DOI: 10.5555/2819009.2819168
research-article

Post-dominator analysis for precisely handling implicit flows

Published: 16 May 2015 Publication History

Abstract

Most web applications today use JavaScript to include third-party scripts, advertisements, and similar content, which pose a major security threat in the form of confidentiality and integrity violations. Dynamic information flow control helps address this problem of information stealing. Most approaches over-approximate when unstructured control flow comes into the picture, thereby raising many false alarms. We use post-dominator analysis to determine the context of the program at a given point and prove that this approach is the most precise technique for handling implicit flows.
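
An added illustration, not code from the paper: a monitor that raises the program-counter label at each branch and lowers it again at the branch's immediate post-dominator, run on a constructed loop with a `break`. The CFG, the two-level labels `L`/`H`, all function names, and the never-lowering baseline (`precise = false`) are assumptions made for this example.

```javascript
// Constructed CFG (not from the paper) for the unstructured loop:
//   while (pub) { if (secret) break; x = 1; }  y = 1;
const cfg = {
  loop:  { succ: ['brk', 'after'], branchOn: 'pub' },
  brk:   { succ: ['after', 'x1'], branchOn: 'secret' },
  x1:    { succ: ['loop'], assign: 'x' },
  after: { succ: ['exit'], assign: 'y' },
  exit:  { succ: [] },
};
const join = (a, b) => (a === 'H' || b === 'H' ? 'H' : 'L');

// Iterative dataflow: pdom(exit) = {exit}; pdom(n) = {n} ∪ ⋂ pdom(s), s in succ(n).
function postDominators(g, exit) {
  const nodes = Object.keys(g);
  const pdom = {};
  for (const n of nodes) pdom[n] = new Set(n === exit ? [exit] : nodes);
  for (let changed = true; changed;) {
    changed = false;
    for (const n of nodes.filter(m => m !== exit)) {
      const [first, ...rest] = g[n].succ;
      const next = new Set([...pdom[first]].filter(d => rest.every(s => pdom[s].has(d))));
      next.add(n);
      if (next.size !== pdom[n].size) { pdom[n] = next; changed = true; }
    }
  }
  return pdom;
}

// The immediate post-dominator (IPD) is the closest strict post-dominator:
// its own post-dominator set equals n's set minus n itself.
function ipd(pdom, n) {
  return [...pdom[n]].find(d => d !== n && pdom[d].size === pdom[n].size - 1);
}

// Label assignments along one executed path. A branch pushes (label, IPD);
// with precise=true the entry is popped when execution reaches that IPD.
// precise=false is a constructed baseline that never lowers the pc.
function monitor(g, path, labels, precise = true) {
  const pdom = postDominators(g, 'exit');
  const pc = [{ label: 'L', ipd: null }];
  const out = { ...labels };
  for (const n of path) {
    while (precise && pc[pc.length - 1].ipd === n) pc.pop();
    const top = pc[pc.length - 1].label;
    if (g[n].assign) out[g[n].assign] = top; // constant stored under the pc label
    if (g[n].branchOn) pc.push({ label: join(top, out[g[n].branchOn]), ipd: ipd(pdom, n) });
  }
  return out;
}
```

On the path `loop, brk, x1, loop, brk, after, exit` with `secret` labelled `H`, the precise monitor labels `x` as `H` and `y` as `L`, while the baseline also marks `y` as `H`, which is the kind of false alarm the abstract refers to.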

Published In

ICSE '15: Proceedings of the 37th International Conference on Software Engineering - Volume 2
May 2015
1058 pages

Publisher

IEEE Press

Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%
