CPL - Chalmers Publication Library
| Utbildning | Forskning | Styrkeområden | Om Chalmers | In English In English Ej inloggad.

From dynamic to static and back: Riding the roller coaster of information-flow control research

Andrei Sabelfeld (Institutionen för data- och informationsteknik, Datavetenskap (Chalmers)) ; Alejandro Russo (Institutionen för data- och informationsteknik, Datavetenskap (Chalmers))
Lecture Notes in Computer Science. 7th International Andrei Ershov Memorial Conference on Perspectives of System Informatics, PSI 2009, Novosibirsk, 15-19 June 2009 (0302-9743). Vol. 5947 (2009), p. 352-365.
[Konferensbidrag, refereegranskat]

Historically, dynamic techniques are the pioneers of the area of information flow in the 70’s. In their seminal work, Denning and Denning suggest a static alternative for information-flow analysis. Following this work, the 90’s see the domination of static techniques for information flow. The common wisdom appears to be that dynamic approaches are not a good match for security since monitoring a single path misses public side effects that could have happened in other paths. Dynamic techniques for information flow are on the rise again, driven by the need for permissiveness in today’s dynamic applications. But they still involve nontrivial static checks for leaks related to control flow. This paper demonstrates that it is possible for a purely dynamic enforcement to be as secure as Denning-style static information-flow analysis, despite the common wisdom. We do have the trade-off that static techniques have benefits of reducing runtime overhead, and dynamic techniques have the benefits of permissiveness (this, for example, is of particular importance in dynamic applications, where freshly generated code is evaluated). But on the security side, we show for a simple imperative language that both Denning-style analysis and dynamic enforcement have the same assurance: termination-insensitive noninterference.

Nyckelord: information-flow, type systems, monitors

Denna post skapades 2009-05-04. Senast ändrad 2016-07-22.
CPL Pubid: 93390


Läs direkt!

Länk till annan sajt (kan kräva inloggning)

Institutioner (Chalmers)

Institutionen för data- och informationsteknik, Datavetenskap (Chalmers)



Chalmers infrastruktur