Skip to main content
SpringerLink
Log in

Tracking Information Flow via Delayed Output

Addressing Privacy in IoT and Emailing Apps

  • Conference paper
  • First Online:
Secure IT Systems (NordSec 2018)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11252))

Included in the following conference series:

Abstract

This paper focuses on tracking information flow in the presence of delayed output. We motivate the need to address delayed output in the domains of IoT apps and email marketing. We discuss the threat of privacy leaks via delayed output in code published by malicious app makers on popular IoT app platforms. We discuss the threat of privacy leaks via delayed output in non-malicious code on popular platforms for email-driven marketing. We present security characterizations of projected noninterference and projected weak secrecy to capture information flows in the presence of delayed output in malicious and non-malicious code, respectively. We develop two security type systems: for information flow control in potentially malicious code and for taint tracking in non-malicious code, engaging read and write security types to soundly enforce projected noninterference and projected weak secrecy.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Bastys, I., Balliu, M., Sabelfeld, A.: If this then what? Controlling flows in IoT apps. In: ACM CCS (2018)

    Google Scholar 

  2. Bastys, I., Piessens, F., Sabelfeld, A.: Tracking Information Flow via Delayed Output: Addressing Privacy in IoT and Emailing Apps. Full version at http://www.cse.chalmers.se/research/group/security/nordsec18

  3. Bichhawat, A., Rajani, V., Garg, D., Hammer, C.: Information flow control in WebKit’s JavaScript bytecode. In: Abadi, M., Kremer, S. (eds.) POST 2014. LNCS, vol. 8414, pp. 159–178. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54792-8_9

    Chapter  Google Scholar 

  4. Bielova, N., Devriese, D., Massacci, F., Piessens, F.: Reactive non-interference for the browser: extended version. Technical report, KULeuven, 2011. Report CW 602 (2011)

    Google Scholar 

  5. Birgisson, A., Russo, A., Sabelfeld, A.: Unifying facets of information integrity. In: Jha, S., Mathuria, A. (eds.) ICISS 2010. LNCS, vol. 6503, pp. 48–65. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17714-9_5

    Chapter  Google Scholar 

  6. BMW Labs. Automatically get an email every time you park your BMW with a map to where you’re parked (2018). https://ifttt.com/applets/346212p-automatically-get-an-email-every-time-you-park-your-bmw-with-a-map-to-where-you-re-parked

  7. Chen, E.Y., Gorbaty, S., Singhal, A., Jackson, C.: Self-Exfiltration: the dangers of browser-enforced information flow control. In: W2SP (2012)

    Google Scholar 

  8. Cohen, E.S.: Information transmission in computational systems. In: SOSP (1977)

    Google Scholar 

  9. Cohen, E.S.: Information transmission in sequential programs. In: F. Sec. Comp. Academic Press (1978)

    Google Scholar 

  10. Denning, D.E., Denning, P.J.: Certification of programs for secure information flow. Commun. ACM 20, 504–513 (1977)

    Article  Google Scholar 

  11. Fernandes, E., Paupore, J., Rahmati, A., Simionato, D., Conti, M., Prakash, A.: FlowFence: practical data protection for emerging IoT application frameworks. In: USENIX Security (2016)

    Google Scholar 

  12. Fernandes, E., Rahmati, A., Jung, J., Prakash, A.: Decentralized action integrity for trigger-action IoT platforms. In: NDSS (2018)

    Google Scholar 

  13. General Data Protection Regulation, EU Regulation 2016/679 (2018)

    Google Scholar 

  14. Giacobazzi, R., Mastroeni, I.: Abstract non-interference: parameterizing non-interference by abstract interpretation. In: POPL (2004)

    Article  Google Scholar 

  15. Goguen, J.A., Meseguer, J.: Security policies and security models. In: IEEE S&P (1982)

    Google Scholar 

  16. Greiner, S., Grahl, D.: Non-interference with what-declassification in component-based systems. In: CSF (2016)

    Google Scholar 

  17. Groef, W.D., Devriese, D., Nikiforakis, N., Piessens, F.: Flowfox: a web browser with flexible and precise information flow control. In: ACM CCS (2012)

    Google Scholar 

  18. Hedin, D., Bello, L., Sabelfeld, A.: Information-flow security for JavaScript and its APIs. J. Comp. Sec. 24, 181–234 (2016)

    Google Scholar 

  19. Hedin, D., Birgisson, A., Bello, L., Sabelfeld, A.: Jsflow: tracking information flow in JavaScript and its APIs. In: SAC, pp. 1663–1671. ACM (2014)

    Google Scholar 

  20. Hedin, D., Sabelfeld, A.: A perspective on information-flow control. In: Software Safety and Security. IOS Press (2012)

    Google Scholar 

  21. IFTTT. How people use IFTTT today (2016). https://ifttt.com/blog/2016/11/connected-life-of-an-ifttt-user

  22. IFTTT. 550 apps and devices now work with IFTTT (2017). https://ifttt.com/blog/2017/09/550-apps-and-devices-now-on-ifttt-infographic

  23. MailChimp (2018). https://mailchimp.com

  24. mcb. Sync all your new iOS Contacts to a Google Spreadsheet (2018). https://ifttt.com/applets/102384p-sync-all-your-new-ios-contacts-to-a-google-spreadsheet

  25. Murray, T.C., Sison, R., Pierzchalski, E., Rizkallah, C.: Compositional verification and refinement of concurrent value-dependent noninterference. In: CSF (2016)

    Google Scholar 

  26. Myers, A.C., Liskov, B.: A decentralized model for information flow control. In: SOSP (1997)

    Google Scholar 

  27. Poddebniak, D., et al.: Efail: breaking S/MIME and OpenPGP email encryption using Exfiltration channels. In: USENIX Security (2018)

    Google Scholar 

  28. Russo, A., Sabelfeld, A., Li, K.: Implicit flows in malicious and nonmalicious code. In: Logics and Languages for Reliability and Security. IOS Press (2010)

    Google Scholar 

  29. Sabelfeld, A., Mantel, H.: Securing communication in a concurrent language. In: SAS (2002)

    Google Scholar 

  30. Sabelfeld, A., Sands, D.: A per model of secure information flow in sequential programs. High. Order Symb. Comput. 14, 59–91 (2001)

    Article  Google Scholar 

  31. Sabelfeld, A., Sands, D.: Declassification: Dimensions and principles. JCS 17, 517–548 (2009)

    Article  Google Scholar 

  32. Schoepe, D., Balliu, M., Pierce, B.C., Sabelfeld, A.: Explicit secrecy: a policy for taint tracking. In: EuroS&P (2016)

    Google Scholar 

  33. Schwartz, E.J., Avgerinos, T., Brumley, D.: All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In: IEEE S&P (2010)

    Google Scholar 

  34. Sen, S., Guha, S., Datta, A., Rajamani, S.K., Tsai, J.Y., Wing, J.M.: Bootstrapping privacy compliance in big data systems. In: IEEE S&P (2014)

    Google Scholar 

  35. silvamerica. Add a map image of current location to Dropbox (2018). https://ifttt.com/applets/255978p-add-a-map-image-of-current-location-to-dropbox

  36. Staicu, C.-A., Pradel, M., Livshits, B.: Understanding and automatically preventing injection attacks on Node.js. In: NDSS (2018)

    Google Scholar 

  37. Surbatovich, M., Aljuraidan, J., Bauer, L., Das, A., Jia, L.: Some recipes can do more than spoil your appetite: analyzing the security and privacy risks of IFTTT recipes. In: WWW (2017)

    Google Scholar 

  38. Volpano, D.: Safety versus secrecy. In: Cortesi, A., Filé, G. (eds.) SAS 1999. LNCS, vol. 1694, pp. 303–311. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48294-6_20

    Chapter  Google Scholar 

Download references

Acknowledgements

This work was partially supported by the Wallenberg AI, Autonomous Systems and Software Program (WASP) funded by the Knut and Alice Wallenberg Foundation. It was also partly funded by the Swedish Foundation for Strategic Research (SSF) and the Swedish Research Council (VR).

Author information

Authors and Affiliations

  1. Chalmers University of Technology, Gothenburg, Sweden

    Iulia Bastys & Andrei Sabelfeld

  2. Katholieke Universiteit Leuven, Heverlee, Belgium

    Frank Piessens

Authors
  1. Iulia Bastys
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Frank Piessens
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Andrei Sabelfeld
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Iulia Bastys .

Editor information

Editors and Affiliations

  1. University of Oslo, Oslo, Norway

    Nils Gruschka

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Bastys, I., Piessens, F., Sabelfeld, A. (2018). Tracking Information Flow via Delayed Output. In: Gruschka, N. (eds) Secure IT Systems. NordSec 2018. Lecture Notes in Computer Science(), vol 11252. Springer, Cham. https://doi.org/10.1007/978-3-030-03638-6_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-03638-6_2

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-03637-9

  • Online ISBN: 978-3-030-03638-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation