Generalizing Permissive-Upgrade in Dynamic Information Flow Analysis

Preventing implicit information flows by dynamic program analysis requires coarse approximations that result in false positives, because a dynamic monitor sees only the executed trace of the program. One widely deployed method is the no-sensitive-upgrade check, which terminates a program whenever a variable's taint is upgraded (made more sensitive) due to a control dependence on tainted data. Although sound, this method is restrictive, e.g., it terminates the program even if the upgraded variable is never used subsequently. To counter this, Austin and Flanagan introduced the permissive-upgrade check, which allows a variable upgrade due to control dependence, but marks the variable "partially-leaked". The program is stopped later if it tries to use the partially-leaked variable. Permissive-upgrade handles the dead-variable assignment problem and remains sound. However, Austin and Flanagan develop permissive-upgrade only for a two-point (low-high) security lattice and indicate a generalization to pointwise products of such lattices. In this paper, we develop a non-trivial and non-obvious generalization of permissive-upgrade to arbitrary lattices. The key difficulty lies in finding a suitable notion of partial leaks that is both sound and permissive and in developing a suitable definition of memory equivalence that allows an inductive proof of soundness.

[1]  Deepak Garg,et al.  Information Flow Control in WebKit's JavaScript Bytecode , 2014, POST.

[2]  Marco Pistoia,et al.  Saving the world wide web from vulnerable JavaScript , 2011, ISSTA '11.

[3]  David A. Schmidt,et al.  Automata-Based Confidentiality Monitoring , 2006, ASIAN.

[4]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[5]  Benjamin C. Pierce,et al.  All Your IFCException Are Belong to Us , 2013, 2013 IEEE Symposium on Security and Privacy.

[6]  Alejandro Russo,et al.  Dynamic vs. Static Flow-Sensitive Security Analysis , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[7]  Christopher Krügel,et al.  Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis , 2007, NDSS.

[8]  Deian Stefan,et al.  On Dynamic Flow-Sensitive Floating-Label Systems , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[9]  Gurvan Le Guernic Automaton-based Confidentiality Monitoring of Concurrent Programs , 2007, 20th IEEE Computer Security Foundations Symposium (CSF'07).

[10]  Andrei Sabelfeld,et al.  Information-Flow Security for a Core of JavaScript , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[11]  David Sands,et al.  Termination-Insensitive Noninterference Leaks More Than Just a Bit , 2008, ESORICS.

[12]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[13]  Arnar Birgisson,et al.  Boosting the Permissiveness of Dynamic Information-Flow Tracking by Testing , 2012, ESORICS.

[14]  Thomas H. Austin,et al.  Permissive dynamic information flow analysis , 2010, PLAS '10.

[15]  Andrew C. Myers,et al.  Programming Languages for Information Security , 2002 .

[16]  Dominique Devriese,et al.  Noninterference through Secure Multi-execution , 2010, 2010 IEEE Symposium on Security and Privacy.

[17]  Sorin Lerner,et al.  Staged information flow for javascript , 2009, PLDI '09.

[18]  Thomas H. Austin,et al.  Efficient purely-dynamic information flow analysis , 2009, PLAS '09.

[19]  Peter J. Denning,et al.  Certification of programs for secure information flow , 1977, CACM.

[20]  Alejandro Russo,et al.  From Dynamic to Static and Back: Riding the Roller Coaster of Information-Flow Control Research , 2009, Ershov Memorial Conference.

[21]  David Sands,et al.  On flow-sensitive security types , 2006, POPL '06.

[22]  Andrei Sabelfeld,et al.  Tight Enforcement of Information-Release Policies for Dynamic Languages , 2009, 2009 22nd IEEE Computer Security Foundations Symposium.