Value Sensitivity and Observable Abstract Values for Information Flow Control

  • Conference paper
Logic for Programming, Artificial Intelligence, and Reasoning (LPAR 2015)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 9450)

Abstract

Much progress has recently been made on information flow control, enabling the enforcement of increasingly rich policies for increasingly expressive programming languages. This has resulted in tools for mainstream programming languages such as JavaScript, Java, Caml, and Ada that enforce versatile security policies. However, a roadblock on the way to wider adoption of these tools has been their limited permissiveness (high number of false positives). Flow-, context-, and object-sensitive techniques have been suggested to improve the precision of static information flow control, and dynamic monitors have been explored to leverage the knowledge about the current run for precision.

This paper explores value sensitivity to boost the permissiveness of information flow control. We show that both dynamic and hybrid information flow mechanisms benefit from value sensitivity. Further, we introduce the concept of observable abstract values to generalize and leverage the power of value sensitivity to richer programming languages. We demonstrate the usefulness of the approach by comparing it to known disciplines for dealing with information flow in dynamic and hybrid settings.

Acknowledgments

This work was funded by the European Community under the ProSecuToR project and the Swedish research agencies SSF and VR.

Author information

Corresponding author

Correspondence to Luciano Bello.

Copyright information

© 2015 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bello, L., Hedin, D., Sabelfeld, A. (2015). Value Sensitivity and Observable Abstract Values for Information Flow Control. In: Davis, M., Fehnker, A., McIver, A., Voronkov, A. (eds) Logic for Programming, Artificial Intelligence, and Reasoning. LPAR 2015. Lecture Notes in Computer Science, vol 9450. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-48899-7_5

  • DOI: https://doi.org/10.1007/978-3-662-48899-7_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-48898-0

  • Online ISBN: 978-3-662-48899-7

  • eBook Packages: Computer Science (R0)
