Hybrid Static-Runtime Information Flow and Declassification Enforcement

There are different paradigms for enforcing information flow and declassification policies. These approaches can be divided into static analyzers and runtime enforcers. Each class has its own strengths and weaknesses, and each is able to enforce a different set of policies. In this paper, we introduce a hybrid static-runtime enforcement mechanism that works on unannotated program code and supports information-flow control as well as declassification policies. Our approach enforces realistic policies, as shown by our three running examples, all set in the context of a mobile device application; these policies cannot be handled by static or runtime approaches alone, and are also not covered by the current access control models of mobile platforms such as Android or iOS. We also show that including an intermediate step (called the preload check) makes the static analysis system independent (in terms of security labels) and keeps the runtime enforcer lightweight. Finally, we implement our runtime enforcer and run experiments showing that its overhead is low enough for the approach to be rolled out on current mobile systems.
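As an added illustration (not the paper's code), the toy Python pipeline below sketches the three stages the abstract describes: a label-independent static pass, a preload check that binds its result to one device's labels and declassification rules, and a runtime enforcer that only inspects the sinks the preload check could not decide ahead of time. The statement IR, the two-point lattice, the "coarsen" transform and the "user_consented" condition are all constructed assumptions.

```python
from collections import defaultdict

# Constructed toy program in a tiny IR: (dst, op, *args). "source"/"sink" name
# an abstract device resource; any other op is a transform on its arguments.
PROGRAM = [
    ("loc", "source", "GPS"),
    ("contacts", "source", "CONTACTS"),
    ("msg", "concat", "loc", "contacts"),
    ("city", "coarsen", "loc"),            # hypothetical coarsening transform
    ("out1", "sink", "NETWORK", "city"),
    ("out2", "sink", "NETWORK", "msg"),
]
# Constructed device policy: two-point lattice (0 = public, 1 = private) and one
# declassification rule keyed by (source, transform path, sink). A rule is either
# "always" or the name of a runtime condition the enforcer must check.
POLICY = {
    "label": {"GPS": 1, "CONTACTS": 1},
    "clearance": {"NETWORK": 0},
    "declassify": {("GPS", ("coarsen",), "NETWORK"): "user_consented"},
}

def static_analysis(program):
    """Stage 1, label independent: per sink, the (source, transform path) pairs reaching it."""
    taint = defaultdict(set)
    sinks = []
    for dst, op, *args in program:
        if op == "source":
            taint[dst] = {(args[0], ())}
        elif op == "sink":
            sinks.append((args[0], frozenset(taint[args[1]])))
        else:
            for arg in args:
                taint[dst] |= {(src, path + (op,)) for src, path in taint[arg]}
    return sinks

def preload_check(sinks, policy):
    """Stage 2: bind stage-1 facts to this device's labels; one verdict per sink."""
    verdicts = []
    for sink, flows in sinks:
        conds = set()
        for src, path in flows:
            if policy["label"][src] <= policy["clearance"][sink]:
                continue                       # permitted by the lattice itself
            rule = policy["declassify"].get((src, path, sink))
            if rule is None:
                verdicts.append((sink, "deny", frozenset())); break
            if rule != "always":
                conds.add(rule)
        else:
            verdicts.append((sink, "check" if conds else "allow", frozenset(conds)))
    return verdicts

def runtime_enforce(verdicts, context):
    """Stage 3, lightweight: only 'check' sinks consult the runtime context."""
    return [v == "allow" or (v == "check" and all(context.get(c) for c in conds))
            for _, v, conds in verdicts]
```

Here the second network sink is rejected before the program ever runs, and the first costs the runtime enforcer a single dictionary lookup.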
