Research article. DOI: 10.1145/1363686.1363776

Type-based information flow analysis for bytecode languages with variable object field policies

Published: 16 March 2008

Abstract

Static, type-based information flow analysis techniques targeted at Java and JVM-like code typically assume a global security policy on object fields: all fields are assigned a fixed security level. In essence, they are treated as standard variables. However, different objects may be created under varying security contexts, particularly for widely used classes such as wrapper or collection classes. Fixing field levels globally therefore entails an important loss in precision of the analysis. We present a flow-sensitive type system for statically detecting illegal flows of information in a JVM-like language that allows the level of a field to vary at different object creation points. We also prove a noninterference result for this language.



Published In

SAC '08: Proceedings of the 2008 ACM symposium on Applied computing
March 2008
2586 pages
ISBN:9781595937537
DOI:10.1145/1363686

Publisher

Association for Computing Machinery

New York, NY, United States


Conference

SAC '08
SAC '08: The 2008 ACM Symposium on Applied Computing
March 16 - 20, 2008
Fortaleza, Ceara, Brazil

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%


Cited By

  • (2015) GhostRider. ACM SIGARCH Computer Architecture News 43:1 (87-101). DOI: 10.1145/2786763.2694385. Online publication date: 14-Mar-2015
  • (2015) GhostRider. ACM SIGPLAN Notices 50:4 (87-101). DOI: 10.1145/2775054.2694385. Online publication date: 14-Mar-2015
  • (2015) GhostRider. Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems (87-101). DOI: 10.1145/2694344.2694385. Online publication date: 14-Mar-2015
  • (2014) Automated abstract certification of non-interference with object aliasing in rewriting logic. 2014 9th Computing Colombian Conference (9CCC) (192-199). DOI: 10.1109/ColumbianCC.2014.6955344. Online publication date: Sep-2014
  • (2010) Abstract Certification of Global Non-interference in Rewriting Logic. Formal Methods for Components and Objects (105-124). DOI: 10.1007/978-3-642-17071-3_6. Online publication date: 2010
  • (2009) Abstract certification of global non-interference in rewriting logic. Proceedings of the 8th international conference on Formal methods for components and objects (105-124). DOI: 10.5555/1939101.1939112. Online publication date: 4-Nov-2009
