We Are Family: Relating Information-Flow Trackers

  • Musard Balliu
  • Daniel Schoepe
  • Andrei Sabelfeld
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10492)


While information-flow security is a well-established area, there is an unsettling gap between heavyweight information-flow control, with formal guarantees yet limited practical impact, and lightweight tainting techniques, useful for bug finding yet lacking formal assurance. This paper proposes a framework for exploring the middle ground in the range of enforcement from tainting (tracking data flows only) to fully-fledged information-flow control (tracking both data and control flows). We formally illustrate the trade-offs between the soundness and permissiveness that the framework allows to achieve. The framework is deployed in a staged fashion, statically embedding a dynamic monitor, being parametric in security policies, as they do not need to be fixed until the final deployment. This flexibility facilitates a secure app store architecture, where the static stage of verification is performed by the app store and the dynamic stage is deployed on the client. To illustrate the practicality of the framework, we implement our approach for a core of Java and evaluate it on a use case with enforcing privacy policies in the Android setting. We also show how a state-of-the-art dynamic monitor for JavaScript can be easily adapted to implement our approach.


Language-based security Information-flow control Taint tracking 



This work was partly funded by the European Community under the ProSecuToR project and the Swedish research agency VR.


  1. 1.
    Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Traon, Y.L., Octeau, D., McDaniel, P.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In: PLDI (2014)Google Scholar
  2. 2.
    Askarov, A., Chong, S.: Learning is change in knowledge: Knowledge-based security for dynamic policies. In: CSF (2012)Google Scholar
  3. 3.
    Askarov, A., Hunt, S., Sabelfeld, A., Sands, D.: Termination-insensitive noninterference leaks more than just a bit. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 333–348. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-88313-5_22 CrossRefGoogle Scholar
  4. 4.
    Askarov, A., Sabelfeld, A.: Gradual release: unifying declassification, encryption and key release policies. In: S&P (2007)Google Scholar
  5. 5.
    Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. SIGPLAN Not. 44, 20–31 (2009)CrossRefGoogle Scholar
  6. 6.
    Austin, T.H., Flanagan, C.: Permissive dynamic information flow analysis. In: PLAS (2010)Google Scholar
  7. 7.
    Austin, T.H., Yang, J., Flanagan, C., Solar-Lezama, A.: Faceted execution of policy-agnostic programs. In: PLAS (2013)Google Scholar
  8. 8.
    Balliu, M., Dam, M., Guernic, G.L.: ENCoVer: symbolic exploration for information flow security. In: CSF (2012)Google Scholar
  9. 9.
    Balliu, M., Dam, M., Le Guernic, G.: Epistemic temporal logic for information flow security. In: PLAS (2011)Google Scholar
  10. 10.
    Banerjee, A., Naumann, D.A., Rosenberg, S.: Expressive declassification policies and modular static enforcement. In: S&P (2008)Google Scholar
  11. 11.
    Bao, T., Zheng, Y., Lin, Z., Zhang, X., Xu, D.: Strict control dependence and its effect on dynamic information flow analyses. In: ISSTA (2010)Google Scholar
  12. 12.
    Barthe, G., Crespo, J.M., Devriese, D., Piessens, F., Rivas, E.: Secure multi-execution through static program transformation. In: Giese, H., Rosu, G. (eds.) FMOODS/FORTE -2012. LNCS, vol. 7273, pp. 186–202. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-30793-5_12 CrossRefGoogle Scholar
  13. 13.
    Barthe, G., D’Argenio, P.R., Rezk, T.: Secure information flow by self-composition. MSCS 21, 1207–1252 (2011)MathSciNetzbMATHGoogle Scholar
  14. 14.
    We are family: relating information flow trackers (Extended Version).
  15. 15.
    Beringer, L.: End-to-end multilevel hybrid information flow control. In: Jhala, R., Igarashi, A. (eds.) APLAS 2012. LNCS, vol. 7705, pp. 50–65. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-35182-2_5 CrossRefGoogle Scholar
  16. 16.
    Biba, K.J.: Integrity considerations for secure computer systems. Technical report, MITRE Corp (1977)Google Scholar
  17. 17.
    Bielova, N., Rezk, T.: A taxonomy of information flow monitors. In: Piessens, F., Viganò, L. (eds.) POST 2016. LNCS, vol. 9635, pp. 46–67. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49635-0_3 CrossRefGoogle Scholar
  18. 18.
    Chudnov, A., Naumann, D.A.: Information flow monitor inlining. In: CSF (2010)Google Scholar
  19. 19.
    Chugh, R., Meister, J.A., Jhala, R., Lerner, S.: Staged information flow for javascript. In: PLDI (2009)Google Scholar
  20. 20.
    Darvas, Á., Hähnle, R., Sands, D.: A theorem proving approach to analysis of secure information flow. In: Hutter, D., Ullmann, M. (eds.) SPC 2005. LNCS, vol. 3450, pp. 193–209. Springer, Heidelberg (2005). doi: 10.1007/978-3-540-32004-3_20 CrossRefGoogle Scholar
  21. 21.
    Denning, D.E., Denning, P.J.: Certification of programs for secure information flow. Commun. ACM 20, 504–513 (1977)CrossRefzbMATHGoogle Scholar
  22. 22.
    Devriese, D., Piessens, F.: Noninterference through secure multi-execution. In: S&P 2010 (2010)Google Scholar
  23. 23.
    Dimitrova, R., Finkbeiner, B., Kovács, M., Rabe, M.N., Seidl, H.: Model checking information flow in reactive systems. In: Kuncak, V., Rybalchenko, A. (eds.) VMCAI 2012. LNCS, vol. 7148, pp. 169–185. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-27940-9_12 CrossRefGoogle Scholar
  24. 24.
    Enck, W., Gilbert, P., Han, S., Tendulkar, V., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. 32, 5 (2014)CrossRefGoogle Scholar
  25. 25.
    Ernst, M.D., Just, R., Millstein, S., Dietl, W., Pernsteiner, S., Roesner, F., Koscher, K., Barros, P.B., Bhoraskar, R., Han, S., Vines, P., Wu, E.X.: Collaborative verification of information flow for a high-assurance app. store. In: CCS (2014)Google Scholar
  26. 26.
    Fenton, J.S.: Memoryless subsystems. Comput. J. 17(2), 143–147 (1974)MathSciNetCrossRefzbMATHGoogle Scholar
  27. 27.
    Giacobazzi, R., Mastroeni, I.: Abstract non-interference: parameterizing non-interference by abstract interpretation. In: POPL (2004)Google Scholar
  28. 28.
    Goguen, J.A., Meseguer, J.: Security policies and security models. In: S&P (1982)Google Scholar
  29. 29.
    Gordon, M.I., Kim, D., Perkins, J.H., Gilham, L., Nguyen, N., Rinard, M.C.: Information flow analysis of android applications in droidsafe. In: NDSS (2015)Google Scholar
  30. 30.
    Hedin, D., Birgisson, A., Bello, L., Sabelfeld, A.: JSFlow: tracking information flow in javaScript and its APIs. In: SAC (2014)Google Scholar
  31. 31.
    Hedin, D., Bello, L., Sabelfeld, A.: Value-sensitive hybrid information flow control for a javascript-like language. In: CSF (2015)Google Scholar
  32. 32.
    Hunt, S., Sands, D.: On flow-sensitive security types. In: POPL, pp. 79–90 (2006)Google Scholar
  33. 33.
    Jang, D., Jhala, R., Lerner, S., Shacham, H.: An empirical study of privacy-violating information flows in javaScript web applications. In: CCS (2010)Google Scholar
  34. 34.
    Kang, M.G., McCamant, S., Poosankam, P., Song, D.: DTA++: dynamic taint analysis with targeted control-flow propagation. In: NDSS (2011)Google Scholar
  35. 35.
    King, D., Hicks, B., Hicks, M., Jaeger, T.: Implicit flows: can’t live with ‘Em, can’t live without ‘Em. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 56–70. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-89862-7_4 CrossRefGoogle Scholar
  36. 36.
    Le Guernic, G.: Confidentiality enforcement using dynamic information flow analyses. Ph.D. thesis, Kansas State University (2007)Google Scholar
  37. 37.
    Magazinius, J., Russo, A., Sabelfeld, A.: On-the-fly inlining of dynamic security monitors. Comput. Secur. 31, 827–843 (2010)CrossRefGoogle Scholar
  38. 38.
    McLean, J.: A general theory of composition for trace sets closed under selective interleaving functions. In: S&P (1994)Google Scholar
  39. 39.
    Moore, S., Chong, S.: Static analysis for efficient hybrid information-flow control. In: CSF (2011)Google Scholar
  40. 40.
    Nanevski, A., Banerjee, A., Garg, D.: Dependent type theory for verification of information flow and access control policies. ACM Trans. Program. Lang. 35, 6 (2013)Google Scholar
  41. 41.
  42. 42.
    Russo, A., Sabelfeld, A., Li, K.: Implicit flows in malicious and nonmalicious code. Marktoberdorf Summer School (IOS Press) (2009)Google Scholar
  43. 43.
    Russo, A., Sabelfeld, A.: Dynamic vs. static flow-sensitive security analysis. In: CSF (2010)Google Scholar
  44. 44.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. JSAC 21, 5–19 (2003)Google Scholar
  45. 45.
    Schoepe, D., Balliu, M., Pierce, B.C., Sabelfeld, A.: Explicit secrecy: a policy for taint tracking. In: EuroS&P (2016)Google Scholar
  46. 46.
    Schoepe, D., Balliu, M., Piessens, F., Sabelfeld, A.: Let’s face it: faceted values for taint tracking. In: ESORICS (2016)Google Scholar
  47. 47.
    Schwartz, E.J., Avgerinos, T., Brumley, D.: All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In: S&P 2010 (2010)Google Scholar
  48. 48.
    Shroff, P., Smith, S., Thober, M.: Dynamic dependency monitoring to secure information flow. In: CSF (2007)Google Scholar
  49. 49.
    SnoopWall: Flashlight Apps Threat Assessment Report (2014).
  50. 50.
    Staicu, C., Pradel, M.: An empirical study of implicit information flow (2015). poster at PLDI.
  51. 51.
  52. 52.
    Tripp, O., Ferrara, P., Pistoia, M.: Hybrid security analysis of web javascript code via dynamic partial evaluation. In: ISSTA (2014)Google Scholar
  53. 53.
    Vachharajani, N., Bridges, M.J., Chang, J., Rangan, R., Ottoni, G., Blome, J.A., Reis, G.A., Vachharajani, M., August, D.I.: RIFLE: an architectural framework for user-centric information-flow security. In: MICRO (2004)Google Scholar
  54. 54.
    Vallée-Rai, R., Co, P., Gagnon, E., Hendren, L.J., Lam, P., Sundaresan, V.: Soot - a java bytecode optimization framework. In: CASCR (1999)Google Scholar
  55. 55.
    Venkatakrishnan, V.N., Xu, W., DuVarney, D.C., Sekar, R.: Provably correct runtime enforcement of non-interference properties. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 332–351. Springer, Heidelberg (2006). doi: 10.1007/11935308_24 CrossRefGoogle Scholar
  56. 56.
    Volpano, D., Smith, G., Irvine, C.: A sound type system for secure flow analysis. JCS 4, 167–187 (1996)CrossRefGoogle Scholar
  57. 57.
    Volpano, D.: Safety versus secrecy. In: Cortesi, A., Filé, G. (eds.) SAS 1999. LNCS, vol. 1694, pp. 303–311. Springer, Heidelberg (1999). doi: 10.1007/3-540-48294-6_20 CrossRefGoogle Scholar
  58. 58.
    Zdancewic, S.A.: Programming languages for information security. Ph.D. thesis, Cornell University, Ithaca, NY, USA (2002)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Musard Balliu
    • 1
  • Daniel Schoepe
    • 1
  • Andrei Sabelfeld
    • 1
  1. 1.Chalmers University of TechnologyGothenburgSweden

Personalised recommendations