Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs

Hammer, Christian; Snelting, Gregor

doi:10.1007/s10207-009-0086-1

Cited by 172 publications

(145 citation statements)

References 51 publications

Supporting

Mentioning

141

Contrasting

Order By: Relevance

“…Later work by Horwitz et al [HRB90] casts the slicing problem as a graph traversal problem and extends the basic algorithm to the inter-procedural case, using a powerful grammar-based technique to analyse procedure calls in a context-sensitive manner. Hammer and Snelting [HS09,Ham10] explicitly apply this graph-based approach to the problem of information flow analysis. The algorithm presented by Horwitz et al is polynomial but the accompanying algorithmic analysis is stated for measures which are specific to their grammar constructions, preventing any straightforward comparison with the algorithm sketched for procedures in the current paper.…”

Section: Related Workmentioning

confidence: 99%

From Exponential to Polynomial-Time Security Typing via Principal Types

Hunt

Sands

2011

Programming Languages and Systems

View full text Add to dashboard Cite

Abstract. Hunt and Sands (POPL'06) studied a flow sensitive type (FST) system for multi-level security, parametric in the choice of lattice of security levels. Choosing the powerset of program variables as the security lattice yields a system which was shown to be equivalent to Amtoft and Banerjee's Hoare-style independence logic (SAS'04). Moreover, using the powerset lattice, it was shown how to derive a principal type from which all other types (for all choices of lattice) can be simply derived. Both of these earlier works gave "algorithmic" formulations of the type system/program logic, but both algorithms are of exponential complexity due to the iterative typing of While loops. Later work by Hunt and Sands (ESOP'08) adapted the FST system to provide an erasure type system which determines whether some input is correctly erased at a designated time. This type system is inherently exponential, requiring a double typing of the erasure-labelled input command. In this paper we start by developing the FST work in two key ways: (1) We specialise the FST system to a form which only derives principal types; the resulting type system has a simple algorithmic reading, yielding principal security types in polynomial time. (2) We show how the FST system can be simply extended to check for various degrees of termination sensitivity (the original FST system is completely termination insensitive, while the erasure type system is fully termination sensitive). We go on to demonstrate the power of these techniques by combining them to develop a type system which is shown to correctly implement erasure typing in polynomial time. Principality is used in an essential way to reduce type derivation size from exponential to linear.

show abstract

Section: Related Workmentioning

confidence: 99%

From Exponential to Polynomial-Time Security Typing via Principal Types

Hunt

Sands

2011

Programming Languages and Systems

View full text Add to dashboard Cite

show abstract

“…In terms of data flow tracking, our approach restricts the standard notion of information flow analysis which also caters to implicit flows and aims at noninterference assessments [37,38,21,22]: our system detects only flows from container to container. This explains why we prefer to speak of data flow rather than information flow.…”

Section: Related Workmentioning

confidence: 99%

“…opened, (lines 12-15) at most 4 further times and within 30 seconds (1 timestep = 1 second) after the first use (lines [8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27]; further attempts of opening the file will result in opening a predefined error message (lines 28-34).…”

Section: B1 Operating Systemmentioning

confidence: 99%

“…We do not discuss performance nor policy management either. Contribution Data flow tracking at specific layers of abstraction has been done in a multitude of ways [3,4,[11][12][13][14][15][16][17][18][19][20], also in the form of information flow analyses where implicit flows are also taken into account [21,22]. As far as we are aware, this work ends where sensitive (or tainted) data is moved to illegal sinks, e.g., when a file is written or an http post request is sent.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Representation-Independent Data Usage Control

Pretschner

Lovat

Büchler

2012

Data Privacy Management and Autonomous Spontaneus Security

View full text Add to dashboard Cite

Abstract. Usage control is concerned with what happens to data after access has been granted. In the literature, usage control models have been defined on the grounds of events that, somehow, are related to data. In order to better cater to the dimension of data, we extend a usage control model by the explicit distinction between data and representation of data. A data flow model is used to track the flow of data in-between different representations. The usage control model is then extended so that usage control policies can address not just one single representation (e.g., delete file1.txt after thirty days) but rather all representations of the data (e.g., if file1.txt is a copy of file2.txt, also delete file2.txt). We present three proof-of-concept implementations of the model, at the operating system level, at the browser level, and at the X11 level, and also provide an ad-hoc implementation for cross-layer enforcement.

show abstract

“…Hammer and Snelting describe how static analysis can be used to check whether the confidentiality or the integrity of the data processed by a program can be threatened by a user [13]. For their information-flow control, they use a program dependence graph, a representation already known in the area of static program analysis [15,3,11].…”

Section: Related Workmentioning

confidence: 99%

An Approach to Detecting Inter-Session Data Flow Induced by Object Pooling

Berger

Sohr

2012

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Abstract. Security tools, using static code analysis, are employed to find common bug classes, such as SQL injections and cross-site scripting vulnerabilities. This paper focuses on another bug class that is related to the object-pool pattern, which allows objects to be reused over multiple sessions. We show that the pattern is applied in a wide range of Java Enterprise frameworks and describe the problem of inter-session data flows, which comes along with the pattern. To demonstrate that the problem is relevant, we analyzed different open-source and a proprietary commercial software, with the help of a detection approach we introduce. We were able to show that the problem class occurred in these applications and posed a threat to the confidentiality of the closed-source software.

show abstract

Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs

Cited by 172 publications

References 51 publications

From Exponential to Polynomial-Time Security Typing via Principal Types

From Exponential to Polynomial-Time Security Typing via Principal Types

Representation-Independent Data Usage Control

An Approach to Detecting Inter-Session Data Flow Induced by Object Pooling

Contact Info

Product

Resources

About