On-the-Fly Inlining of Dynamic Dependency Monitors for Secure Information Flow | SpringerLink
Skip to main content
Springer Nature Link
Log in

On-the-Fly Inlining of Dynamic Dependency Monitors for Secure Information Flow

  • Conference paper
Formal Aspects of Security and Trust (FAST 2011)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7140))

Included in the following conference series:

Abstract

Information flow analysis (IFA) in the setting of programming languages is steadily veering towards the adoption of dynamic techniques. This is particularly attractive for scripting languages for web applications programming. A common manifestation of dynamic techniques is that of run-time monitors, which should block program execution in the presence of an insecure run. Significant efforts are still required before practical, scalable monitors for secure IFA of industrial scale languages such as JavaScript can be achieved. Such monitors ideally should compensate for the absence of the traces they do not track, should not require modifications of the VM and should provide a fair compromise between security and usability among other things. This paper discusses on-the-fly inlining of monitors that track dependencies as a prospective candidate.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
JPY 3498
Price includes VAT (Japan)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
JPY 5719
Price includes VAT (Japan)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
JPY 7149
Price includes VAT (Japan)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE Journal on Selected Areas in Communications

    Google Scholar 

  2. Venkatakrishnan, V.N., Xu, W., Duvarney, D.C., Sekar, R.: Provably correct runtime enforcement of non-interference properties. In: International Conference on Information and Communication Security, pp. 332–351 (2006)

    Google Scholar 

  3. Guernic, G.L., Banerjee, A., Jensen, T.P., Schmidt, D.A.: Automata-Based Confidentiality Monitoring. In: Okada, M., Satoh, I. (eds.) ASIAN 2006. LNCS, vol. 4435, pp. 75–89. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  4. Guernic, G.L.: Automaton-based confidentiality monitoring of concurrent programs. In: Computer Security Foundations Workshop, pp. 218–232 (2007)

    Google Scholar 

  5. Shroff, P., Smith, S., Thober, M.: Dynamic dependency monitoring to secure information flow. In: Proceedings of the 20th IEEE Computer Security Foundations Symposium, pp. 203–217. IEEE Computer Society, Washington, DC, USA (2007)

    Google Scholar 

  6. Mccamant, S., Ernst, M.D.: Quantitative information flow as network flow capacity. In: SIGPLAN Conference on Programming Language Design and Implementation, pp. 193–205 (2008)

    Google Scholar 

  7. Sabelfeld, A., Russo, A.: From dynamic to static and back: Riding the roller coaster of information-flow control research. In: Ershov. Memorial Conf., pp. 352–365 (2009)

    Google Scholar 

  8. Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. In: SIGPLAN Conference on Programming Language Design and Implementation, pp. 113–124 (2009)

    Google Scholar 

  9. Askarov, A., Sabelfeld, A.: Tight enforcement of information-release policies for dynamic languages. In: Computer Security Foundations Workshop, pp. 43–59 (2009)

    Google Scholar 

  10. Volpano, D.M., Irvine, C.E., Smith, G.: A sound type system for secure flow analysis. Journal of Computer Security 4, 167–188

    Google Scholar 

  11. Russo, A., Sabelfeld, A.: Dynamic vs. static flow-sensitive security analysis. In: Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium, CSF 2010, pp. 186–199. IEEE Computer Society, Washington, DC, USA (2010)

    Chapter  Google Scholar 

  12. Hunt, S., Sands, D.: On flow-sensitive security types. In: Morrisett, J.G., Jones, S.L.P. (eds.) POPL, pp. 79–90. ACM (2006)

    Google Scholar 

  13. Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. SIGPLAN Not. 44, 20–31 (2009)

    Article  Google Scholar 

  14. Austin, T.H., Flanagan, C.: Permissive dynamic information flow analysis. In: Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, PLAS 2010, pp. 3:1–3:12. ACM, New York (2010)

    Google Scholar 

  15. Chudnov, A., Naumann, D.A.: Information flow monitor inlining. In: Computer Security Foundations Workshop, pp. 200–214 (2010)

    Google Scholar 

  16. Futoransky, A., Gutesman, E., Waissbein, A.: A dynamic technique for enhancing the security and privacy of web applications. In: Black Hat USA 2007 Briefings, August 1-2, Las Vegas, NV, USA (2007)

    Google Scholar 

  17. Dhawan, M., Ganapathy, V.: Analyzing information flow in javascript-based browser extensions. In: Annual Comp. Sec. App. Conference, pp. 382–391 (2009)

    Google Scholar 

  18. Erlingsson, U.: The Inlined Reference Monitor Approach to Security Policy Enforcement. PhD thesis, Department of Computer Science, Cornell University (2003) TR 2003-1916

    Google Scholar 

  19. Magazinius, J., Russo, R., Sabelfeld, A.: On-the-fly inlining of dynamic security monitors. In: Proc. IFIP International Information Security Conference (2010)

    Google Scholar 

  20. Chugh, R., Meister, J.A., Jhala, R., Lerner, S.: Staged information flow for javascript. In: SIGPLAN Conference on Programming Language Design and Implementation, pp. 50–62 (2009)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Si6 Labs - CITEDEF - Inst. de Investigac. Cient. y Técnicas para la Defensa, Argentina

    Luciano Bello

  2. ITBA - Instituto Tecnológico Buenos Aires, Argentina

    Luciano Bello & Eduardo Bonelli

  3. CONICET - Consejo Nacional de Investigaciones Científicas y Técnicas, Argentina

    Eduardo Bonelli

  4. UNQ - Univesidad Nacional de Quilmes, Argentina

    Eduardo Bonelli

Authors
  1. Luciano Bello
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Eduardo Bonelli
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. IMDEA Software Institute, Universidad Politecnica de Madrid, Campus Montegancedo, 28660, Boadilla del Monte, Madrid, Spain

    Gilles Barthe

  2. Carnegie Mellon University, NASA Research Park, Bldg. 23 (MS 23-11), P.O. Box 1, 94035-0001, Moffet Field, CA, USA

    Anupam Datta

  3. Faculty of Mathematics and Computer Science, Embedded Systems Security Group, Technical University of Eindhoven, P.O. Box 513, 5600 MB, Eindhoven, The Netherlands

    Sandro Etalle

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bello, L., Bonelli, E. (2012). On-the-Fly Inlining of Dynamic Dependency Monitors for Secure Information Flow. In: Barthe, G., Datta, A., Etalle, S. (eds) Formal Aspects of Security and Trust. FAST 2011. Lecture Notes in Computer Science, vol 7140. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29420-4_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-29420-4_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29419-8

  • Online ISBN: 978-3-642-29420-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation