Implicit Flows: Can’t Live with ‘Em, Can’t Live without ‘Em

King, Dave; Hicks, Boniface; Hicks, Michael; Jaeger, Trent

doi:10.1007/978-3-540-89862-7_4

Cited by 71 publications

(50 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Indeed, the prevalence of taint-tracking mechanisms (e.g., Perl's taint mode, and numerous systems [2,32,56,61]) show that it is intuitive and appealing for developers to consider just explicit flows. Moreover, tracking only explicit flows leads to fewer false positives (albeit at the cost of more false negatives) [15,29].…”

Section: Security Guarantees From Pdgsmentioning

confidence: 99%

Exploring and enforcing security guarantees via program dependence graphs

Johnson

Waye

Moore

et al. 2015

Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

We present PIDGIN, a program analysis and understanding tool that enables the specification and enforcement of precise applicationspecific information security guarantees. PIDGIN also allows developers to interactively explore the information flows in their applications to develop policies and investigate counter-examples.PIDGIN combines program dependence graphs (PDGs), which precisely capture the information flows in a whole application, with a custom PDG query language. Queries express properties about the paths in the PDG; because paths in the PDG correspond to information flows in the application, queries can be used to specify global security policies.PIDGIN is scalable. Generating a PDG for a 330k line Java application takes 90 seconds, and checking a policy on that PDG takes under 14 seconds. The query language is expressive, supporting a large class of precise, application-specific security guarantees. Policies are separate from the code and do not interfere with testing or development, and can be used for security regression testing.We describe the design and implementation of PIDGIN and report on using it: (1) to explore information security guarantees in legacy programs; (2) to develop and modify security policies concurrently with application development; and (3) to develop policies based on known vulnerabilities.

show abstract

Section: Security Guarantees From Pdgsmentioning

confidence: 99%

Exploring and enforcing security guarantees via program dependence graphs

Johnson

Waye

Moore

et al. 2015

Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

show abstract

“…λ info is much simpler than JavaScript, allowing us to reason more easily about some of the challenges involved in correctly handling implicit flows. Although exceptions add important additional complexities to implicit flows [2,24], we leave them for future work.…”

Section: A Core Language For Information Flowmentioning

confidence: 99%

“…Askarov et al [1] demonstrate that Denning-style analysis may leak more than one bit in the presence of intermediary output channels, but that any attack will be limited to a brute-force approach. Askarov and Sabelfeld [2] and King et al [24] discuss exception handling challenges. Livshits et al [25] design a system for inferring information flow policies to handle explicit flows.…”

Section: Figure 8: Privatization Inference Evaluation Rulesmentioning

confidence: 99%

Permissive dynamic information flow analysis

Austin

Flanagan

2010

Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security

106

132

View full text Add to dashboard Cite

A key challenge in dynamic information flow analysis is handling implicit flows, where code conditional on a private variable updates a public variable x. The naive approach of upgrading x to private results in x being partially leaked, where its value contains private data but its label might remain public on an alternative execution (where the conditional update was not performed). Prior work proposed the no-sensitive-upgrade check, which handles implicit flows by prohibiting partially leaked data, but attempts to update a public variable from a private context causes execution to get stuck.To overcome this limitation, we develop a sound yet flexible permissive-upgrade strategy. To prevent information leaks, partially leaked data is permitted but carefully tracked to ensure that it is never totally leaked. This permissiveupgrade strategy is more flexible than the prior approaches such as the no-sensitive-upgrade check.Under the permissive-upgrade strategy, partially leaked data must be marked as private before being used in a conditional test, thereby ensuring that it is private for both the current execution as well as alternate execution paths. This paper also presents a dynamic analysis technique for inferring these privatization operations and inserting them into the program source code. The combination of these techniques allows more programs to run to completion, while still guaranteeing termination-insensitive non-interference in a purely dynamic manner.

show abstract

“…Others, including Safe, also track implicit flows [8]-situations where the program's control state depends on secret data. A benefit of dealing with implicit flows is that we get a crisp statement of the security guarantee provided by the information-flow tracking mechanism: a noninterference theorem [6], stating (roughly) that the sensitive inputs of a program cannot influence its public outputs.…”

Section: Language Design and Information Flowmentioning

confidence: 99%

Preliminary design of the SAFE platform

DeHon

Karel

Knight

et al. 2011

Proceedings of the 6th Workshop on Programming Languages and Operating Systems

View full text Add to dashboard Cite

Safe is a clean-slate design for a secure host architecture. It integrates advances in programming languages, operating systems, and hardware and incorporates formal methods at every step. Though the project is still at an early stage, we have assembled a set of basic architectural choices that we believe will yield a high-assurance system. We sketch the current state of the design and discuss several of these choices.

show abstract

Implicit Flows: Can’t Live with ‘Em, Can’t Live without ‘Em

Cited by 71 publications

References 23 publications

Exploring and enforcing security guarantees via program dependence graphs

Exploring and enforcing security guarantees via program dependence graphs

Permissive dynamic information flow analysis

Preliminary design of the SAFE platform

Contact Info

Product

Resources

About