Research article (open access)

Multiple Facets for Dynamic Information Flow with Exceptions

Published: 10 May 2017

Abstract

JavaScript is the source of many security problems, including cross-site scripting attacks and malicious advertising code. Central to these problems is the fact that code from untrusted sources runs with full privileges. Information flow controls help prevent violations of data confidentiality and integrity.
This article explores faceted values, a mechanism for providing information flow security in a dynamic manner that avoids the stuck executions of some prior approaches, such as the no-sensitive-upgrade technique. Faceted values simultaneously simulate multiple executions for different security levels to guarantee termination-insensitive noninterference. We also explore the interaction of faceted values with exceptions, declassification, and clearance.
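The mechanism the abstract names, as an added JavaScript sketch; it is not the paper's code or its full semantics, and the label k, the public default facet, and the helper names are constructed here:

```javascript
// Added example, not code from the paper: a toy model of faceted values.
// A faceted value <k ? high : low> carries both the view of an observer
// allowed to see label k and the view of everyone else, so one run
// simulates the "secret" and the "public" execution at the same time.
class Faceted {
  constructor(label, high, low) {
    this.label = label; this.high = high; this.low = low;
  }
}
const isFaceted = (v) => v instanceof Faceted;

// Keep only the facet an observer with the given clearance would see.
function view(v, cleared) {
  if (!isFaceted(v)) return v;
  return view(cleared.has(v.label) ? v.high : v.low, cleared);
}

// Select one side (high or low) of every facet labelled `label`.
function project(v, label, high) {
  if (!isFaceted(v)) return v;
  if (v.label === label) return project(high ? v.high : v.low, label, high);
  return new Faceted(v.label, project(v.high, label, high),
                              project(v.low, label, high));
}

// `if (c) x = v`: when c is faceted, run the branch once per facet instead
// of stopping as no-sensitive-upgrade would; the public facet of x keeps
// its old value, so a public observer learns nothing about c.
function condAssign(c, x, v) {
  if (isFaceted(c)) {
    const k = c.label;
    return new Faceted(k,
      condAssign(c.high, project(x, k, true), project(v, k, true)),
      condAssign(c.low, project(x, k, false), project(v, k, false)));
  }
  return c ? v : x;
}

// The classic implicit flow: with plain booleans, y ends up equal to secret.
function implicitFlow(secret) {
  let x = true, y = true;
  x = condAssign(secret, x, false); // if (secret) x = false
  y = condAssign(x, y, false);      // if (x) y = false
  return y;
}

// Constructed secret input: the public facet is a default of false.
const secretInput = (bit) => new Faceted("k", bit, false);

// The public view of y is the same whatever the secret bit was.
function publicViewsAgree() {
  const yes = view(implicitFlow(secretInput(true)), new Set());
  const no = view(implicitFlow(secretInput(false)), new Set());
  return yes === no;
}
```

An observer cleared for k sees the true result of implicitFlow, while the public view is false for either secret bit and the run never gets stuck.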



Published In

ACM Transactions on Programming Languages and Systems, Volume 39, Issue 3
September 2017
196 pages
ISSN: 0164-0925
EISSN: 1558-4593
DOI: 10.1145/3092741
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 10 May 2017
Accepted: 01 December 2016
Revised: 01 November 2016
Received: 01 October 2015
Published in TOPLAS Volume 39, Issue 3


Author Tags

  1. Information flow control
  2. JavaScript
  3. dynamic analysis
  4. web security

Qualifiers

  • Research-article
  • Research
  • Refereed

Article Metrics

  • Downloads (last 12 months): 84
  • Downloads (last 6 weeks): 17
Reflects downloads up to 05 Mar 2025

Cited By

  • (2024) Quest Complete: The Holy Grail of Gradual Security. Proceedings of the ACM on Programming Languages 8:PLDI, 1609-1632. DOI 10.1145/3656442. Online publication date: 20-Jun-2024.
  • (2023) Impact of Code-Switching in Learning and Teaching of Mathematics: A South African Perspective. E-Journal of Humanities, Arts and Social Sciences, 181-195. DOI 10.38159/ehass.2023432. Online publication date: 3-Mar-2023.
  • (2021) Permissive runtime information flow control in the presence of exceptions. Journal of Computer Security 29:4, 361-401. DOI 10.3233/JCS-211385. Online publication date: 1-Jan-2021.
  • (2021) SCIFFS: Enabling Secure Third-Party Security Analytics using Serverless Computing. Proceedings of the 26th ACM Symposium on Access Control Models and Technologies, 175-186. DOI 10.1145/3450569.3463567. Online publication date: 11-Jun-2021.
  • (2020) Security Types for Synchronous Data Flow Systems. 2020 18th ACM-IEEE International Conference on Formal Methods and Models for System Design (MEMOCODE), 1-12. DOI 10.1109/MEMOCODE51338.2020.9315053. Online publication date: 2-Dec-2020.
  • (2019) Secure multi-execution in Android. Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing, 1934-1943. DOI 10.1145/3297280.3297469. Online publication date: 8-Apr-2019.
  • (2018) Secure serverless computing using dynamic information flow control. Proceedings of the ACM on Programming Languages 2:OOPSLA, 1-26. DOI 10.1145/3276488. Online publication date: 24-Oct-2018.
  • (2018) Type-Driven Gradual Security with References. ACM Transactions on Programming Languages and Systems 40:4, 1-55. DOI 10.1145/3229061. Online publication date: 13-Dec-2018.
  • (2018) On transparent value-sensitive run-time monitoring for information flow policies. Computer Languages, Systems and Structures 54:C, 273-296. DOI 10.1016/j.cl.2018.07.003. Online publication date: 1-Dec-2018.
