On-the-Fly Inlining of Dynamic Dependency Monitors for Secure Information Flow

  • Luciano Bello
  • Eduardo Bonelli
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7140)

Abstract

Information flow analysis (IFA) in the setting of programming languages is steadily veering towards the adoption of dynamic techniques. This is particularly attractive for scripting languages for web applications programming. A common manifestation of dynamic techniques is that of run-time monitors, which should block program execution in the presence of an insecure run. Significant efforts are still required before practical, scalable monitors for secure IFA of industrial scale languages such as JavaScript can be achieved. Such monitors ideally should compensate for the absence of the traces they do not track, should not require modifications of the VM and should provide a fair compromise between security and usability among other things. This paper discusses on-the-fly inlining of monitors that track dependencies as a prospective candidate.

Keywords

Security Level Program Counter Covert Channel Program Point Dynamic Technique 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE Journal on Selected Areas in CommunicationsGoogle Scholar
  2. 2.
    Venkatakrishnan, V.N., Xu, W., Duvarney, D.C., Sekar, R.: Provably correct runtime enforcement of non-interference properties. In: International Conference on Information and Communication Security, pp. 332–351 (2006)Google Scholar
  3. 3.
    Guernic, G.L., Banerjee, A., Jensen, T.P., Schmidt, D.A.: Automata-Based Confidentiality Monitoring. In: Okada, M., Satoh, I. (eds.) ASIAN 2006. LNCS, vol. 4435, pp. 75–89. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  4. 4.
    Guernic, G.L.: Automaton-based confidentiality monitoring of concurrent programs. In: Computer Security Foundations Workshop, pp. 218–232 (2007)Google Scholar
  5. 5.
    Shroff, P., Smith, S., Thober, M.: Dynamic dependency monitoring to secure information flow. In: Proceedings of the 20th IEEE Computer Security Foundations Symposium, pp. 203–217. IEEE Computer Society, Washington, DC, USA (2007)Google Scholar
  6. 6.
    Mccamant, S., Ernst, M.D.: Quantitative information flow as network flow capacity. In: SIGPLAN Conference on Programming Language Design and Implementation, pp. 193–205 (2008)Google Scholar
  7. 7.
    Sabelfeld, A., Russo, A.: From dynamic to static and back: Riding the roller coaster of information-flow control research. In: Ershov. Memorial Conf., pp. 352–365 (2009)Google Scholar
  8. 8.
    Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. In: SIGPLAN Conference on Programming Language Design and Implementation, pp. 113–124 (2009)Google Scholar
  9. 9.
    Askarov, A., Sabelfeld, A.: Tight enforcement of information-release policies for dynamic languages. In: Computer Security Foundations Workshop, pp. 43–59 (2009)Google Scholar
  10. 10.
    Volpano, D.M., Irvine, C.E., Smith, G.: A sound type system for secure flow analysis. Journal of Computer Security 4, 167–188Google Scholar
  11. 11.
    Russo, A., Sabelfeld, A.: Dynamic vs. static flow-sensitive security analysis. In: Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium, CSF 2010, pp. 186–199. IEEE Computer Society, Washington, DC, USA (2010)CrossRefGoogle Scholar
  12. 12.
    Hunt, S., Sands, D.: On flow-sensitive security types. In: Morrisett, J.G., Jones, S.L.P. (eds.) POPL, pp. 79–90. ACM (2006)Google Scholar
  13. 13.
    Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. SIGPLAN Not. 44, 20–31 (2009)CrossRefGoogle Scholar
  14. 14.
    Austin, T.H., Flanagan, C.: Permissive dynamic information flow analysis. In: Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, PLAS 2010, pp. 3:1–3:12. ACM, New York (2010)Google Scholar
  15. 15.
    Chudnov, A., Naumann, D.A.: Information flow monitor inlining. In: Computer Security Foundations Workshop, pp. 200–214 (2010)Google Scholar
  16. 16.
    Futoransky, A., Gutesman, E., Waissbein, A.: A dynamic technique for enhancing the security and privacy of web applications. In: Black Hat USA 2007 Briefings, August 1-2, Las Vegas, NV, USA (2007)Google Scholar
  17. 17.
    Dhawan, M., Ganapathy, V.: Analyzing information flow in javascript-based browser extensions. In: Annual Comp. Sec. App. Conference, pp. 382–391 (2009)Google Scholar
  18. 18.
    Erlingsson, U.: The Inlined Reference Monitor Approach to Security Policy Enforcement. PhD thesis, Department of Computer Science, Cornell University (2003) TR 2003-1916Google Scholar
  19. 19.
    Magazinius, J., Russo, R., Sabelfeld, A.: On-the-fly inlining of dynamic security monitors. In: Proc. IFIP International Information Security Conference (2010)Google Scholar
  20. 20.
    Chugh, R., Meister, J.A., Jhala, R., Lerner, S.: Staged information flow for javascript. In: SIGPLAN Conference on Programming Language Design and Implementation, pp. 50–62 (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Luciano Bello
    • 1
    • 2
  • Eduardo Bonelli
    • 2
    • 3
    • 4
  1. 1.Si6 Labs - CITEDEF - Inst. de Investigac. Cient. y Técnicas para la DefensaArgentina
  2. 2.ITBA - Instituto Tecnológico Buenos AiresArgentina
  3. 3.CONICET - Consejo Nacional de Investigaciones Científicas y TécnicasArgentina
  4. 4.UNQ - Univesidad Nacional de QuilmesArgentina

Personalised recommendations