Implicit flows in malicious and nonmalicious code

Information-flow technology is a promising approach for ensuring security by design and construction. When tracking information flow, of particular concern are implicit flows, i.e., flows through control flow when computation branches on secret data and performs publicly observed side effects depending on which branch is taken. The large body of literature exercises two extreme views on implicit flows: either track them (striving to show that there are no leaks, and often running into the problem of complex enforcement mechanisms and false alarms), or not track them (which reduces false alarms, but provides weak or no security guarantees). This paper distinguishes between malicious and nonmalicious code. The attacker may exploit implicit flows with malicious code, and so they should be tracked. We show how this can be done by a security type system and by a monitor. For nonmalicious code, we explore a middle ground between the two extremes.We observe that implicit flows are often harmless in nonmalicious code: they cannot be exploited to efficiently leak secrets. To this end, we are able to guarantee strong informationflow properties with a combination of an explicit-flow and a graph-pattern analyses. Initial studies of industrial code (secure logging and data sanitization) suggest that our approach has potential of offering a desired combination of a lightweight analysis, strong security guarantees, and no excessive false alarms.

[1]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[2]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[3]  David A. Wagner,et al.  This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. Detecting Format String Vulnerabilities with Type Qualifiers , 2001 .

[4]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[5]  Vincent Simonet The Flow Caml system , 2003 .

[6]  Gavin Lowe,et al.  Quantifying information flow , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[7]  Boniface Hicks,et al.  Trusted declassification:: high-level policy for a security-typed language , 2006, PLAS '06.

[8]  Andrew C. Myers,et al.  SIF: Enforcing Confidentiality and Integrity in Web Applications , 2007, USENIX Security Symposium.

[9]  Peter J. Denning,et al.  Certification of programs for secure information flow , 1977, CACM.

[10]  David Clark,et al.  Quantitative Analysis of the Leakage of Confidential Data , 2002, QAPL.

[11]  Alfred V. Aho,et al.  The Design and Analysis of Computer Algorithms , 1974 .

[12]  Butler W. Lampson,et al.  A note on the confinement problem , 1973, CACM.

[13]  François Pottier,et al.  Information flow inference for ML , 2003, TOPL.

[14]  Erik Poll,et al.  Explicit information flow properties in JML , 2008 .

[15]  Alejandro Russo,et al.  From Dynamic to Static and Back: Riding the Roller Coaster of Information-Flow Control Research , 2009, Ershov Memorial Conference.

[16]  Dennis M. Volpano Safety versus Secrecy , 1999, SAS.

[17]  Trent Jaeger,et al.  Implicit Flows: Can't Live with 'Em, Can't Live without 'Em , 2008, ICISS.

[18]  Adrian Hilton,et al.  Enforcing security and safety models with an information flow analysis tool , 2004, SIGAda '04.

[19]  Andrew C. Myers,et al.  Jif: java information flow , 1999 .

[20]  Stephen McCamant,et al.  Quantitative information flow as network flow capacity , 2008, PLDI '08.

[21]  John G. P. Barnes,et al.  High Integrity Software - The SPARK Approach to Safety and Security , 2003 .

[22]  David Sands,et al.  Termination-Insensitive Noninterference Leaks More Than Just a Bit , 2008, ESORICS.

[23]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[24]  Michael R. Clarkson,et al.  Belief in information flow , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[25]  Xin Zheng,et al.  Secure web applications via automatic partitioning , 2007, SOSP.

[26]  David Evans,et al.  Improving Security Using Extensible Lightweight Static Analysis , 2002, IEEE Softw..

[27]  Vitaly Shmatikov,et al.  Inputs of Coma: Static Detection of Denial-of-Service Vulnerabilities , 2009, 2009 22nd IEEE Computer Security Foundations Symposium.

[28]  Christopher Krügel,et al.  Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis , 2007, NDSS.