ABSTRACT
Exceptions are a source of information leaks and are difficult to handle because they allow non-local control transfer. Existing dynamic information flow control techniques either ignore unstructured control flow or are restrictive. This work presents a more permissive solution for controlling information leaks using program analysis techniques.
Index Terms
- Exception handling for dynamic information flow control