Dynamic vs. Static Flow-Sensitive Security Analysis

This paper seeks to answer fundamental questions about the trade-offs between static and dynamic security analysis. It has previously been shown that flow-sensitive static information-flow analysis is a natural generalization of flow-insensitive static analysis, which allows more secure programs to be accepted. It has also been shown that sound purely dynamic information-flow enforcement is more permissive than static analysis in the flow-insensitive case. We argue that the step from flow-insensitive to flow-sensitive is fundamentally limited for purely dynamic information-flow controls. We prove the impossibility of a sound purely dynamic information-flow monitor that accepts all programs certified by a classical flow-sensitive static analysis. A side implication is the impossibility of permissive dynamic instrumented security semantics for information flow, which guides us to uncover an unsound semantics from the literature. We present a general framework for hybrid mechanisms that is parameterized in the static part and in the reaction method of the enforcement (stop, suppress, or rewrite) and give security guarantees with respect to termination-insensitive noninterference for a simple language with output.
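The following is an added example to make the abstract's claim concrete; it is not code from the paper. It interprets a tiny language with assignment, conditionals and output under two monitors: a purely dynamic flow-sensitive one (a variable's label follows the data it holds, and assignments under a secret-dependent branch take the branch's label) and a hybrid one whose static part is the set of variables assigned in either branch of a conditional, with the "stop" reaction on a blocked output. That static part is one simple choice; the paper's framework is parameterized over it. The leaking program is the classic flow-sensitivity counterexample, and the variable names, command encoding and two-point lattice are assumptions of this example.

```python
"""Purely dynamic vs. hybrid flow-sensitive monitors on a two-run leak.
Constructed example; not the paper's formalism."""

L, H = 0, 1  # two-point lattice, L below H; join is max

# Commands:    ("assign", var, expr) | ("if", expr, then_cmds, else_cmds) | ("output", expr)
# Expressions: ("var", name) | ("const", value) | ("eq", e1, e2)


class Blocked(Exception):
    """Raised when an output would leak: the 'stop' reaction ends the run."""


def eval_expr(expr, env, labels):
    """Return (value, label), label being the join of the labels of variables read."""
    kind = expr[0]
    if kind == "const":
        return expr[1], L
    if kind == "var":
        return env[expr[1]], labels[expr[1]]
    if kind == "eq":
        v1, l1 = eval_expr(expr[1], env, labels)
        v2, l2 = eval_expr(expr[2], env, labels)
        return int(v1 == v2), max(l1, l2)
    raise ValueError(expr)


def assigned_vars(cmds):
    """Static part of the hybrid monitor: every variable assigned anywhere in cmds."""
    out = set()
    for c in cmds:
        if c[0] == "assign":
            out.add(c[1])
        elif c[0] == "if":
            out |= assigned_vars(c[2]) | assigned_vars(c[3])
    return out


def exec_cmds(cmds, env, labels, hybrid, pc, outputs):
    for c in cmds:
        kind = c[0]
        if kind == "assign":
            v, lab = eval_expr(c[2], env, labels)
            env[c[1]] = v
            labels[c[1]] = max(lab, pc)  # flow-sensitive: the label moves with the data
        elif kind == "if":
            v, lab = eval_expr(c[1], env, labels)
            branch_pc = max(pc, lab)
            if hybrid:
                # Static part: variables assigned in EITHER branch now depend on the
                # guard, even if the branch that assigns them is not taken.
                for x in assigned_vars(c[2]) | assigned_vars(c[3]):
                    labels[x] = max(labels[x], branch_pc)
            exec_cmds(c[2] if v else c[3], env, labels, hybrid, branch_pc, outputs)
        elif kind == "output":
            v, lab = eval_expr(c[1], env, labels)
            if max(lab, pc) > L:  # only L data may reach the public channel
                raise Blocked()
            outputs.append(v)
        else:
            raise ValueError(c)


def run(cmds, secret, hybrid):
    """Run cmds with h = secret; return the public outputs up to a stop, if any."""
    env = {"h": secret, "l": 0, "t": 0}
    labels = {"h": H, "l": L, "t": L}
    outputs = []
    try:
        exec_cmds(cmds, env, labels, hybrid, L, outputs)
    except Blocked:
        pass
    return outputs


def leaks(cmds, hybrid):
    """Two-run check: do the public outputs differ for h = 0 and h = 1?"""
    return run(cmds, 0, hybrid) != run(cmds, 1, hybrid)


# Classic counterexample: l ends up equal to h, yet no assignment to l is
# ever executed under a H label in either run, so a purely dynamic monitor
# labels l as L in both runs and lets the output through.
LEAK = [
    ("assign", "l", ("const", 1)),
    ("assign", "t", ("const", 1)),
    ("if", ("eq", ("var", "h"), ("const", 1)), [("assign", "t", ("const", 0))], []),
    ("if", ("eq", ("var", "t"), ("const", 1)), [("assign", "l", ("const", 0))], []),
    ("output", ("var", "l")),
]

# Secure program a flow-INsensitive analysis would reject: t holds h, then is
# overwritten with a constant before being output; flow-sensitivity accepts it.
SAFE = [
    ("assign", "t", ("var", "h")),
    ("assign", "t", ("const", 1)),
    ("output", ("var", "t")),
]

if __name__ == "__main__":
    print("purely dynamic leaks:", leaks(LEAK, hybrid=False))  # True
    print("hybrid leaks:       ", leaks(LEAK, hybrid=True))    # False
    print("hybrid accepts SAFE:", run(SAFE, 0, True), run(SAFE, 1, True))
```

The purely dynamic monitor outputs 1 when h = 1 and 0 when h = 0, so the public output equals the secret. The hybrid monitor raises t at the first conditional and l at the second in both runs, so both runs stop before output and the observable behaviour is identical, which is what the termination-insensitive guarantee requires. SAFE shows that the hybrid monitor keeps the permissiveness gained by flow-sensitivity.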
