1,063 research outputs found
A Study on Formal Verification for JavaScript Software
Information security is still a major problem for users of websites and hybrid mobile applications. While many apps and websites come with terms of service agreements between the developer and end user, there is no rigorous mechanism in place to ensure that these agreements are being followed. Formal methods can offer greater confidence that these policies are being followed, but there is currently no widely adopted tool that makes formal methods available for average consumers. After studying the current state-of-the-art in JavaScript policy enforcement and verification, this research proposes several new techniques for applying model checking to JavaScript that strikes a balance of low runtime overhead and fine-grained policy enforcement that other techniques do not achieve
Security Policy Specification Using a Graphical Approach
A security policy states the acceptable actions of an information system, as
the actions bear on security. There is a pressing need for organizations to
declare their security policies, even informal statements would be better than
the current practice. But, formal policy statements are preferable to support
(1) reasoning about policies, e.g., for consistency and completeness, (2)
automated enforcement of the policy, e.g., using wrappers around legacy systems
or after the fact with an intrusion detection system, and (3) other formal
manipulation of policies, e.g., the composition of policies. We present LaSCO,
the Language for Security Constraints on Objects, in which a policy consists of
two parts: the domain (assumptions about the system) and the requirement (what
is allowed assuming the domain is satisfied). Thus policies defined in LaSCO
have the appearance of conditional access control statements. LaSCO policies
are specified as expressions in logic and as directed graphs, giving a visual
view of policy. LaSCO has a simple semantics in first order logic (which we
provide), thus permitting policies we write, even for complex policies, to be
very perspicuous. LaSCO has syntax to express many of the situations we have
found to be useful on policies or, more interesting, the composition of
policies. LaSCO has an object-oriented structure, permitting it to be useful to
describe policies on the objects and methods of an application written in an
object-oriented language, in addition to the traditional policies on operating
system objects. A LaSCO specification can be automatically translated into
executable code that checks an invocation of a program with respect to a
policy. The implementation of LaSCO is in Java, and generates wrappers to check
Java programs with respect to a policy.Comment: 28 pages, 22 figures, in color (but color is not essential for
viewing); UC Davis CS department technical report (July 22, 1998
- …