Preventing Information Leaks through Shadow Executions

Capizzi, R.; Longo, Antonio Emilio Alvise; Venkatakrishnan, V.; Sistla, A. Prasad

doi:10.1109/acsac.2008.50

Cited by 52 publications

(47 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Two of the papers discussed above ( [16] and [12]) also consider SME-style approaches to information flow security in a browser. But there are important differences with FlowFox.…”

Section: Limitations and Future Workmentioning

confidence: 99%

“…They partition a program in two programs at source code level and use system call interposition to implement the I/O rules. In followup work, Capizzi et al [16] avoid the need for source level partitioning by means of shadow executions: they run two executions of processes for the H (secret) and L (public) security level to provide strong confidentiality guarantees. Devriese and Piessens [24] independently came up with the closely related technique they called SME, and they were the first to prove the strong soundness and precision guarantees that SME offers.…”

Section: Limitations and Future Workmentioning

confidence: 99%

“…But there are important differences with FlowFox. Both Bielova et al [12] and Capizzi et al [16] propose to multi-execute the entire browser: the DOM API interactions become internal interactions and each SME copy of the browser has its own copy of the DOM.…”

Section: Limitations and Future Workmentioning

confidence: 99%

“…Secure multi-execution (SME) [24,16] is a dynamic enforcement mechanism for information flow security with practical advantages when applied in the context of JavaScript web applications [24,§VI.D].…”

Section: Secure Multi-executionmentioning

confidence: 99%

See 3 more Smart Citations

Secure multi-execution of web scripts: Theory and practice

Groef

Devriese

Nikiforakis

et al. 2014

JCS

View full text Add to dashboard Cite

Secure Multi-Execution (SME) is a precise and general information flow control mechanism that was claimed to be a good fit for implementing information flow security in browsers. We validate this claim by developing FlowFox, the first fully functional web browser that implements an information flow control mechanism for web scripts based on the technique of secure multi-execution. We provide evidence for the security of FlowFox by proving non-interference for a formal model of the essence of FlowFox, and by showing how it stops real attacks. We provide evidence of usefulness by showing how FlowFox subsumes many ad-hoc script-containment countermeasures developed over the last years. An experimental evaluation on the Alexa top-500 web sites provides evidence for compatibility, and shows that FlowFox is compatible with the current web, even on sites that make intricate use of JavaScript.The performance and memory cost of FlowFox is substantial (a performance cost of around 20% on macro benchmarks for a simple two-level policy), but not prohibitive. Our prototype implementation shows that information flow enforcement based on secure multi-execution can be implemented in full-scale browsers. It can support powerful, yet compatible policies refining the same-origin-policy in a way that is compatible with existing websites.

show abstract

“…Two of the papers discussed above ( [16] and [12]) also consider SME-style approaches to information flow security in a browser. But there are important differences with FlowFox.…”

Section: Limitations and Future Workmentioning

confidence: 99%

Section: Limitations and Future Workmentioning

confidence: 99%

Section: Limitations and Future Workmentioning

confidence: 99%

Section: Secure Multi-executionmentioning

confidence: 99%

See 2 more Smart Citations

Secure multi-execution of web scripts: Theory and practice

Groef

Devriese

Nikiforakis

et al. 2014

JCS

View full text Add to dashboard Cite

show abstract

“…However, prior methods of detecting noninterference have typically required access to the program running the system in question. These analyses either used the program for directly analyzing its code (see [9] for a survey), for running an instrumented version of the system (e.g., [10][11][12][13]), or for simulating multiple executions of the system (e.g., [14][15][16]). Traditionally, the requirement of access to the program has not been problematic since the analysis has been motivated as a tool for software engineers securing a program that they have designed.…”

Section: Prior Workmentioning

confidence: 99%

Purpose Restrictions on Information Use

Tschantz

Datta

Wing

2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Privacy policies in sectors as diverse as Web services, finance and healthcare often place restrictions on the purposes for which a governed entity may use personal information. Thus, automated methods for enforcing privacy policies require a semantics of purpose restrictions to determine whether a governed agent used information for a purpose. We provide such a semantics using a formalism based on planning. We model planning using Partially Observable Markov Decision Processes (POMDPs), which supports an explicit model of information. We argue that information use is for a purpose if and only if the information is used while planning to optimize the satisfaction of that purpose under the POMDP model. We determine information use by simulating ignorance of the information prohibited by the purpose restriction, which we relate to noninterference. We use this semantics to develop a sound audit algorithm to automate the enforcement of purpose restrictions.

show abstract