efficient purely-dynamic information flow analysis - Austin, Flanagan - 2009

Citation Context

...elfeld [39] show how to secure programs with timeout instructions using execution monitoring. Russo et al. [41] investigate monitoring information flow in dynamic tree structures. Austin and Flanagan [5], [6] suggest a purely dynamic monitor for information flow with a limited form of flow sensitivity. They discuss two disciplines: no sensitive-upgrade, where the execution gets stuck on an attempt to...

59 Automata-based confidentiality monitoring - Guernic, Banerjee, et al. - 2006

Citation Context

...es are assigned security levels at the beginning of the execution and this assignment is kept unchanged during the execution). Fusion of static and dynamic techniques is becoming increasingly popular [28], [45], [27], [49]. These techniques offer benefits of increasing permissiveness because more information on the actual execution trace is available at runtime, while keeping runtime overhead moderate...

58 From dynamic to static and back: Riding the roller coaster of information-flow control research - Sabelfeld, Russo - 2009

57 The Specification and Modeling of Computer Security - McLean - 1990

Citation Context

...antics is similar to monitoring, but its intention is different: in contrast to monitoring, they are supposed to specify security, not enforce it. This is as opposed to extensional security semantics [32], which defines security in terms of relations between inputs and outputs, as done in this paper. We observe that it is impossible to define permissive dynamic instrumented security semantics, which c...

52 Tight enforcement of information-release policies for dynamic languages - Askarov, Sabelfeld - 2009

Citation Context

...c techniques offer benefits of reducing runtime overhead since the security checks are performed before running the program. Another alternative is purely dynamic enforcement (e.g., [20], [50], [43], [4]), that performs dynamic security checks similar to the ones done by static analysis. For example, whenever there is a high variable on the right-hand side of an assignment (tracking explicit flows) or...

52 On the limits of information flow techniques for malware analysis and containment - Cavallaro, Saxena, et al. - 2008

Citation Context

... that does not involve high variables. As a result, the value of secret is leaked into public, which is missed by the monitor. While similar examples have appeared in the literature [20], [17], [49], [10], the contribution of this paper is to formally pin down the essence of the problem: We prove impossibility of a sound purely dynamic information-flow monitor that accepts programs certified by Hunt a...

46 Permissive dynamic information flow analysis - Austin, Flanagan - 2010

Citation Context

... The exact policies that are enforced might just as well be safety properties (or not), but, importantly, they must guarantee noninterference. Recently, it has been shown (e.g., [43], [5], [4], [39], [6]) that purely dynamic monitors can enforce the same security policy as Denning-style static analysis: termination-insensitive noninterference. In addition, Sabelfeld and Russo [43] prove that sound pur...

42 Safety versus secrecy - Volpano - 1999

41 Dynamic dependency monitoring to secure information flow - Shroff, Smith, et al. - 2007

Citation Context

... assigned security levels at the beginning of the execution and this assignment is kept unchanged during the execution). Fusion of static and dynamic techniques is becoming increasingly popular [28], [45], [27], [49]. These techniques offer benefits of increasing permissiveness because more information on the actual execution trace is available at runtime, while keeping runtime overhead moderate as so...

37 The Flow Caml system. Software release. Located at http://cristal.inria.fr/~simonet/soft/flowcaml - Simonet - 2003

Citation Context

...re the goal is to prevent disclosure of sensitive data by applications [42]. Several information-flow tools have been developed for mainstream languages, e.g., Java-based Jif [35], Caml-based FlowCaml [46], and Ada-based SPARK Examiner [8], [11], as well as case studies [46], [3], [23], [13], [12], [15], [38]. Information-flow analysis is becoming particularly attractive for web applications (e.g., [13],...

33 A library for light-weight information-flow security in Haskell - Russo, Claessen, et al. - 2008

32 Tracking information flow in dynamic tree structures - Russo, Sabelfeld, et al. - 2009

Citation Context

...e respective monitored execution runs until some command c'' that represents c' modulo auxiliary commands that might be used by the monitor (Strip(c'') = c'). Some monitors (e.g., [43], [4], [39], [41]) rely on auxiliary commands to help the information-flow analysis, for example, to detect join points. We assume that no auxiliary commands are necessary for terminated programs (Strip(stop) = stop)....

31 Enforcing Security and Safety Models with an Information Flow Analysis Tool - Chapman, Hilton

Citation Context

...sensitive data by applications [42]. Several information-flow tools have been developed for mainstream languages, e.g., Java-based Jif [35], Caml-based FlowCaml [46], and Ada-based SPARK Examiner [8], [11], as well as case studies [46], [3], [23], [13], [12], [15], [38]. Information-flow analysis is becoming particularly attractive for web applications (e.g., [13], [12], [49], [30]), where the challenge ...

30 Security-typed languages for implementation of cryptographic protocols: A case study - Askarov, Sabelfeld - 2005

Citation Context

... Several information-flow tools have been developed for mainstream languages, e.g., Java-based Jif [35], Caml-based FlowCaml [46], and Ada-based SPARK Examiner [8], [11], as well as case studies [46], [3], [23], [13], [12], [15], [38]. Information-flow analysis is becoming particularly attractive for web applications (e.g., [13], [12], [49], [30]), where the challenge is to secure the manipulation of se...

30 Understanding practical application development in security-typed languages - Hicks, Ahmadizadeh, et al. - 2006

Citation Context

...ral information-flow tools have been developed for mainstream languages, e.g., Java-based Jif [35], Caml-based FlowCaml [46], and Ada-based SPARK Examiner [8], [11], as well as case studies [46], [3], [23], [13], [12], [15], [38]. Information-flow analysis is becoming particularly attractive for web applications (e.g., [13], [12], [49], [30]), where the challenge is to secure the manipulation of secret a...

27 Provably correct runtime enforcement of non-interference properties - Venkatakrishnan, Xu, et al. - 2006

Citation Context

...ning is done on the fly, at the string evaluation time, and, just like conventional offline inlining, requires no modification of the hosting runtime environment. Mechanisms by Venkatakrishnan et al. [48], Le Guernic et al. [28], [27], and Shroff et al. [45] combine dynamic and static checks. The mechanisms by Le Guernic et al. for sequential [28] and concurrent [27] programs are flow-sensitive. Sectio...

26 Information flow monitor inlining - Chudnov, Naumann - 2010

Citation Context

...because the low variable public is assigned in high context) and by permissive-upgrade (because it is not allowed to first relabel public to high and then branch on it). Recently, Chudnov and Naumann [14] have presented an inlining approach to monitoring information flow. They inline a flow-sensitive hybrid monitor based on our monitoring framework. The soundness of the inlined monitor is ensured by b...

24 Automaton-based confidentiality monitoring of concurrent programs - Guernic - 2007

Citation Context

...ned security levels at the beginning of the execution and this assignment is kept unchanged during the execution). Fusion of static and dynamic techniques is becoming increasingly popular [28], [45], [27], [49]. These techniques offer benefits of increasing permissiveness because more information on the actual execution trace is available at runtime, while keeping runtime overhead moderate as some sta...

23 Securing timeout instructions in web applications - Russo, Sabelfeld - 2009

Citation Context

...rence. The exact policies that are enforced might just as well be safety properties (or not), but, importantly, they must guarantee noninterference. Recently, it has been shown (e.g., [43], [5], [4], [39], [6]) that purely dynamic monitors can enforce the same security policy as Denning-style static analysis: termination-insensitive noninterference. In addition, Sabelfeld and Russo [43] prove that soun...

21 A lattice-based approach to mashup security - Magazinius, Askarov, et al. - 2010

Citation Context

...ed SPARK Examiner [8], [11], as well as case studies [46], [3], [23], [13], [12], [15], [38]. Information-flow analysis is becoming particularly attractive for web applications (e.g., [13], [12], [49], [30]), where the challenge is to secure the manipulation of secret and public data on both server and client side. Information-flow controls focus on preventing leaks of information from secret (or high) ...

16 On-the-fly inlining of dynamic security monitors - Magazinius, Russo, et al. - 2010

Citation Context

...ve hybrid monitor based on our monitoring framework. The soundness of the inlined monitor is ensured by bisimulation of the inlined monitor and the original monitor from Section VI. Magazinius et al. [31] show how to perform information-flow monitor inlining on the fly: security checks are injected as the computation goes along. They consider a source language that includes dynamic code evaluation of s...

14 Secure information flow as a safety property - Boudol

Citation Context

...erence-like properties. Volpano [50] considers a purely dynamic monitor that only checks explicit flows. Implicit flows are allowed, and therefore the monitor does not enforce noninterference. Boudol [9] revisits Fenton's work and observes that the intended security policy "no security error" corresponds to a safety property, which is stronger than noninterference. Boudol shows how to enforce this sa...

11 FlowSafe: Information flow security for the browser. https://wiki.mozilla.org/FlowSafe - Eich - 2009

Citation Context

...tors but rejected by the static analysis in practice? It might be or not be significant enough to motivate runtime overhead and late error discovery. These intriguing questions are subject of ongoing [19] and future practical case studies. An exciting challenge in this area is that static analysis has to be done on the fly (as in the browser scenario, where incoming JavaScript programs are analyzed fo...

10 Information flow control in a distributed object-oriented system with statically-bound object variables - Mizuno, Oldehoeft - 1987

Citation Context

...rams accepted by type systems and monitors. Another implication is impossibility of permissive dynamic instrumented security semantics for information flow. Instrumented security semantics (e.g., [2], [34], [7], [37]) defines information flows in programs by instrumenting standard semantics with security operations. Variables are instrumented with security labels, which are propagated by the semantics ...

10 Can You Trust Your Data - Ørbæk - 1995

Citation Context

...ed by type systems and monitors. Another implication is impossibility of permissive dynamic instrumented security semantics for information flow. Instrumented security semantics (e.g., [2], [34], [7], [37]) defines information flows in programs by instrumenting standard semantics with security operations. Variables are instrumented with security labels, which are propagated by the semantics along with ...

7 Information flow control in a parallel language framework - Banâtre, Bryce - 1993

Citation Context

...ccepted by type systems and monitors. Another implication is impossibility of permissive dynamic instrumented security semantics for information flow. Instrumented security semantics (e.g., [2], [34], [7], [37]) defines information flows in programs by instrumenting standard semantics with security operations. Variables are instrumented with security labels, which are propagated by the semantics along...

2 Civitas: toward a secure voting system. In Security and Privacy, 2008. SP 2008. IEEE Symposium on (pp. 354–368). doi:10.1109/SP.2008.32 - Clarkson, Chong, et al. - 2008

Citation Context

...ow tools have been developed for mainstream languages, e.g., Java-based Jif [35], Caml-based FlowCaml [46], and Ada-based SPARK Examiner [8], [11], as well as case studies [46], [3], [23], [13], [12], [15], [38]. Information-flow analysis is becoming particularly attractive for web applications (e.g., [13], [12], [49], [30]), where the challenge is to secure the manipulation of secret and public data on...
