CPL - Chalmers Publication Library
| Utbildning | Forskning | Styrkeområden | Om Chalmers | In English In English Ej inloggad.

Implicit flows in malicious and nonmalicious code

Alejandro Russo (Institutionen för data- och informationsteknik (Chalmers)) ; Andrei Sabelfeld (Institutionen för data- och informationsteknik (Chalmers)) ; Li Keqin
Proceedings of the 2009 Marktoberdorf Summer School, IOS Press (2009)
[Konferensbidrag, refereegranskat]

Information-flow technology is a promising approach for ensuring security by design and construction. When tracking information flow, of particular concern are implicit flows, i.e., flows through control flow when computation branches on secret data and performs publicly observed side effects depending on which branch is taken. The large body of literature exercises two extreme views on implicit flows: either track them (striving to show that there are no leaks, and often running into the problem of complex enforcement mechanisms and false alarms), or not track them (which reduces false alarms, but provides weak or no security guarantees). This paper distinguishes between malicious and nonmalicious code. The attacker may exploit implicit flows with malicious code, and so they should be tracked. We show how this can be done by a security type system and by a monitor. For nonmalicious code, we explore a middle ground between the two extremes.We observe that implicit flows are often harmless in nonmalicious code: they cannot be exploited to efficiently leak secrets. To this end, we are able to guarantee strong informationflow properties with a combination of an explicit-flow and a graph-pattern analyses. Initial studies of industrial code (secure logging and data sanitization) suggest that our approach has potential of offering a desired combination of a lightweight analysis, strong security guarantees, and no excessive false alarms.

Nyckelord: Security, noninterference, implicit flows, static analysis, monitoring



Denna post skapades 2009-10-12. Senast ändrad 2015-12-17.
CPL Pubid: 100051

 

Läs direkt!


Länk till annan sajt (kan kräva inloggning)


Institutioner (Chalmers)

Institutionen för data- och informationsteknik (Chalmers)

Ämnesområden

Datalogi

Chalmers infrastruktur