CPL - Chalmers Publication Library

Tracking Dependencies for Security and Privacy

Arnar Birgisson (Department of Computer Science and Engineering, Software Engineering (Chalmers))
Göteborg : Chalmers University of Technology, 2013. ISBN: 978-91-7385-929-5.

Information Flow Control is a well established field of research, providing a suite of theoretical and practical results. However, adoption in real-world systems has yet to catch up. This thesis seeks to expand the boundaries of this field, in particular with the aim of making Information Flow Control more applicable to real-world scenarios. To this end, it studies several areas for improvement. These range from fundamental notions of policies for specifying limitations on data dependencies induced by programs, to mechanisms for enforcing such policies both statically and dynamically. We aim to push the current state of the art by identifying and addressing areas where current policy definitions and enforcement mechanisms fall short in terms of providing information confidentiality and integrity. On the policy side, we examine existing, incomparable notions of integrity. We present a generalized integrity framework that features a range of integrity facets including correctness to data dependency. We demonstrate how all the facets at once can be enforced by a single execution monitor. We also consider information leaked in multiple runs, which traditional non-interference policies address poorly. Employing a knowledge-based policy, we show that only minor adjustments are needed to standard type systems to cover the multi-run case. We apply data-dependency policies and tracking to provide a flexible programming model on top of differentially private databases. On the enforcement side, we demonstrate how a language endowed with capabilities can directly enforce information flow control policies using such primitives, through a program transformation. The thesis then considers the permissiveness of dynamic monitors, and shows that it can be improved mechanically through the use of random testing and program rewriting. Following that, we explore the challenges, and their solutions, of implementing a dynamic monitor for the full language of JavaScript, including its built-in libraries and APIs. Finally, we develop a framework of integrity-protected capabilities that support attenuated delegation and contextual bindings. In particular, contextual bindings allow the capability to encode dependencies between the invoker's context, the resource it refers to and the host's context, that must be satisfied for proper authorization. We show that our construction applies well to cheap but powerful authentication protocols for distributed systems and cloud services.

Keywords: Software Security, Programming Languages, Web Security

This publication is part of the following Areas of Advance:


This record was created 2013-10-23. Last modified 2013-11-15.
CPL Pubid: 185548


Departments (Chalmers)

Department of Computer Science and Engineering, Software Engineering (Chalmers)


Information and Communication Technology


Related publications

Included papers:

Unifying Facets of Information Integrity

Capabilities for information flow

Multi-run security

Position Paper: Differential Privacy with Information Flow Control

Boosting the Permissiveness of Dynamic Information-Flow Tracking by Testing


Date: 2013-11-25
Time: 10:00
Venue: VV12, Sven Hultins gata 6, Chalmers.
Opponent: Prof. Michael Hicks, Department of Computer Science, University of Maryland, USA.

Part of series

Doctoral theses at Chalmers University of Technology. New series 3610