141,713 research outputs found
Recommended from our members
A progress-sensitive flow-sensitive inlined information-flow control monitor (extended version)
We present a novel progress-sensitive, flow-sensitive hybrid information-flow control monitor for an imperative interactive language. Progress-sensitive information-flow control is a strong information security guarantee which ensures that a program's progress (or lack of) does not leak information. Flow-sensitivity means that this strong security guarantee is enforced fairly precisely: our monitor tracks information flow per variable and per program point. We illustrate our approach on an imperative interactive language. Our hybrid monitor is inlined: source programs are translated, by a type-based analysis, into a target language that supports dynamic security levels. A key benefit of this is that the resulting monitored program is amenable to standard optimization techniques such as partial evaluation. One of the distinguishing features of our hybrid monitor is that it uses sets of levels to track the different possible security types of variables. This feature allows us to distinguish outputs that never leak information from those that may leak information.Engineering and Applied Science
Combining Graph-Based and Deduction-Based Information-Flow Analysis
Information flow control (IFC) is a category of techniques for
ensuring system security by enforcing information flow properties such as
non-interference. Established IFC techniques range from fully automatic
approaches with much over-approximation to approaches with high pre-
cision but potentially laborious user interaction. A noteworthy approach
mitigating the weaknesses of both automatic and interactive IFC tech-
niques is the hybrid approach, developed by Küsters et al., which – how-
ever – is based on program modifications and still requires a significant
amount of user interaction.
In this paper, we present a combined approach that works without any
program modifications. It minimizes potential user interactions by apply-
ing a dependency-graph-based information-flow analysis first. Based on
over-approximations, this step potentially generates false positives. Pre-
cise non-interference proofs are achieved by applying a deductive theorem
prover with a specialized information-flow calculus for checking that no
path from a secret input to a public output exists. Both tools are fully
integrated into a combined approach, which is evaluated on a case study,
demonstrating the feasibility of automatic and precise non-interference
proofs for complex programs
Non-interference for deterministic interactive programs
We consider the problem of defining an appropriate notion of non-interference (NI) for deterministic interactive programs. Previous work on the security of interactive programs by O'Neill, Clarkson and Chong (CSFW 2006) builds on earlier ideas due to Wittbold and Johnson (Symposium on Security and Privacy 1990), and argues for a notion of NI defined in terms of strategies modelling the behaviour of users. We show that, for deterministic interactive programs, it is not necessary to consider strategies and that a simple stream model of the users' behaviour is sufficient. The key technical result is that, for deterministic programs, stream-based NI implies the apparently more general strategy-based NI (in fact we consider a wider class of strategies than those of O'Neill et al). We give our results in terms of a simple notion of Input-Output Labelled Transition System, thus allowing application of the results to a large class of deterministic interactive programming languages
Recommended from our members
Reverse Engineering Environment for Teaching Secure Coding in Java
Few toolsets for program analysis and Java learning system provide an integrated console, debugger, and reverse engineered visualizer. We present an interactive debugging environment for Java which helps students to understand the secure coding by detecting and visualizing the data flow anomaly. Previous research shows that the earlier students learn secure coding concepts, even at the same time as they first learn to write code, the better they will continue using secure coding practices. This paper proposes web-based Java programming environment for teaching secure coding practices which provides the essential and fundamental skills in secure coding. Also, this tool helps students to understand the data anomaly and security leak with detecting vulnerabilities in given code.Cockrell School of Engineerin
Just forget it - The semantics and enforcement of information erasure
Abstract. There are many settings in which sensitive information is made available to a system or organisation for a specific purpose, on the understanding that it will be erased once that purpose has been fulfilled. A familiar example is that of online credit card transactions: a customer typically provides credit card details to a payment system on the understanding that the following promises are kept: (i) Noninterference (NI): the card details may flow to the bank (in order that the payment can be authorised) but not to other users of the system; (ii) Erasure: the payment system will not retain any record of the card details once the transaction is complete. This example shows that we need to reason about NI and erasure in combination, and that we need to consider interactive systems: the card details are used in the interaction between the principals, and then erased; without the interaction, the card details could be dispensed with altogether and erasure would be unnecessary. The contributions of this paper are as follows. (i) We show that an end-to-end erasure property can be encoded as a “flow sensitive ” noninterference property. (ii) By a judicious choice of language construct to support erasur
Relational Symbolic Execution
Symbolic execution is a classical program analysis technique used to show
that programs satisfy or violate given specifications. In this work we
generalize symbolic execution to support program analysis for relational
specifications in the form of relational properties - these are properties
about two runs of two programs on related inputs, or about two executions of a
single program on related inputs. Relational properties are useful to formalize
notions in security and privacy, and to reason about program optimizations. We
design a relational symbolic execution engine, named RelSym which supports
interactive refutation, as well as proving of relational properties for
programs written in a language with arrays and for-like loops
Checking Interaction-Based Declassification Policies for Android Using Symbolic Execution
Mobile apps can access a wide variety of secure information, such as contacts
and location. However, current mobile platforms include only coarse access
control mechanisms to protect such data. In this paper, we introduce
interaction-based declassification policies, in which the user's interactions
with the app constrain the release of sensitive information. Our policies are
defined extensionally, so as to be independent of the app's implementation,
based on sequences of security-relevant events that occur in app runs. Policies
use LTL formulae to precisely specify which secret inputs, read at which times,
may be released. We formalize a semantic security condition, interaction-based
noninterference, to define our policies precisely. Finally, we describe a
prototype tool that uses symbolic execution to check interaction-based
declassification policies for Android, and we show that it enforces policies
correctly on a set of apps.Comment: This research was supported in part by NSF grants CNS-1064997 and
1421373, AFOSR grants FA9550-12-1-0334 and FA9550-14-1-0334, a partnership
between UMIACS and the Laboratory for Telecommunication Sciences, and the
National Security Agenc
Computational Soundness for Dalvik Bytecode
Automatically analyzing information flow within Android applications that
rely on cryptographic operations with their computational security guarantees
imposes formidable challenges that existing approaches for understanding an
app's behavior struggle to meet. These approaches do not distinguish
cryptographic and non-cryptographic operations, and hence do not account for
cryptographic protections: f(m) is considered sensitive for a sensitive message
m irrespective of potential secrecy properties offered by a cryptographic
operation f. These approaches consequently provide a safe approximation of the
app's behavior, but they mistakenly classify a large fraction of apps as
potentially insecure and consequently yield overly pessimistic results.
In this paper, we show how cryptographic operations can be faithfully
included into existing approaches for automated app analysis. To this end, we
first show how cryptographic operations can be expressed as symbolic
abstractions within the comprehensive Dalvik bytecode language. These
abstractions are accessible to automated analysis, and they can be conveniently
added to existing app analysis tools using minor changes in their semantics.
Second, we show that our abstractions are faithful by providing the first
computational soundness result for Dalvik bytecode, i.e., the absence of
attacks against our symbolically abstracted program entails the absence of any
attacks against a suitable cryptographic program realization. We cast our
computational soundness result in the CoSP framework, which makes the result
modular and composable.Comment: Technical report for the ACM CCS 2016 conference pape
- …