Modelling declassification policies using abstract domain completeness

Mastroeni, Isabella; Banerjee, Anindya

doi:10.1017/s096012951100020x

Cited by 12 publications

(20 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…That is one motivation for research in quantitative information flow analysis. In addition, a number of works investigate weakenings of noninterference and downgrading policies that are conditioned on events or data values (Askarov and Sabelfeld 2007;Banerjee et al 2008;Sabelfeld and Sands 2009;Mastroeni and Banerjee 2011). Assaf (2015, Chapter 4) proposes to take the guarantees provided by termination-insensitive noninterference (Askarov et al 2008) as an explicit definition for security; this Relative Secrecy requirement is inspired by Volpano and Smith (2000) who propose a type-system preventing batch-job programs from leaking secrets in polynomial time.…”

Section: Related Workmentioning

confidence: 99%

“…The relations are defined in terms of abstract interpretations of the individual states/executions. Mastroeni and Banerjee (2011) show how to infer indistinguishability relations-modelling attackers' observations-to find the best abstract noninterference policy that holds. The inference algorithm iteratively refines the relation by using counter-examples and abstract domain completion (Cousot and Cousot 1979).…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Hypercollecting semantics and its application to static analysis of information flow

et al. 2017

View full text Add to dashboard Cite

We show how static analysis for secure information flow can be expressed and proved correct entirely within the framework of abstract interpretation. The key idea is to define a Galois connection that directly approximates the hyperproperty of interest. To enable use of such Galois connections, we introduce a fixpoint characterisation of hypercollecting semantics, i.e. a "set of sets" transformer. This makes it possible to systematically derive static analyses for hyperproperties entirely within the calculational framework of abstract interpretation. We evaluate this technique by deriving example static analyses. For qualitative information flow, we derive a dependence analysis similar to the logic of Amtoft and Banerjee (SAS'04) and the type system of Hunt and Sands (POPL'06). For quantitative information flow, we derive a novel cardinality analysis that bounds the leakage conveyed by a program instead of simply deciding whether it exists. This encompasses problems that are hypersafety but not k-safety. We put the framework to use and introduce variations that achieve precision rivalling the most recent and precise static analyses for information flow.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Hypercollecting semantics and its application to static analysis of information flow

et al. 2017

View full text Add to dashboard Cite

show abstract

“…To this end, several methods automatically infer programming patterns [e.g., 19,32,58] and security specifications [e.g., 28,34,54], from code, revision histories [33], and preconditions of APIs [e.g., 7,41,55]. A related strain of research has followed a more principled approach by modeling and inferring security policies [e.g., 6,36,52,57] for discovering informationflow vulnerabilities. Similar to our method, many of these approaches are based on syntax trees and code slices as well as representations that combine syntax, control flow, and datadependence relationships [e.g., 27,29].…”

Section: Related Workmentioning

confidence: 99%

Automatic Inference of Search Patterns for Taint-Style Vulnerabilities

Yamaguchi

Maier

Gascón

et al. 2015

2015 IEEE Symposium on Security and Privacy

149

View full text Add to dashboard Cite

Taint-style vulnerabilities are a persistent problem in software development, as the recently discovered "Heartbleed" vulnerability strikingly illustrates. In this class of vulnerabilities, attacker-controlled data is passed unsanitized from an input source to a sensitive sink. While simple instances of this vulnerability class can be detected automatically, more subtle defects involving data flow across several functions or projectspecific APIs are mainly discovered by manual auditing. Different techniques have been proposed to accelerate this process by searching for typical patterns of vulnerable code. However, all of these approaches require a security expert to manually model and specify appropriate patterns in practice.In this paper, we propose a method for automatically inferring search patterns for taint-style vulnerabilities in C code. Given a security-sensitive sink, such as a memory function, our method automatically identifies corresponding source-sink systems and constructs patterns that model the data flow and sanitization in these systems. The inferred patterns are expressed as traversals in a code property graph and enable efficiently searching for unsanitized data flows-across several functions as well as with project-specific APIs. We demonstrate the efficacy of this approach in different experiments with 5 open-source projects. The inferred search patterns reduce the amount of code to inspect for finding known vulnerabilities by 94.9% and also enable us to uncover 8 previously unknown vulnerabilities.

show abstract

“…King et al [29], Pottier and Conchon [43], Smith and Thober [51], and the Jif compiler [40,41] all perform various forms of type inference for security-typed languages. Mastroeni and Banerjee [39] use refinement to derive a program's semantic declassification policy. We do not currently support automatic inference of security policies from a PDG.…”

Section: Related Workmentioning

confidence: 99%

Exploring and enforcing security guarantees via program dependence graphs

Johnson

Waye

Moore

et al. 2015

Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

We present PIDGIN, a program analysis and understanding tool that enables the specification and enforcement of precise applicationspecific information security guarantees. PIDGIN also allows developers to interactively explore the information flows in their applications to develop policies and investigate counter-examples.PIDGIN combines program dependence graphs (PDGs), which precisely capture the information flows in a whole application, with a custom PDG query language. Queries express properties about the paths in the PDG; because paths in the PDG correspond to information flows in the application, queries can be used to specify global security policies.PIDGIN is scalable. Generating a PDG for a 330k line Java application takes 90 seconds, and checking a policy on that PDG takes under 14 seconds. The query language is expressive, supporting a large class of precise, application-specific security guarantees. Policies are separate from the code and do not interfere with testing or development, and can be used for security regression testing.We describe the design and implementation of PIDGIN and report on using it: (1) to explore information security guarantees in legacy programs; (2) to develop and modify security policies concurrently with application development; and (3) to develop policies based on known vulnerabilities.

show abstract

Modelling declassification policies using abstract domain completeness

Cited by 12 publications

References 38 publications

Hypercollecting semantics and its application to static analysis of information flow

Hypercollecting semantics and its application to static analysis of information flow

Automatic Inference of Search Patterns for Taint-Style Vulnerabilities

Exploring and enforcing security guarantees via program dependence graphs

Contact Info

Product

Resources

About