Secure Multi-Execution through Static Program Transformation

  • Gilles Barthe
  • Juan Manuel Crespo
  • Dominique Devriese
  • Frank Piessens
  • Exequiel Rivas
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7273)


Secure multi-execution (SME) is a dynamic technique to ensure secure information flow. In a nutshell, SME enforces security by running one execution of the program per security level, and by reinterpreting input/output operations w.r.t. their associated security level. SME is sound, in the sense that the execution of a program under SME is non-interfering, and precise, in the sense that for programs that are non-interfering in the usual sense, the semantics of a program under SME coincides with its standard semantics. A further virtue of SME is that its core idea is language-independent; it can be applied to a broad range of languages. A downside of SME is the fact that existing implementation techniques require modifications to the runtime environment, e.g. the browser for Web applications. In this article, we develop an alternative approach where the effect of SME is achieved through program transformation, without modifications to the runtime, thus supporting server-side deployment on the web. We show on an exemplary language with input/output and dynamic code evaluation (modeled after JavaScript’s eval) that our transformation is sound and precise. The crux of the proof is a simulation between the execution of the transformed program and the SME execution of the original program. This proof has been machine-checked using the Agda proof assistant. We also report on prototype implementations for a small fragment of Python and a substantial subset of JavaScript.


Security Level Operational Semantic Output Channel Input Channel Input Pointer 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Askarov, A., Sabelfeld, A.: Tight enforcement of information-release policies for dynamic languages. In: CSF, pp. 43–59 (2009)Google Scholar
  2. 2.
    Austin, T., Flanagan, C.: Multiple facets for dynamic information flow. In: POPL (2012)Google Scholar
  3. 3.
    Austin, T.H., Flanagan, C.: Permissive dynamic information flow analysis. In: PLAS (2010)Google Scholar
  4. 4.
    Barthe, G., Crespo, J.M., Devriese, D., Piessens, F., Rivas, E.: Secure multi-execution through static program transformation: extended version. Technical Report CW620, Department of Computer Science, Katholieke Universiteit Leuven (2012)Google Scholar
  5. 5.
    Barthe, G., D’Argenio, P.R., Rezk, T.: Secure information flow by self-composition. In: CSFW, pp. 100–114 (2004)Google Scholar
  6. 6.
    Bielova, N., Devriese, D., Massacci, F., Piessens, F.: Reactive non-interference for a browser model. In: NSS (2011)Google Scholar
  7. 7.
    Birgisson, A., Russo, A., Sabelfeld, A.: Capabilities for information flow. In: PLAS (2011)Google Scholar
  8. 8.
    Capizzi, R., Longo, A., Venkatakrishnan, V.N., Prasad Sistla, A.: Preventing information leaks through shadow executions. In: ACSAC (2008)Google Scholar
  9. 9.
    Cavadini, S.: Secure slices of insecure programs. In: ASIACCS, pp. 112–122 (2008)Google Scholar
  10. 10.
    Chudnov, A., Naumann, D.A.: Information flow monitor inlining. In: CSF, pp. 200–214 (2010)Google Scholar
  11. 11.
    Chugh, R., Meister, J.A., Jhala, R., Lerner, S.: Staged information flow for Javascript. In: PLDI (2009)Google Scholar
  12. 12.
    Cristiá, M., Mata, P.: Runtime enforcement of noninterference by duplicating processes and their memories. In: WSEGI 2009 (2009)Google Scholar
  13. 13.
    Crockford, D.: Adsafe (December 2009),
  14. 14.
    Devriese, D., Piessens, F.: Noninterference through secure multi-execution. In: IEEE Symposium on Security and Privacy, pp. 109–124 (2010)Google Scholar
  15. 15.
  16. 16.
    Le Guernic, G.: Confidentiality Enforcement Using Dynamic Information Flow Analyses. PhD thesis, Kansas State University (2007)Google Scholar
  17. 17.
    Heintze, N., Riecke, J.G.: The SLam calculus: programming with secrecy and integrity. In: Proc. ACM Symp. on Principles of Programming Languages, pp. 365–377 (January 1998)Google Scholar
  18. 18.
    Jaskelioff, M., Russo, A.: Secure multi-execution in haskell. In: PSI (2011)Google Scholar
  19. 19.
    Kashyap, V., Wiedermann, B., Hardekopf, B.: Timing- and termination-sensitive secure information flow: Exploring a new approach. In: Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP 2011, pp. 413–428. IEEE Computer Society, Washington, DC (2011)CrossRefGoogle Scholar
  20. 20.
    Louw, M.T., Ganesh, K.T., Venkatakrishnan, V.N.: Adjail: Practical enforcement of confidentiality and integrity policies on web advertisements. In: USENIX Security Symposium, pp. 371–388 (2010)Google Scholar
  21. 21.
    Maffeis, S., Mitchell, J.C., Taly, A.: Isolating JavaScript with Filters, Rewriting, and Wrappers. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 505–522. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  22. 22.
    Maffeis, S., Mitchell, J.C., Taly, A.: Object capabilities and isolation of untrusted web applications. In: IEEE Symposium on Security and Privacy, pp. 125–140 (2010)Google Scholar
  23. 23.
    Miller, M.S., Samuel, M., Laurie, B., Awad, I., Stay, M.: Caja: Safe active content in sanitized javascript (January 2008),
  24. 24.
    Myers, A.C.: JFlow: Practical mostly-static information flow control. In: Proc. ACM Symp. on Principles of Programming Languages, pp. 228–241 (January 1999)Google Scholar
  25. 25.
    Richards, G., Hammer, C., Burg, B., Vitek, J.: The Eval That Men Do. In: Mezini, M. (ed.) ECOOP 2011. LNCS, vol. 6813, pp. 52–78. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  26. 26.
    Russo, A., Sabelfeld, A.: Securing timeout instructions in web applications. In: CSF, pp. 92–106 (2009)Google Scholar
  27. 27.
    Russo, A., Sabelfeld, A., Chudnov, A.: Tracking Information Flow in Dynamic Tree Structures. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 86–103. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  28. 28.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. JSAC 21, 5–19 (2003)Google Scholar
  29. 29.
    Sabelfeld, A., Russo, A.: From Dynamic to Static and Back: Riding the Roller Coaster of Information-Flow Control Research. In: Pnueli, A., Virbitskaite, I., Voronkov, A. (eds.) PSI 2009. LNCS, vol. 5947, pp. 352–365. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  30. 30.
    Taly, A., Erlingsson, U., Miller, M.S., Mitchell, J.C., Nagra, J.: Automated analysis of security-critical javascript apis. In: IEEE Symposium on Security and Privacy (2011)Google Scholar
  31. 31.
    Volpano, D., Irvine, C., Smith, G.: A sound type system for secure flow analysis. Journal of Computer Security 4(2/3), 167–188 (1996)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Gilles Barthe
    • 1
  • Juan Manuel Crespo
    • 1
  • Dominique Devriese
    • 2
  • Frank Piessens
    • 2
  • Exequiel Rivas
    • 1
  1. 1.IMDEA Software InstituteMadridSpain
  2. 2.IBBT-DistriNet Research GroupKULeuvenBelgium

Personalised recommendations