
Permissive runtime information flow control in the presence of exceptions

Published: 01 January 2021

Abstract

Information flow control (IFC) has been extensively studied as an approach to mitigate information leaks in applications. The vast majority of existing work in this area is based on static analysis. However, some applications, especially on the Web, are developed using dynamic languages like JavaScript, where static analyses for IFC do not scale well. As a result, there has been growing interest in recent years in developing dynamic or runtime information flow analysis techniques. In spite of the advances in the field, runtime information flow analysis has not been at the helm of information flow security, one of the reasons being that the analysis techniques and the security property related to them (non-interference) over-approximate information flows (particularly implicit flows), generating many false positives.
In this paper, we present a sound and precise approach for handling implicit leaks at runtime. In particular, we present an improvement and enhancement of the so-called permissive-upgrade strategy, which is widely used to tackle implicit leaks in dynamic information flow control. We improve the strategy’s permissiveness and generalize it. Building on top of it, we present an approach to handle implicit leaks when dealing with complex features like unstructured control flow and exceptions in higher-order languages. We explain how we address the challenge of handling unstructured control flow using immediate post-dominator analysis. We prove that our approach is sound and precise.
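As an added illustration (editor's example, not code from the paper or its authors), the following Python monitor runs a constructed toy bytecode and shows the two mechanisms the abstract names: the baseline permissive-upgrade rule, which marks a public variable written under a secret pc as "partially leaked" (P) and halts only when such a value reaches a branch, and restoring the pc label at the branch's immediate post-dominator (IPD) rather than at a syntactic block end, which is what makes it work for jumps. The three-point label lattice, the instruction format, and the assumption that the last instruction is the single exit are my simplifications; the paper's generalized strategy is not reproduced here.

```python
L, H, P = 0, 1, 2   # public, secret, partially leaked; ordered L < H < P (constructed toy lattice)

def successors(prog, i):      # CFG edges of instruction i (instruction tuples as in LEAKY below)
    op = prog[i]
    return {"end": [], "jmp": op[1:2], "bz": [i + 1, *op[2:3]]}.get(op[0], [i + 1])

def immediate_post_dominators(prog):
    """IPD of every non-exit node, from iterative post-dominator sets (exit = the last 'end')."""
    n, pdom, new = len(prog), None, {i: set(range(len(prog))) for i in range(len(prog))}
    while new != pdom:
        pdom = new
        new = {i: {i} | set.intersection(*(pdom[s] for s in successors(prog, i)))
               for i in range(n - 1)}
        new[n - 1] = {n - 1}
    # the IPD is the strict post-dominator that every other strict post-dominator post-dominates
    return {i: next(d for d in pdom[i] - {i} if pdom[i] - {i} <= pdom[d]) for i in range(n - 1)}

def run(prog, env, labels):   # returns (public outputs, None) or (outputs so far, why it halted)
    ipd, pc_stack, out, i = immediate_post_dominators(prog), [], [], 0
    while prog[i][0] != "end":
        while pc_stack and pc_stack[-1][1] == i:   # reached the branch's IPD: restore the pc
            pc_stack.pop()
        pc, op, nxt = (pc_stack[-1][0] if pc_stack else L), prog[i], i + 1
        if op[0] == "assign":                       # ("assign", x, fn, deps): x = fn(env)
            lab = max([pc] + [labels[d] for d in op[3]])
            # permissive upgrade: a non-secret x written under a secret pc becomes P
            # instead of halting the program, as the no-sensitive-upgrade rule would
            labels[op[1]] = P if pc == H and labels.get(op[1], L) != H else lab
            env[op[1]] = op[2](env)
        elif op[0] == "bz":                         # ("bz", x, target): jump if not x
            if labels[op[1]] == P:                  # a P value may never decide a branch
                return out, f"branch on partially leaked {op[1]} at {i}"
            if labels[op[1]] == H: pc_stack.append((H, ipd[i]))
            if not env[op[1]]: nxt = op[2]
        elif op[0] == "jmp":
            nxt = op[1]
        elif op[0] == "out":                        # ("out", x): write x to a public channel
            if max(pc, labels[op[1]]) != L:
                return out, f"secret output of {op[1]} at {i}"
            out.append(env[op[1]])
        i = nxt
    return out, None

# Constructed sample: the classic implicit-flow leak  x = y = true; if h: x = false; if x: y = false
LEAKY = (("assign", "x", lambda e: True, []), ("assign", "y", lambda e: True, []),
         ("bz", "h", 4), ("assign", "x", lambda e: False, []),       # 2-3: if h: x = false
         ("bz", "x", 6), ("assign", "y", lambda e: False, []),       # 4-5: if x: y = false
         ("out", "y"), ("end",))
```

With `h` secret and true, `run(LEAKY, {"h": True}, {"h": H})` lets the write to `x` at instruction 3 proceed (marking `x` as P) and halts at the branch on `x` at instruction 4, where the no-sensitive-upgrade rule would already have halted at instruction 3; a program that never branches on the upgraded variable runs to completion.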


Published In

Journal of Computer Security, Volume 29, Issue 4, 2021, 84 pages

Publisher

IOS Press, Netherlands


Author Tags

  1. Runtime information flow control
  2. permissive-upgrade
  3. control-flow graphs
  4. immediate post-dominator analysis
  5. exceptions

Qualifiers

  • Research-article
