论文信息 - A proof-producing machine-code analyzer for secure information flow

A proof-producing machine-code analyzer for secure information flow

An approach enabling end-users to verify that a downloaded untrusted code will not leak confidential data to unauthorized parties is presented. The approach certifies RISC-style assembly programs for secure information flow by statically analyzing the code based on the idea of Proof Carrying Code (PCC). The proofs that untrusted code does not leak sensitive information are generated and checked on the host machine and if they are valid, then the untrusted code can be installed and executed safely. The proposed security analyzer operates directly on the machinecode requiring only the inputs and outputs of the code be annotated with security levels. The generated proofs serve as evidence that give end-users a guarantee about the security of the untrusted code.

[1] Ricardo Medel,et al. Non-Interference for a Typed Assembly Language , 2005 .

[2] Andrew C. Myers,et al. Secure Information Flow via Linear Continuations , 2002, High. Order Symb. Comput..

[3] Nicoletta De Francesco,et al. Combining Abstract Interpretation and Model Checking for Analysing Security Properties of Java Bytecode , 2002, VMCAI.

[4] Andrew C. Myers,et al. Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[5] Jean-Louis Lanet,et al. Checking Secure Interactions of Smart Card Applets: Extended Version , 2002, J. Comput. Secur..

[6] Fausto Spoto,et al. Information Flow Analysis for Java Bytecode , 2005, VMCAI.

[7] Gilles Barthe,et al. Non-interference for a JVM-like language , 2005, TLDI '05.

[8] Peter J. Denning,et al. Certification of programs for secure information flow , 1977, CACM.

[9] Gilles Barthe,et al. Security types preserving compilation , 2004, Comput. Lang. Syst. Struct..

[10] Dachuan Yu,et al. A Typed Assembly Language for Confidentiality , 2006, ESOP.

[11] Ricardo Medel,et al. A typed assembly language for secure information flow analysis , 2004 .

[12] Marco Avvenuti,et al. Java bytecode verification for secure information flow , 2003, SIGP.

[13] J. Meseguer,et al. Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[14] Ramlan Mahmod,et al. Information Flow Type System for Proof Carrying Code , 2007 .