Implementing Erasure Policies Using Taint Analysis

  • Conference paper
Information Security Technology for Applications (NordSec 2010)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7127)

Abstract

Security or privacy-critical applications often require access to sensitive information in order to function. But in accordance with the principle of least privilege – or perhaps simply for legal compliance – such applications should not retain said information once it has served its purpose. In such scenarios, the timely disposal of data is known as an information erasure policy. This paper studies software-level information erasure policies for the data manipulated by programs. The paper presents a new approach to the enforcement of such policies. We adapt ideas from dynamic taint analysis to track how sensitive data sources propagate through a program and erase them on demand. The method is implemented for Python as a library, with no modifications to the runtime system. The library is easy to use, and allows programmers to indicate information-erasure policies with only minor modifications to their code.
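
A minimal sketch of the idea in the abstract, added here as an illustration and not taken from the paper or its library: values read from a sensitive source carry a label, operations on them propagate the label, and erasure blanks every live value derived from that source. The names `Erasable`, `source` and `erase` are hypothetical, and blanking the whole derived value is a simplifying assumption.

```python
import weakref

class Erasable:
    """String wrapper that records which sensitive sources a value derives from."""
    _live = weakref.WeakSet()          # wrappers still reachable in the program

    def __init__(self, value, sources):
        self._value = str(value)
        self.sources = frozenset(sources)
        Erasable._live.add(self)

    @staticmethod
    def _parts(other):
        if isinstance(other, Erasable):
            return other._value, other.sources
        return str(other), frozenset()  # plain data carries no labels

    def __add__(self, other):           # tainted + anything -> tainted
        v, s = self._parts(other)
        return Erasable(self._value + v, self.sources | s)
    def __radd__(self, other):          # plain + tainted -> tainted
        v, s = self._parts(other)
        return Erasable(v + self._value, self.sources | s)

    def __getitem__(self, key):         # slices keep the labels
        return Erasable(self._value[key], self.sources)
    def upper(self):
        return Erasable(self._value.upper(), self.sources)
    def __str__(self):
        return self._value

def source(value, label):
    # Mark a value as coming from the sensitive source named `label`.
    return Erasable(value, {label})

def erase(label):
    """Blank every live value derived from `label`; return how many were hit."""
    hit = [o for o in list(Erasable._live) if label in o.sources]
    for o in hit:
        o._value = ""
    return len(hit)

def demo():
    card = source("4111111111111111", "card")        # constructed test number
    receipt = "Paid with card ending " + card[-4:]
    audit = receipt.upper() + " / order 17"
    before = str(receipt)
    return before, erase("card"), str(receipt), str(audit), str(card)
```

Calling `str()` on a wrapper hands out an untracked plain copy, so a value exported that way is outside the reach of `erase`. Rebinding `_value` also does not overwrite the old bytes in interpreter memory; it only removes the program's tracked references to them.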



Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Del Tedesco, F., Russo, A., Sands, D. (2012). Implementing Erasure Policies Using Taint Analysis. In: Aura, T., Järvinen, K., Nyberg, K. (eds) Information Security Technology for Applications. NordSec 2010. Lecture Notes in Computer Science, vol 7127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27937-9_14

  • DOI: https://doi.org/10.1007/978-3-642-27937-9_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-27936-2

  • Online ISBN: 978-3-642-27937-9

  • eBook Packages: Computer Science (R0)