Information Flow Security for XML Transformations

We provide a formal definition of information flows in XML transformations and, more generally, in the presence of type driven computations and describe a sound technique to detect transformations that may leak private or confidential information. We also outline a general framework to check middleware-located information flows.

[1]  Colin Runciman,et al.  Haskell and XML: generic combinators or type-based translation? , 1999, ICFP '99.

[2]  François Pottier,et al.  Information flow inference for ML , 2003, TOPL.

[3]  Giuseppe Castagna,et al.  CDuce: an XML-centric general-purpose language , 2003, ICFP '03.

[4]  Jérôme Siméon,et al.  YATL: a Functional and Declarative Language for XML , 2000 .

[5]  Benjamin C. Pierce,et al.  Regular Object Types , 2003, ECOOP.

[6]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[7]  Sabrina De Capitani di Vimercati,et al.  A fine-grained access control system for XML documents , 2002, TSEC.

[8]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[9]  Aske Simon Christensen,et al.  Extending Java for high-level Web service construction , 2002, TOPL.

[10]  Giuseppe Castagna,et al.  CDuce: an XML-centric general-purpose language , 2003, ACM SIGPLAN Notices.

[11]  Andrew C. Myers,et al.  A decentralized model for information flow control , 1997, SOSP.

[12]  Philip Wadler,et al.  An Algebra for XML Query , 2000, FSTTCS.

[13]  Benjamin C. Pierce,et al.  XDuce: A statically typed XML processing language , 2003, TOIT.

[14]  Analysis and caching of dependencies , 1996, ICFP '96.

[15]  Benjamin C. Pierce,et al.  Xduce: a typed xml processing language , 1997 .

[16]  Véronique Benzaken Duce : An XML-Centric General-Purpose Language , 2003 .

[17]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[18]  Giuseppe Castagna,et al.  Semantic subtyping , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[19]  Alban Gabillon,et al.  Regulating Access to XML documents , 2001, DBSec.

[20]  Ernesto Damiani,et al.  Design and implementation of an access control processor for XML documents , 2000, Comput. Networks.

[21]  Sylvain Conchon,et al.  Information flow inference for free , 2000, ICFP '00.

[22]  Geoffrey Smith,et al.  A Type-Based Approach to Program Security , 1997, TAPSOFT.

[23]  Aske Simon Christensen,et al.  Extending Java for High-Level Web Service Construction , 2002 .