2010 23rd IEEE Computer Security Foundations Symposium
DOI: 10.1109/csf.2010.20
Abstract: This paper seeks to answer fundamental questions about trade-offs between static and dynamic security analysis. It has been previously shown that flow-sensitive static information-flow analysis is a natural generalization of flow-insensitive static analysis, which allows accepting more secure programs. It has also been shown that sound purely dynamic information-flow enforcement is more permissive than static analysis in the flow-insensitive case. We argue that the step from flow-insensitive to flow-se…

Cited by 152 publications (220 citation statements); references 46 publications.
“…Some readers may find this odd: In order to fully address implicit flows, it is usually necessary to modify the rules for memory stores to handle the case where the pc is labeled high (Austin and Flanagan 2009;Russo and Sabelfeld 2010). The current machine doesn't require this, but the reason is subtle: here, the pc can go from L to H when we jump to a secret address, but it never goes from H to L!…”
Section: Jumps, Implicit Flows and The Pc Label (citation type: mentioning; confidence: 99%)
“…The mechanisms involved are intricate and easy to get wrong: static type systems must impose numerous constraints that interact with other typing rules in subtle ways (Sabelfeld and Myers 2003), while dynamic mechanisms must appropriately propagate taints and raise security exceptions when necessary (Austin and Flanagan 2009, 2010; Fenton 1974; Sabelfeld and Russo 2009). In a dynamic setting, allowing IFC labels to vary dynamically (i.e., performing flow-sensitive analysis) can lead to subtle information leaks through the labels themselves (Russo and Sabelfeld 2010; Zheng and Myers 2007); these leaks are particularly hard to avoid if labels are observable inside the language (Hriţcu et al. 2013a; Stefan et al. 2011). This intricacy makes it hard to be confident in the correctness of such mechanisms without detailed proofs; however, carrying out these proofs while designing the mechanisms can be an exercise in frustration, with a great deal of time spent attempting to verify broken definitions!…”
Section: Introduction (citation type: mentioning; confidence: 99%)
“…They inline a flow-sensitive hybrid monitor by Russo and Sabelfeld [31]. The soundness of the inlined monitor is ensured by bisimulation of the inlined monitor and the original monitor.…”
Section: Related Work (citation type: mentioning; confidence: 99%)
“…In addition, Austin and Flanagan [2] use pc to restrict updates of variables' security levels: changes of variables' security levels are not allowed when the security context (pc) is set to H. This restriction helps to prevent attackers from turning flow sensitivity into a channel for laundering secrets [34,31]. With this in mind, the inlining of x := e demands that pc x before updating x.…”
Section: Inlining Transformation (citation type: mentioning; confidence: 99%)