A Low-Overhead, Value-Tracking Approach to Information Flow Security

  • Conference paper
Software Engineering and Formal Methods (SEFM 2012)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 7504)

Abstract

We present a hybrid approach to information flow security where security violations are detected at execution time. We track secure values and secure locations at run time to prevent problems such as password disclosure in C programs. This analysis is safe in the presence of pointer aliasing. Such problems are hard to solve using static analysis (or lead to many false positives). Our technique works on programs with annotations that identify values and locations that need to be secure. We instrument the annotated program with statements that capture relevant information flow with assertions that detect any violation. This instrumentation does not interfere with the safe assignment of values to variables in the program. The instrumented assertions are invoked only when relevant values or locations are involved. We demonstrate the applicability of our approach by analysing various Linux utilities such as su, sudo, passwd, ftp and ssh. Our experiments show that for safe executions the overhead introduced by our instrumentation is, on average, less than 1%.
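The kind of run-time check the abstract describes can be sketched in C as follows. This is an added illustration, not the authors' instrumentation: `mark_secure`, `flow_violation` and `checked_write` are hypothetical names, the secret is a constructed sample, and the value check is a simple exact byte match.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical run-time monitor: a table of locations annotated as secure. */
struct region { const char *base; size_t len; };
static struct region secure[8];
static size_t n_secure;

/* Stand-in for a source annotation that marks a location as secure. */
static void mark_secure(const void *p, size_t len) {
    if (n_secure < 8) { secure[n_secure].base = p; secure[n_secure].len = len; n_secure++; }
}

/* Returns 1 if writing out[0..len) would disclose a secure location or value. */
static int flow_violation(const char *out, size_t len) {
    uintptr_t lo = (uintptr_t)out, hi = lo + len;
    for (size_t i = 0; i < n_secure; i++) {
        uintptr_t rlo = (uintptr_t)secure[i].base, rhi = rlo + secure[i].len;
        /* Location check: address overlap catches any alias into the region. */
        if (lo < rhi && rlo < hi) return 1;
        /* Value check: the string currently stored in the region, copied elsewhere. */
        const char *nul = memchr(secure[i].base, 0, secure[i].len);
        size_t slen = nul ? (size_t)(nul - secure[i].base) : secure[i].len;
        if (slen == 0 || slen > len) continue;
        for (size_t off = 0; off + slen <= len; off++)
            if (memcmp(out + off, secure[i].base, slen) == 0) return 1;
    }
    return 0;
}

/* Instrumented output sink: the assertion runs before the real write. */
static int checked_write(FILE *fp, const char *buf, size_t len) {
    if (flow_violation(buf, len)) return -1;         /* violation: nothing is written */
    return fwrite(buf, 1, len, fp) == len ? 0 : -2;  /* -2: underlying write failed */
}

int main(void) {
    char password[16] = "hunter2";                   /* constructed sample secret */
    char copy[32];
    mark_secure(password, sizeof password);
    snprintf(copy, sizeof copy, "pw=%s\n", password);
    const char *alias = password + 2;                /* pointer alias into the secret */
    const char ok[] = "login failed\n";
    printf("alias:%d copy:%d ok:%d\n", checked_write(stdout, alias, 3),
           checked_write(stdout, copy, strlen(copy)), checked_write(stdout, ok, strlen(ok)));
    return 0;
}
```

The aliased pointer is rejected by the address comparison and the copied buffer by the value comparison, while the unrelated message passes through unchanged.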

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Vorobyov, K., Krishnan, P., Stocks, P. (2012). A Low-Overhead, Value-Tracking Approach to Information Flow Security. In: Eleftherakis, G., Hinchey, M., Holcombe, M. (eds) Software Engineering and Formal Methods. SEFM 2012. Lecture Notes in Computer Science, vol 7504. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33826-7_26

  • DOI: https://doi.org/10.1007/978-3-642-33826-7_26

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33825-0

  • Online ISBN: 978-3-642-33826-7

  • eBook Packages: Computer Science, Computer Science (R0)
