Results 1 - 10
of
39
On flow-sensitive security types
- ACM SIGPLAN Notices– Proceedings of POPL 2006
, 2006
"... This article investigates formal properties of a family of semantically sound flow-sensitive type systems for tracking information flow in simple While programs. The family is indexed by the choice of flow lattice. By choosing the flow lattice to be the powerset of program variables, we obtain a sys ..."
Abstract
-
Cited by 93 (5 self)
- Add to MetaCart
This article investigates formal properties of a family of semantically sound flow-sensitive type systems for tracking information flow in simple While programs. The family is indexed by the choice of flow lattice. By choosing the flow lattice to be the powerset of program variables, we obtain a system which, in a very strong sense, subsumes all other systems in the family (in particular, for each program, it provides a principal typing from which all others may be inferred). This distinguished system is shown to be equivalent to, though more simply described than, Amtoft and Banerjee’s Hoare-style independence logic (SAS’04). In general, some lattices are more expressive than others. Despite this, we show that no type system in the family can give better results for a given choice of lattice than the type system for that lattice itself. Finally, for any program typeable in one of these systems, we show how to construct an equivalent program which is typeable in a simple flow-insensitive system. We argue that this general approach could be useful in a proof-carrying-code setting.
A certified lightweight non-interference java bytecode verifier
- EUROPEAN SYMPOSIUM ON PROGRAMMING, LECTURE NOTES IN COMPUTER SCIENCE
, 2007
"... Non-interference is a semantical condition on programs that guarantees the absence of illicit information flow throughout their execution, and that can be enforced by appropriate information flow type systems. Much of previous work on type systems for non-interference has focused on calculi or hig ..."
Abstract
-
Cited by 46 (7 self)
- Add to MetaCart
Non-interference is a semantical condition on programs that guarantees the absence of illicit information flow throughout their execution, and that can be enforced by appropriate information flow type systems. Much of previous work on type systems for non-interference has focused on calculi or high-level programming languages, and existing type systems for low-level languages typically omit objects, exceptions, and method calls, and/or do not prove formally the soundness of the type system. We define an information flow type system for a sequential JVM-like language that includes classes, objects, arrays, exceptions and method calls, and prove that it guarantees non-interference. For increased confidence, we have formalized the proof in the proof assistant Coq; an additional benefit of the formalization is that we have extracted from our proof a certified lightweight bytecode verifier for information flow. Our work provides, to our best knowledge, the first sound and implemented information flow type system for such an expressive fragment of the JVM.
Information flow control for java based on path conditions in dependence graphs
- In IEEE International Symposium on Secure Software Engineering
, 2006
"... Language-based information flow control (IFC) is a powerful tool to discover security leaks in software. Most current IFC approaches are however based on nonstandard type systems. Type-based IFC is elegant, but not precise and can lead to false alarms. We present a more precise approach to IFC which ..."
Abstract
-
Cited by 35 (5 self)
- Add to MetaCart
Language-based information flow control (IFC) is a powerful tool to discover security leaks in software. Most current IFC approaches are however based on nonstandard type systems. Type-based IFC is elegant, but not precise and can lead to false alarms. We present a more precise approach to IFC which exploits active research in static program analysis. Our IFC approach is based on path conditions in program dependence graphs (PDGs). PDGs are a sophisticated and powerful analysis device, and today can handle realistic programs in full C or Java. We first recapitulate a theorem connecting the classical notion of noninterference to PDGs. We then introduce path conditions in Java PDGs. Path conditions are necessary conditions for information flow; today path conditions can be generated and solved for realistic programs. We show how path conditions can produce witnesses for security leaks. The approach has been implemented for full Java and augmented with classical security level lattices. Examples and case studies demonstrate the feasibility and power of the method. 1
Security types preserving compilation
- In Proc. 5th International Conference on Verification, Model Checking and Abstract Interpretation, volume 2937 of LNCS
, 2004
"... Starting from the seminal work of Volpano and Smith, there has been growing evidence that type systems may be used to enforce condentiality of programs through non-interference. However, most type systems operate on high-level languages and calculi, and \low-level lan-guages have not received much a ..."
Abstract
-
Cited by 31 (3 self)
- Add to MetaCart
Starting from the seminal work of Volpano and Smith, there has been growing evidence that type systems may be used to enforce condentiality of programs through non-interference. However, most type systems operate on high-level languages and calculi, and \low-level lan-guages have not received much attention in studies of secure information
ow " (Sabelfeld and Myers, [1]). Therefore, we introduce an information
ow type system for a low-level language featuring jumps and calls, and show that the type system enforces termination-insensitive non-interference. Furthermore, information
ow type systems for low-level languages should appropriately relate to their counterparts for high-level languages. Therefore, we introduce a compiler from a high-level imperative programming language to our low-level language, and show that the compiler preserves information
ow types.
A Flexible (C)LP-Based Approach to the Analysis of Object-Oriented Programs
- In 17th International Symposium on Logic-based Program Synthesis and Transformation (LOPSTR’07
, 2007
"... Abstract. Static analyses of object-oriented programs usually rely on intermediate representations that respect the original semantics while having a more uniform and basic syntax. Most of the work involving object-oriented languages and abstract interpretation usually omits the description of that ..."
Abstract
-
Cited by 25 (8 self)
- Add to MetaCart
(Show Context)
Abstract. Static analyses of object-oriented programs usually rely on intermediate representations that respect the original semantics while having a more uniform and basic syntax. Most of the work involving object-oriented languages and abstract interpretation usually omits the description of that language or just refers to the Control Flow Graph (CFG) it represents. However, this lack of formalization on one hand results in an absence of assurances regarding the correctness of the transformation and on the other it typically strongly couples the analysis to the source language. In this work we present a framework for analysis of object-oriented languages in which in a first phase we transform the input program into a representation based on Horn clauses. This allows on one hand proving the transformation correct attending to a simple condition and on the other being able to apply an existing analyzer for (constraint) logic programming to automatically derive a safe approximation of the semantics of the original program. The approach is flexible in the sense that the first phase decouples the analyzer from most languagedependent features, and correct because the set of Horn clauses returned by the transformation phase safely approximates the standard semantics of the input program. The resulting analysis is also reasonably scalable due to the use of mature, modular (C)LP-based analyzers. The overall approach allows us to report results for medium-sized programs. 1
A framework for static detection of privacy leaks in android applications
- In Proceedings of the 27th Annual ACM Symposium on Applied Computing, SAC ’12
, 2012
"... We report on applying techniques for static information flow analysis to identify privacy leaks in Android applications. We have crafted a framework which checks with the help of a security type system whether the Dalvik bytecode imple-mentation of an Android app conforms to a given privacy policy. ..."
Abstract
-
Cited by 22 (2 self)
- Add to MetaCart
(Show Context)
We report on applying techniques for static information flow analysis to identify privacy leaks in Android applications. We have crafted a framework which checks with the help of a security type system whether the Dalvik bytecode imple-mentation of an Android app conforms to a given privacy policy. We have carefully analyzed the Android API for possible sources and sinks of private data and identified ex-emplary privacy policies based on this. We demonstrate the applicability of our framework on two case studies showing detection of privacy leaks.
Security of Multithreaded Programs by Compilation
"... Motivation. Information security is a pressing challenge for mobile code technologies. Current security architectures provide no end-to-end security guarantees for mobile code: such code may either intentionally or accidentally propagate sensitive information to an adversary. However, recent progres ..."
Abstract
-
Cited by 20 (6 self)
- Add to MetaCart
(Show Context)
Motivation. Information security is a pressing challenge for mobile code technologies. Current security architectures provide no end-to-end security guarantees for mobile code: such code may either intentionally or accidentally propagate sensitive information to an adversary. However, recent progress in the area of language-based
Secure information flow and program logics
- In IEEE Computer Security Foundations Symposium
, 2007
"... We present interpretations of type systems for secure information flow in Hoare logic, complementing previous encodings in binary (e.g. relational) program logics. Treating base-line non-interference, multi-level security and flow sensitivity for a while language, we show how typing derivations may ..."
Abstract
-
Cited by 17 (6 self)
- Add to MetaCart
(Show Context)
We present interpretations of type systems for secure information flow in Hoare logic, complementing previous encodings in binary (e.g. relational) program logics. Treating base-line non-interference, multi-level security and flow sensitivity for a while language, we show how typing derivations may be used to automatically generate proofs in the program logic that certify the absence of illicit flows. In addition, we present proof rules for baseline non-interference for object-manipulating instructions, As a consequence, standard verification technology may be used for verifying that a concrete program satisfies the noninterference property. Our development is based on a formalisation of the encodings in Isabelle/HOL. 1
Intransitive Noninterference in Dependence Graphs
"... Abstract — In classic information flow control (IFC), noninterference guarantees that no information flows from secret input channels to public output channels. However, this notion turned out to be overly restrictive as many intuitively secure programs do allow some release. In this paper we define ..."
Abstract
-
Cited by 12 (1 self)
- Add to MetaCart
(Show Context)
Abstract — In classic information flow control (IFC), noninterference guarantees that no information flows from secret input channels to public output channels. However, this notion turned out to be overly restrictive as many intuitively secure programs do allow some release. In this paper we define a static analysis that allows intransitive noninterference in combination with contextsensitive analysis for Java bytecode programs. In contrast to type systems that annotate variables, our approach annotates information sources and sinks. To the best of our knowledge this is the first IFC technique which is flow-, context-, and objectsensitive. It allows IFC for realistic languages like Java or C and offers a mechanism for declassification to accommodate some information leakage for cases where traditional noninterference is too restrictive. I.
An Efficient, Parametric Fixpoint Algorithm for Analysis of Java Bytecode
- BYTECODE 2007 PRELIMINAR VERSION
, 2007
"... Abstract interpretation has been widely used for the analysis of object-oriented languages and, in particular, Java source and bytecode. However, while most existing work deals with the problem of finding expressive abstract domains that track accurately the characteristics of a particular concrete ..."
Abstract
-
Cited by 12 (4 self)
- Add to MetaCart
(Show Context)
Abstract interpretation has been widely used for the analysis of object-oriented languages and, in particular, Java source and bytecode. However, while most existing work deals with the problem of finding expressive abstract domains that track accurately the characteristics of a particular concrete property, the underlying fixpoint algorithms have received comparatively less attention. In fact, many existing (abstract interpretation based–) fixpoint algorithms rely on relatively inefficient techniques for solving inter-procedural call graphs or are specific and tied to particular analyses. We also argue that the design of an efficient fixpoint algorithm is pivotal to supporting the analysis of large programs. In this paper we introduce a novel algorithm for analysis of Java bytecode which includes a number of optimizations in order to reduce the number of iterations. The algorithm is parametric-in the sense that it is independent of the abstract domain used and it can be applied to different domains as “plug-ins”-, multivariant, and flow-sensitive. Also, is based on a program transformation, prior to the analysis, that results in a highly uniform representation of all the features in the language and therefore simplifies analysis. Detailed descriptions of decompilation solutions are given and discussed with an example. We also provide some performance data from a preliminary implementation of the analysis.
