Fine-Grained Information Flow Analysis and Enforcement in a Java Virtual Machine

We have implemented an information flow framework for the Java virtual machine that combines static and dynamic techniques to capture not only explicit flows, but also implicit ones resulting from control flow. Unlike other approaches that freeze policies at compilation time, our system truly separates the policy from the enforcement mechanism and thereby permits policy changes even while a program is running. Ahead of execution, we run a static analysis that annotates an executable with information-flow data. During execution, we then use these annotations to safely update the labels of variables that lie on alternative paths of execution while enforcing the policy currently in place. Our framework does not require access to source code and is fully backward-compatible with existing Java class files. Preliminary benchmark results suggest that the run-time overhead of information flow techniques such as ours is well within an acceptable range for many application domains.
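The following is an added example, not code from the paper or its JVM implementation: a small Python model of the combined approach, in which a static pass records which variables each branch assigns (standing in for the ahead-of-time annotations) and the dynamic pass uses that record to raise the labels of variables on the path that was not taken. The toy statement and expression encoding, the two-point LOW/HIGH lattice and the constructed leak program are all assumptions made for this example.

```python
# Toy model of the static/dynamic label tracking described above.
# Statements: ("assign", var, expr) or ("if", cond, then_block, else_block);
# expressions: ("const", v), ("var", x), ("not", e). Labels: LOW < HIGH.
LOW, HIGH = 0, 1

def assigned_vars(block):
    """Static pass: every variable assigned in block (nested branches too)."""
    out = set()
    for stmt in block:
        if stmt[0] == "assign":
            out.add(stmt[1])
        else:
            out |= assigned_vars(stmt[2]) | assigned_vars(stmt[3])
    return out

def eval_expr(expr, env):
    """Return (value, label); the label is the join of the operand labels."""
    if expr[0] == "const":
        return expr[1], LOW
    if expr[0] == "var":
        return env[expr[1]]
    v, lab = eval_expr(expr[1], env)  # "not"
    return (not v), lab

def run(block, env, pc=LOW, use_annotations=True):
    """Execute block; pc is the label of the enclosing control context."""
    for stmt in block:
        if stmt[0] == "assign":
            v, lab = eval_expr(stmt[2], env)
            env[stmt[1]] = (v, max(lab, pc))  # explicit flow joined with pc
            continue
        cond, clab = eval_expr(stmt[1], env)
        branch_pc = max(pc, clab)
        taken, other = (stmt[2], stmt[3]) if cond else (stmt[3], stmt[2])
        run(taken, env, branch_pc, use_annotations)
        if use_annotations:
            # The untaken path would have assigned these: raise labels, keep values.
            for var in assigned_vars(other):
                val, lab = env.get(var, (None, LOW))
                env[var] = (val, max(lab, branch_pc))
    return env

# Constructed leak: y ends up equal to (not secret) although secret is never
# assigned to y; the dependency passes through the untaken first branch.
LEAK = [("assign", "x", ("const", False)),
        ("assign", "y", ("const", False)),
        ("if", ("var", "secret"), [("assign", "x", ("const", True))], []),
        ("if", ("not", ("var", "x")), [("assign", "y", ("const", True))], [])]

def label_of_y(secret, use_annotations=True):
    """Run LEAK with a HIGH secret and return y as (value, label)."""
    return run(LEAK, {"secret": (secret, HIGH)}, use_annotations=use_annotations)["y"]
```

With annotations, y is labelled HIGH for either value of secret; with the purely dynamic variant (use_annotations=False) and secret False, y carries the secret but stays LOW.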