Efficient purely-dynamic information flow analysis

Austin, Thomas H.; Flanagan, Cormac

doi:10.1145/1554339.1554353

Cited by 156 publications

(201 citation statements)

References 34 publications

(28 reference statements)

Supporting

Mentioning

200

Contrasting

Order By: Relevance

“…Having both is impossible: a purely dynamic flow-sensitive monitor (as, e.g., [5], [6]) will inevitably reject programs that are typable by HuntSands-style type system. To the best of our knowledge, there are no prior impossibility results on permissive purely dynamic monitoring of information-flow policies.…”

Section: Discussionmentioning

confidence: 99%

“…For flow-sensitive monitoring [5], [6], we believe Properties 1-3 hold, but, as we discuss in Section VIII, Property 4 does not hold because it is not allowed to first relabel a public variable in high context and then branch on it. This is consistent with our result that having all of Properties 1-4 is impossible in a flow-sensitive setting.…”

Section: Dynamic Flow-sensitive Monitoringmentioning

confidence: 99%

“…Austin and Flanagan [5], [6] suggest a purely dynamic monitor for information flow with a limited form of flow sensitivity. They discuss two disciplines: no sensitive-upgrade, where the execution gets stuck on an attempt to assign to a public variable in secret context, and permissive-upgrade, where on an attempt to assign to a public variable in secret context, the public variable is marked as one that cannot be branched on later in the execution.…”

Section: Related Workmentioning

confidence: 99%

“…Recently, it has been shown (e.g., [43], [5], [4], [39], [6]) that purely dynamic monitors can enforce the same security policy as Denning-style static analysis: terminationinsensitive noninterference. In addition, Sabelfeld and Russo [43] prove that sound purely dynamic information-flow enforcement is more permissive than static analysis in the flow-insensitive case (where variables are assigned security levels at the beginning of the execution and this assignment is kept unchanged during the execution).…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Dynamic vs. Static Flow-Sensitive Security Analysis

Russo

Sabelfeld

2010

2010 23rd IEEE Computer Security Foundations Symposium

152

216

View full text Add to dashboard Cite

Abstract-This paper seeks to answer fundamental questions about trade-offs between static and dynamic security analysis. It has been previously shown that flow-sensitive static information-flow analysis is a natural generalization of flowinsensitive static analysis, which allows accepting more secure programs. It has been also shown that sound purely dynamic information-flow enforcement is more permissive than static analysis in the flow-insensitive case. We argue that the step from flow-insensitive to flow-sensitive is fundamentally limited for purely dynamic information-flow controls. We prove impossibility of a sound purely dynamic information-flow monitor that accepts programs certified by a classical flow-sensitive static analysis. A side implication is impossibility of permissive dynamic instrumented security semantics for information flow, which guides us to uncover an unsound semantics from the literature. We present a general framework for hybrid mechanisms that is parameterized in the static part and in the reaction method of the enforcement (stop, suppress, or rewrite) and give security guarantees with respect to terminationinsensitive noninterference for a simple language with output.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Dynamic Flow-sensitive Monitoringmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Dynamic vs. Static Flow-Sensitive Security Analysis

Russo

Sabelfeld

2010

2010 23rd IEEE Computer Security Foundations Symposium

152

216

View full text Add to dashboard Cite

show abstract

“…While the above tools are mostly based on static analysis, considerable progress has been also made on understanding monitoring for secure information flow [12,43,41,18,17,37,25,34,2,1]. Mozilla's ongoing project FlowSafe [9] aims at empowering Firefox with runtime information-flow tracking, where dynamic information-flow reference monitoring [2,3] lies at its core.…”

Section: Introductionmentioning

confidence: 99%

On-the-fly inlining of dynamic security monitors

Magazinius

Russo

Sabelfeld

2012

Computers & Security

View full text Add to dashboard Cite

Abstract. Language-based information-flow security considers programs that manipulate pieces of data at different sensitivity levels. Securing information flow in such programs remains an open challenge. Recently, considerable progress has been made on understanding dynamic monitoring for secure information flow. This paper presents a framework for inlining dynamic information-flow monitors. A novel feature of our framework is the ability to perform inlining on the fly. We consider a source language that includes dynamic code evaluation of strings whose content might not be known until runtime. To secure this construct, our inlining is done on the fly, at the string evaluation time, and, just like conventional offline inlining, requires no modification of the hosting runtime environment. We present a formalization for a simple language to show that the inlined code is secure: it satisfies a noninterference property. We also discuss practical considerations and preliminary experimental results.

show abstract

Static analysis of JavaScript libraries in a scalable and precise way using loop sensitivity

2017

View full text Add to dashboard Cite

Statically analyzing JavaScript applications often requires an analysis of JavaScript libraries because many JavaScript applications use libraries. However, static analysis techniques for JavaScript are not yet ready for analyzing libraries in a scalable and precise manner. Simply loading JavaScript libraries uses various dynamic features of JavaScript, which cause static analyzers to suffer from mutually intermingled problems of scalability and imprecision. In this paper, we present a loop-sensitive analysis (LSA) technique, which can improve the analysis scalability when analyzing JavaScript libraries by enhancing the analysis precision of loops. The LSA technique distinguishes loop iterations when loop conditions can be determined to be either true or false precisely. We formalize LSA in the abstract interpretation framework in the presence of tricky language features such as exceptions and prove its soundness and precision theorems using Coq. We evaluate our LSA implementation with the analysis results of programs that use 5 JavaScript libraries and show that LSA significantly improves the analysis scalability and precision of an existing JavaScript static analyzer when analyzing JavaScript libraries. In addition, using the configurability of LSA, we experimentally show the correlation between scalability and precision in the analysis of JavaScript libraries. We found that even the analysis of simple programs that just load jQuery, which is the most popular JavaScript library, in a scalable way requires distinguishing not only the last 4 functions being called but also 40 iterations in each loop with 2-level nested loops at least. Both the mechanization and implementation of LSA are publicly available. KEYWORDSabstract interpretation, context-sensitive analysis, JavaScript, libraries, loop-sensitive analysis, static analysis The results in this paper are based in part on findings presented at the Proceeding of the 29th European Conference on Object-Oriented Programming (ECOOP'15).Softw Pract Exper. 2018;48:911-944.wileyonlinelibrary.com/journal/spe

show abstract

Efficient purely-dynamic information flow analysis

Cited by 156 publications

References 34 publications

Dynamic vs. Static Flow-Sensitive Security Analysis

Dynamic vs. Static Flow-Sensitive Security Analysis

On-the-fly inlining of dynamic security monitors

Static analysis of JavaScript libraries in a scalable and precise way using loop sensitivity

Contact Info

Product

Resources

About