DIFC Programs by Automatic Instrumentation
Citations: 10 (4 self)
References cited by this paper (citation count | title)
4182 | Communicating Sequential Processes
- Hoare
- 1985
Citation context: ...(i.e., the version of the server without the calls to create_tag(), expand_label(), and clear_label()). Swim represents programs internally using a dialect of Communicating Sequential Processes (CSP) [2]: it translates the C program into a CSP program that models properties relevant to DIFC instrumentation, and then analyzes the CSP program. We use CSP as an intermediate representation because CSP is...
2000 | Aspect-oriented programming
- Kiczales, Lamping, et al.
- 1997
Citation context: ...the set of tags that represent principals, along with inferring the code that manipulates these tags. Aspect-oriented programming (AOP) breaks program logic down into distinct parts (called concerns) [13]. AOP deals with concerns (called crosscutting concerns) that span multiple abstractions in a program. Logging exemplifies a crosscutting concern because a logging strategy necessarily affects every s...
533 | CIL: Intermediate language and tools for analysis and transformation of C programs
- Necula, McPeak, et al.
- 2002
Citation context: ...-flow policy from the literature [15, 26], expressed the policy in terms of the flow assertions described in §3.2.2, and then fed the program and policy to the tool. We implemented Swim using the CIL [19] program-analysis infrastructure for C, and the Yices SMT solver [7]. The only program annotations required by Swim are C labels (not Flume labels) that map program points to variables used in flow as...
266 | A decentralized model for information flow control
- Myers, Liskov
- 1997
Citation context: ...t of processes. Several programming languages, such as Jif, provide type systems based on security labels that allow the programmer to validate security properties of their code through type-checking [18, 23]. Jif has been used to implement several real-world applications with strong security guarantees (e.g. [3, 5, 12]), but these programs are written from scratch in Jif. Automatic techniques can partiti...
247 | Making information flow explicit in HiStar
- Zeldovich, Boyd-Wickizer, et al.
- 2011
Citation context: ...INTRODUCTION. Decentralized information flow control (DIFC) operating systems are a recent innovation aimed at providing applications with mechanisms for ensuring the secrecy and integrity of their data [15, 24, 26]. To achieve this goal, a DIFC OS associates with each process a label drawn from a partially ordered set. A process may send data to another process only if the processes' labels satisfy a certain ord...
189 | Information Flow Control for Standard OS Abstractions
- Krohn, Yip, et al.
- 2007
Citation context: ...INTRODUCTION. Decentralized information flow control (DIFC) operating systems are a recent innovation aimed at providing applications with mechanisms for ensuring the secrecy and integrity of their data [15, 24, 26]. To achieve this goal, a DIFC OS associates with each process a label drawn from a partially ordered set. A process may send data to another process only if the processes' labels satisfy a certain ord...
133 | Secure web applications via automatic partitioning
- Chong, Liu, et al.
- 2007
Citation context: ...allow the programmer to validate security properties of their code through type-checking [18, 23]. Jif has been used to implement several real-world applications with strong security guarantees (e.g. [3, 5, 12]), but these programs are written from scratch in Jif. Automatic techniques can partition a Jif web application between its client and server [3]. Jif requires the programmer to define a bounded set o...
92 | Civitas: Toward a secure voting system
- Clarkson, Chong, et al.
- 2008
Citation context: ...allow the programmer to validate security properties of their code through type-checking [18, 23]. Jif has been used to implement several real-world applications with strong security guarantees (e.g. [3, 5, 12]), but these programs are written from scratch in Jif. Automatic techniques can partition a Jif web application between its client and server [3]. Jif requires the programmer to define a bounded set o...
78 | Programming by sketching for bit-streaming programs
- Solar-Lezama, Rabbah, et al.
- 2005
Citation context: ...ionally, DIFC systems provide certain guarantees that Resin does not match [25]. Previous work describes techniques to automatically synthesize programs from complete specifications of their behavior [6, 21, 22]. Like Swim, these techniques assume a program skeleton and a specification of correctness, and then use constraint solving to generate language constructs, yielding a concrete implementation of the s...
71 | Improving application security with data flow assertions
- Yip, Wang, et al.
- 2009
Citation context: ...ically, given only an uninstrumented program and a policy. Such code is correct by construction. Krohn and Tromer [14] use CSP to reason about the Flume OS, not applications running atop Flume. Resin [25] is a language runtime that allows a programmer to specify dataflow assertions, which are checked over the state of the associated data before the data is allowed to be sent from one system object to ...
67 | Fable: A language for enforcing user-defined security policies
- Swamy, Corcoran, et al.
- 2008
Citation context: ...t of processes. Several programming languages, such as Jif, provide type systems based on security labels that allow the programmer to validate security properties of their code through type-checking [18, 23]. Jif has been used to implement several real-world applications with strong security guarantees (e.g. [3, 5, 12]), but these programs are written from scratch in Jif. Automatic techniques can partiti...
42 | Labels and event processes in the Asbestos operating system
- Vandebogart, Efstathopoulos, et al.
- 2007
Citation context: ...INTRODUCTION. Decentralized information flow control (DIFC) operating systems are a recent innovation aimed at providing applications with mechanisms for ensuring the secrecy and integrity of their data [15, 24, 26]. To achieve this goal, a DIFC OS associates with each process a label drawn from a partially ordered set. A process may send data to another process only if the processes' labels satisfy a certain ord...
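The three contexts above (for [15, 24, 26]) describe the DIFC label rule only in the abstract, and the first context on this page names the calls (create_tag(), expand_label(), clear_label()) that Swim inserts to manipulate labels. The following model makes the rule concrete. It is an added example, not code from the paper, from Swim or from Flume, and its semantics are assumptions made here rather than facts stated on this page: a secrecy label is a set of tags, data may flow from p to q only if S_p is a subset of S_q, a process may add tag t to its own label only with the capability t+ and drop it only with t-, and create_tag() grants its caller both. Process and endpoint names are constructed for the scenario.

```python
"""Flume-style DIFC label model (added example; not the paper's or Flume's code).

Assumed semantics (not given on this page): a secrecy label is a set of tags;
data may flow from p to q only if S_p is a subset of S_q; a process may add a
tag t to its own label only if it holds the capability t+ and remove t only if
it holds t-; create_tag() grants its caller both capabilities for the new tag.
"""
from dataclasses import dataclass


@dataclass
class Process:
    name: str
    secrecy: frozenset = frozenset()   # S_p: tags whose secrecy binds this process
    caps: frozenset = frozenset()      # capabilities held, as (tag, "+") or (tag, "-")

    def can_send_to(self, other: "Process") -> bool:
        """Flow rule: p may send to q only if S_p is a subset of S_q."""
        return self.secrecy <= other.secrecy

    def expand_label(self, tag: str) -> None:
        """Raise the label with tag; requires the t+ capability."""
        if (tag, "+") not in self.caps:
            raise PermissionError(f"{self.name} lacks {tag}+")
        self.secrecy = self.secrecy | {tag}

    def clear_label(self, tag: str) -> None:
        """Declassify by dropping tag; requires the t- capability."""
        if (tag, "-") not in self.caps:
            raise PermissionError(f"{self.name} lacks {tag}-")
        self.secrecy = self.secrecy - {tag}


def create_tag(creator: Process, tag: str) -> None:
    """Allocate a fresh tag; the creator receives both t+ and t- for it."""
    creator.caps = creator.caps | {(tag, "+"), (tag, "-")}


def launch_worker(launcher: Process, user: str) -> Process:
    """Spawn a per-request worker confined to `user`'s data (assumed pattern).

    The worker is handed only user+, so it can raise its label to read the
    user's data but can never clear the tag and leak that data to a public sink.
    """
    if (user, "+") not in launcher.caps:
        raise PermissionError(f"{launcher.name} cannot delegate {user}+")
    worker = Process(f"worker_{user}", caps=frozenset({(user, "+")}))
    worker.expand_label(user)
    return worker


def scenario() -> dict:
    """Constructed scenario: a launcher, two users' data and a public network sink."""
    launcher = Process("launcher")
    create_tag(launcher, "alice")
    create_tag(launcher, "bob")
    alice_data = Process("alice_data", secrecy=frozenset({"alice"}))  # passive endpoint
    bob_data = Process("bob_data", secrecy=frozenset({"bob"}))
    network = Process("network")  # public sink: empty label

    worker = launch_worker(launcher, "alice")
    result = {
        "worker_reads_alice": alice_data.can_send_to(worker),   # {alice} <= {alice}
        "worker_reads_bob": bob_data.can_send_to(worker),       # {bob} not <= {alice}
        "worker_writes_network": worker.can_send_to(network),   # {alice} not <= {}
    }
    try:
        worker.clear_label("alice")
        result["worker_declassifies"] = True
    except PermissionError:
        result["worker_declassifies"] = False

    # Only a holder of alice- (here the launcher, which created the tag) can
    # carry alice-labelled data back to the public sink.
    launcher.expand_label("alice")
    result["launcher_reaches_network_labelled"] = launcher.can_send_to(network)
    launcher.clear_label("alice")
    result["launcher_reaches_network_cleared"] = launcher.can_send_to(network)
    return result


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

The point the model makes is the one the later context on this page attributes to Flume: because labels are changed only by explicit calls gated on capabilities, the worker's inability to reach the network is a consequence of which capabilities the launcher handed it, not of any check the worker's own code performs.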
31 | Manageable fine-grained information flow
- Efstathopoulos, Kohler
- 2008
Citation context: ...cally by Swim on top of a DIFC operating system, a user obtains greater assurance of the end-to-end information-flow security of their application. Our goals are shared by Efstathopoulos and Kohler [8], who have also explored the idea of describing a policy as declarations of allowed and prohibited information flows, for the Asbestos DIFC system. However, their work appears to have some significant...
30 | Understanding practical application development in security-typed languages
- Hicks, Ahmadizadeh, et al.
- 2006
Citation context: ...allow the programmer to validate security properties of their code through type-checking [18, 23]. Jif has been used to implement several real-world applications with strong security guarantees (e.g. [3, 5, 12]), but these programs are written from scratch in Jif. Automatic techniques can partition a Jif web application between its client and server [3]. Jif requires the programmer to define a bounded set o...
30 | Z3: an efficient SMT solver
- de Moura, Bjørner
- 2008
Citation context: ...constraint system has a solution if and only if the bit-vector system has a solution. Bit-vector constraints can be solved efficiently in practice by an off-the-shelf SMT solver, such as Yices [6], Z3 [16], or STP [8]. Such solvers implement decision procedures for decidable first-order theories, including the theory of bit vectors. If the SMT solver determines that no solution exists for the bit-vecto...
25 | Noninterference for a practical DIFC-based operating system
- Krohn, Tromer
- 2009
Citation context: ...perating systems. Furthermore, some systems have formal proofs that if an application running on the system correctly manipulates labels to implement a policy, then the system will enforce the policy [14]. However, for a user to have end-to-end assurance that their application implements a high-level information-flow policy, they must have assurance that the application indeed correctly manipulates la...
18 | The Yices SMT solver. http://yices.csl.sri.com/toolpaper.pdf
- Dutertre, de Moura
- 2006
Citation context: ...em of correctly instrumenting the program to a problem of solving a system of set constraints. It feeds the resulting constraint system to an off-the-shelf Satisfiability Modulo Theories (SMT) solver [7], which in our experiments found solutions to the systems in seconds (see Tab. 4). From a solution, Swim instruments the program. Thus the programmer reasons at the policy level about information flow...
15 | Verifying information flow control over unbounded processes
- Harris, Kidd, et al.
- 2009
Citation context: ...a system with such a semantics enables high-throughput leaks, while a system such as Flume, in which labels are explicitly manipulated by each process, is provably free of such leaks. Harris et al. [11] apply a model checker for safety properties of concurrent programs to determine if a fully instrumented DIFC application satisfies a high-level information flow policy. The present paper describes ho...
12 | Schema-guided synthesis of imperative programs by constraint solving
- Colón
Citation context: ...ionally, DIFC systems provide certain guarantees that Resin does not match [25]. Previous work describes techniques to automatically synthesize programs from complete specifications of their behavior [6, 21, 22]. Like Swim, these techniques assume a program skeleton and a specification of correctness, and then use constraint solving to generate language constructs, yielding a concrete implementation of the s...
5 | A decision procedure for bit-vectors and arrays
- Ganesh, Dill
- 2007
Citation context: ...tem has a solution if and only if the bit-vector system has a solution. Bit-vector constraints can be solved efficiently in practice by an off-the-shelf SMT solver, such as Yices [7], Z3 [17], or STP [9]. Such solvers implement decision procedures for decidable first-order theories, including the theory of bit vectors. If the solver determines that no solution exists for the bit-vector constraints, th...
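The contexts for the Yices, Z3 and STP entries describe Swim's core step: the instrumentation problem becomes a system of set constraints over the labels of processes, that system is translated to bit-vector constraints with the same satisfiability, and an SMT solver either returns an assignment (from which the label-manipulating calls are generated) or reports that none exists. The block below works one small instance of that reduction end to end. It is an added example and not Swim's code: the policy (allowed and prohibited flows between a launcher, two per-user workers, two labelled data endpoints and a public network sink) is constructed here, the encoding of an allowed flow as S_p ⊆ S_q and of a prohibited flow as its negation is a simplification of the flow assertions the paper describes, and the solver enumerates assignments over a two-tag universe so that the block runs offline, where Swim would hand the same bit-vector system to an SMT solver.

```python
"""Added example: inferring DIFC secrecy labels from a flow policy by solving set
constraints as bit-vector constraints. Not Swim's code: the policy, the encoding
and the enumerating solver are constructed here. A real tool hands the bit-vector
system to an SMT solver (Yices, Z3, STP); this block enumerates a tiny instance.
"""
from itertools import product

TAGS = ["alice", "bob"]            # constructed tag universe; bit i stands for TAGS[i]
FULL = (1 << len(TAGS)) - 1        # bit-vector of the full tag set


def encode(tags) -> int:
    """Set of tags -> bit-vector (one bit per tag in the finite universe)."""
    return sum(1 << TAGS.index(t) for t in tags)


def decode(bits: int) -> frozenset:
    """Bit-vector -> set of tag names."""
    return frozenset(t for i, t in enumerate(TAGS) if bits >> i & 1)


def subset(x: int, y: int) -> bool:
    """The set constraint S_x is a subset of S_y becomes the bit-vector test (x & ~y) == 0."""
    return x & ~y == 0


def solve(processes, fixed, allowed, prohibited):
    """Return a label (bit-vector) per process satisfying the policy, or None.

    fixed:      labels not ours to choose (data endpoints, the public network)
    allowed:    pairs (p, q) that must satisfy S_p subset of S_q
    prohibited: pairs (p, q) that must violate  S_p subset of S_q
    Enumerates every assignment of the unknown labels; an SMT solver would
    decide the same bit-vector formula without enumeration.
    """
    unknown = [p for p in processes if p not in fixed]
    for choice in product(range(FULL + 1), repeat=len(unknown)):
        labels = {**fixed, **dict(zip(unknown, choice))}
        if (all(subset(labels[p], labels[q]) for p, q in allowed)
                and all(not subset(labels[p], labels[q]) for p, q in prohibited)):
            return labels
    return None


def instrumentation(labels, fixed):
    """From a solution, the tags each inferred process must raise its label with,
    i.e. the expand_label() calls to insert before it touches labelled data."""
    return {p: sorted(decode(b)) for p, b in labels.items() if p not in fixed}


def wiki_policy(leak_to_network: bool = False):
    """Constructed policy: each user's worker may read only that user's data and
    may never reach the public network. leak_to_network=True adds a flow that
    contradicts the rest, to show the unsatisfiable case."""
    processes = ["launcher", "worker_alice", "worker_bob",
                 "alice_data", "bob_data", "network"]
    fixed = {"alice_data": encode(["alice"]), "bob_data": encode(["bob"]),
             "network": encode([]), "launcher": encode([])}
    allowed = [("alice_data", "worker_alice"), ("bob_data", "worker_bob"),
               ("launcher", "worker_alice"), ("launcher", "worker_bob")]
    prohibited = [("alice_data", "worker_bob"), ("bob_data", "worker_alice"),
                  ("worker_alice", "network"), ("worker_bob", "network")]
    if leak_to_network:
        allowed.append(("worker_alice", "network"))
    return processes, fixed, allowed, prohibited


if __name__ == "__main__":
    procs, fixed, allowed, prohibited = wiki_policy()
    sol = solve(procs, fixed, allowed, prohibited)
    print("inferred labels:", {p: sorted(decode(b)) for p, b in sol.items()})
    print("calls to insert:", instrumentation(sol, fixed))
    procs, fixed, allowed, prohibited = wiki_policy(leak_to_network=True)
    print("with a leaking flow allowed:", solve(procs, fixed, allowed, prohibited))
```

In the satisfiable case the solver assigns {alice} to worker_alice and {bob} to worker_bob, which is exactly the set of expand_label() calls the instrumentation needs; in the second case the added "allowed" flow from worker_alice to the empty-labelled network forces S_worker_alice to be empty while the read of alice_data forces it to contain alice, so no assignment exists and the policy itself is reported as contradictory rather than any instrumentation being emitted.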
5 | The MoinMoin Wiki Engine
- MoinMoin
- 2006
Citation context: ...sion of FlumeWiki in which each process that services a request acts with exactly the DIFC permissions of the user who makes the request. FlumeWiki [15] is based on the software package MoinMoin Wiki [16], but has been extended to run on the Flume operating system with enhanced security guarantees. Similar to Apache, in FlumeWiki a launcher process receives requests from users for generating CGI forms...
2 | From program verification to program synthesis
- Srivastava, Gulwani, et al.
- 2010
Citation context: ...ionally, DIFC systems provide certain guarantees that Resin does not match [25]. Previous work describes techniques to automatically synthesize programs from complete specifications of their behavior [6, 21, 22]. Like Swim, these techniques assume a program skeleton and a specification of correctness, and then use constraint solving to generate language constructs, yielding a concrete implementation of the s...
1 | DIFC programs by automatic instrumentation. http://cs.wisc.edu/ ~wrharris/publications/tr-1673.pdf
- Harris, Jha, et al.
- 2010
Citation context: ...ld programs and information-flow policies. §5 places our work in the context of other work on DIFC systems and program synthesis. §6 concludes. Some technical details are covered in the appendices of [9]. 2. OVERVIEW. We now informally describe each step of the workflow of Swim, using the example from Fig. 1. We first give a brief overview of the Flume operating system. For a more complete description...