Abstract
In typical Web applications, access control at the database management system is not effective because it depends on application behavior. That is, once the information is retrieved, a careless application can easily leak it to undesirable parties. In addition, database accounts are often shared among multiple Web users in order to allow connection pooling. We propose DIFCA-J (Dynamic Information Flow Control Architecture for Java) to keep track of and control fine-grained information propagation through execution of the program. DIFCA-J allows controlling the information flow at run-time, without needing to modify the source code of the target application or the Java VMs.
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Yoshihama, S., Yoshizawa, T., Watanabe, Y., Kudoh, M., Oyanagi, K. (2007). Dynamic Information Flow Control Architecture for Web Applications. In: Biskup, J., López, J. (eds) Computer Security – ESORICS 2007. ESORICS 2007. Lecture Notes in Computer Science, vol 4734. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74835-9_18
DOI: https://doi.org/10.1007/978-3-540-74835-9_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74834-2
Online ISBN: 978-3-540-74835-9