Thomas H. Austin scite author profile

We present a novel approach for efficiently tracking information flow in a dynamically-typed language such as JavaScript. Our approach is purely dynamic, and it detects problems with implicit paths via a dynamic check that avoids the need for an approximate static analyses while still guaranteeing non-interference. We incorporate this check into an efficient evaluation strategy based on sparse information labeling that leaves information flow labels implicit whenever possible, and introduces explicit labels only for values that migrate between security domains. We present experimental results showing that, on a range of small benchmark programs, sparse labeling provides a substantial (30%-50%) speed-up over universal labeling.

show abstract

Multiple facets for dynamic information flow

Austin

Flanagan

2012

126

192

View full text Add to dashboard Cite

JavaScript has become a central technology of the web, but it is also the source of many security problems, including cross-site scripting attacks and malicious advertising code. Central to these problems is the fact that code from untrusted sources runs with full privileges. We implement information flow controls in Firefox to help prevent violations of data confidentiality and integrity. Most previous information flow techniques have primarily relied on either static type systems, which are a poor fit for JavaScript, or on dynamic analyses that sometimes get stuck due to problematic implicit flows, even in situations where the target web application correctly satisfies the desired security policy. We introduce faceted values, a new mechanism for providing information flow security in a dynamic manner that overcomes these limitations. Taking inspiration from secure multi-execution, we use faceted values to simultaneously and efficiently simulate multiple executions for different security levels, thus providing non-interference with minimal overhead, and without the reliance on the stuck executions of prior dynamic approaches.

show abstract

Permissive dynamic information flow analysis

2010

View full text Add to dashboard Cite

A key challenge in dynamic information flow analysis is handling implicit flows, where code conditional on a private variable updates a public variable x. The naive approach of upgrading x to private results in x being partially leaked, where its value contains private data but its label might remain public on an alternative execution (where the conditional update was not performed). Prior work proposed the no-sensitive-upgrade check, which handles implicit flows by prohibiting partially leaked data, but attempts to update a public variable from a private context causes execution to get stuck.To overcome this limitation, we develop a sound yet flexible permissive-upgrade strategy. To prevent information leaks, partially leaked data is permitted but carefully tracked to ensure that it is never totally leaked. This permissiveupgrade strategy is more flexible than the prior approaches such as the no-sensitive-upgrade check.Under the permissive-upgrade strategy, partially leaked data must be marked as private before being used in a conditional test, thereby ensuring that it is private for both the current execution as well as alternate execution paths. This paper also presents a dynamic analysis technique for inferring these privatization operations and inserting them into the program source code. The combination of these techniques allows more programs to run to completion, while still guaranteeing termination-insensitive non-interference in a purely dynamic manner.

show abstract

A comparison of static, dynamic, and hybrid analysis for malware detection

Damodaran

Troia

Visaggio

et al. 2015

J Comput Virol Hack Tech

311

128

View full text Add to dashboard Cite

Hidden Markov models for malware classification

Annachhatre

Austin

Stamp

2014

J Comput Virol Hack Tech

View full text Add to dashboard Cite

show abstract

Exploring Hidden Markov Models for Virus Analysis: A Semantic Approach

Austin

Filiol

Josse

et al. 2013

View full text Add to dashboard Cite

Hunting for metamorphic JavaScript malware

Musale

Austin

Stamp

2014

J Comput Virol Hack Tech

View full text Add to dashboard Cite

Hunting For Metamorphic JavaScript Malware by Mangesh MusaleInternet plays a major role in the propagation of malware. A recent trend is the infection of machines through web pages, often due to malicious code inserted in JavaScript. From the malware writer's perspective, one potential advantage of JavaScript is that powerful code obfuscation techniques can be applied to evade detection. In this research, we analyze metamorphic JavaScript malware. We compare the effectiveness of several static detection strategies and we quantify the degree of morphing required to defeat each of these techniques. ACKNOWLEDGMENTS

show abstract

Precise, dynamic information flow for database-backed applications

Yang

Hance²,

Austin

et al. 2016

View full text Add to dashboard Cite

We present an approach for dynamic information flow control across the application and database. Our approach reduces the amount of policy code required, yields formal guarantees across the application and database, works with existing relational database implementations, and scales for realistic applications. In this paper, we present a programming model that factors out information flow policies from application code and database queries, a dynamic semantics for the underlying λ JDB core language, and proofs of termination-insensitive non-interference and policy compliance for the semantics. We implement these ideas in Jacqueline, a Python web framework, and demonstrate feasibility through three application case studies: a course manager, a health record system, and a conference management system used to run an academic workshop. We show that in comparison to traditional applications with hand-coded policy checks, Jacqueline applications have 1) a smaller trusted computing base, 2) fewer lines of policy code, and 2) reasonable, often negligible, overheads.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

334 Leonard St

Brooklyn, NY 11211

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Thomas H. Austin

Efficient purely-dynamic information flow analysis

Multiple facets for dynamic information flow

Permissive dynamic information flow analysis

A comparison of static, dynamic, and hybrid analysis for malware detection

Hidden Markov models for malware classification

Exploring Hidden Markov Models for Virus Analysis: A Semantic Approach

Hunting for metamorphic JavaScript malware

Precise, dynamic information flow for database-backed applications

Contact Info

Product

Resources

About