Filters








109,983 Hits in 5.7 sec

A Permission-Dependent Type System for Secure Information Flow Analysis [article]

Hongxu Chen, Alwen Tiu, Zhiwu Xu, Yang Liu
2017 arXiv   pre-print
We introduce a novel type system for enforcing secure information flow in an imperative language.  ...  We take inspiration from a type system by Banerjee and Naumann (BN) to allow security types to be dependent on the permissions of the applications.  ...  A Permission-Dependent Type System for Secure Information Flow Analysis 1:17 dependent noninterference.  ... 
arXiv:1709.09623v1 fatcat:twzprcwjprffbjzboulhflcaem

A Permission-Dependent Type System for Secure Information Flow Analysis

Hongxu Chen, Alwen Tiu, Zhiwu Xu, Yang Liu
2018 2018 IEEE 31st Computer Security Foundations Symposium (CSF)  
We introduce a novel type system for enforcing secure information flow in an imperative language.  ...  We take inspiration from a type system by Banerjee and Naumann to allow security types to be dependent on the permissions of the applications.  ...  A SECURE INFORMATION FLOW TYPE SYSTEM In this section, we present the proposed information flow type system.  ... 
doi:10.1109/csf.2018.00023 dblp:conf/csfw/ChenTXL18 fatcat:izwnkyhlxfbdll5o2o2mkz73eu

Security policy analysis using deductive spreadsheets

Anu Singh, C. R. Ramakrishnan, I. V. Ramakrishnan, Scott D. Stoller, David S. Warren
2007 Proceedings of the 2007 ACM workshop on Formal methods in security engineering - FMSE '07  
This approach is introduced with a simple example of analyzing information flow allowed by RBAC policies and then applied in two case studies: analysis of computer system configurations and analysis of  ...  This paper explores the use of deductive spreadsheets for security policy analysis.  ...  Information-flow analysis determines possible information flows between security contexts or types.  ... 
doi:10.1145/1314436.1314443 dblp:conf/ccs/SinghRRSW07 fatcat:xzi4fnfgtneztfqq5uyc2yxdny

On modeling system-centric information for role engineering

Dongwan Shin, Gail-Joon Ahn, Sangrae Cho, Seunghun Jin
2003 Proceedings of the eighth ACM symposium on Access control models and technologies - SACMAT '03  
Not only can the information model provide those different authorities with a method for both analysis of resources and communication of knowledge in the RE process, but it can also help lay a foundation  ...  Afterwards, we discuss two informational flow types among authorities involved in RE process, forward information flow (FIF) and backward information flow (BIF), together with the introduction of an information  ...  This work was partially supported at the Laboratory of Information of Integration, Security and Privacy at the University of North Carolina at Charlotte by the grants from National Science Foundation (  ... 
doi:10.1145/775412.775434 dblp:conf/sacmat/ShinACJ03 fatcat:c4czxddgkjboheu22lm56qs25u

On modeling system-centric information for role engineering

Dongwan Shin, Gail-Joon Ahn, Sangrae Cho, Seunghun Jin
2003 Proceedings of the eighth ACM symposium on Access control models and technologies - SACMAT '03  
Not only can the information model provide those different authorities with a method for both analysis of resources and communication of knowledge in the RE process, but it can also help lay a foundation  ...  Afterwards, we discuss two informational flow types among authorities involved in RE process, forward information flow (FIF) and backward information flow (BIF), together with the introduction of an information  ...  This work was partially supported at the Laboratory of Information of Integration, Security and Privacy at the University of North Carolina at Charlotte by the grants from National Science Foundation (  ... 
doi:10.1145/775433.775434 fatcat:2fktlkbi5fe4rlkcg2ialcqzaq

Cassandra

Steffen Lortz, Heiko Mantel, Artem Starostin, Timo Bähr, David Schneider, Alexandra Weber
2014 Proceedings of the 4th ACM Workshop on Security and Privacy in Smartphones & Mobile Devices - SPSM '14  
We have proven that Cassandra's security analysis soundly detects all potential information leaks, i.e., all flows of information that violate a user's privacy policy.  ...  Cassandra performs the security analysis of apps on a server.  ...  Keller for contributing to an early version of Cassandra and the anonymous reviewers for providing valuable comments.  ... 
doi:10.1145/2666620.2666631 dblp:conf/ccs/LortzMSBSW14 fatcat:mw3ohk73vvdmbd3i64rzez5ekq

Dynamic vs. Static Flow-Sensitive Security Analysis

Alejandro Russo, Andrei Sabelfeld
2010 2010 23rd IEEE Computer Security Foundations Symposium  
A side implication is impossibility of permissive dynamic instrumented security semantics for information flow, which guides us to uncover an unsound semantics from the literature.  ...  It has been previously shown that flow-sensitive static information-flow analysis is a natural generalization of flowinsensitive static analysis, which allows accepting more secure programs.  ...  Acknowledgments Thanks are due to Aslan Askarov, Arnar Birgisson, Andrey Chudnov, and Michael Hicks for interesting discussions. This work was funded by the Swedish research agencies SSF and VR.  ... 
doi:10.1109/csf.2010.20 dblp:conf/csfw/RussoS10 fatcat:5nxov6n47rehlhqfozdtb4td3y

The Transitivity of Trust Problem in the Interaction of Android Applications [article]

Steffen Bartsch and Karsten Sohr and Michaela Bunke and Oliver Hofrichter and Bernhard Berger
2012 arXiv   pre-print
Instead, the information flow needs to be policed for the composite system of applications in a transparent and usable manner.  ...  In this paper, we propose to employ static analysis based on the software architecture and focused data flow analysis to scalably detect information flows between components.  ...  In another approach, type-based security combines annotations with dependence graph-based information flow control [27] .  ... 
arXiv:1204.1458v1 fatcat:ugbmbbqgb5gm3a2mlgfdej6lbm

Information flow based defensive chain for data leakage detection and prevention: a survey [article]

Ning Xi, Chao Chen, Jun Zhang, Cong Sun, Shigang Liu, Pengbin Feng, Jianfeng Ma
2021 arXiv   pre-print
Research communities and industries have proposed many Information Flow Control (IFC) techniques for data leakage detection and prevention, including secure modeling, type system, static analysis, dynamic  ...  We propose an information flow based defensive chain, which provides a new framework to systematically understand various IFC techniques for data leakage detection and prevention in Mobile and IoT applications  ...  [107] proposed a security type system which integrates Denning's lattice-based secure information flow (SIF) framework into LUSTRE, which is a high-level abstract programming model for IoT apps.  ... 
arXiv:2106.04951v1 fatcat:apib4mmp3va43dv5he7xu3aay4

Finding Tizen security bugs through whole-system static analysis [article]

Daniel Song, Jisheng Zhao, Michael Burke, Dragoş Sbîrlea, Dan Wallach, Vivek Sarkar
2015 arXiv   pre-print
In this research, we describe the design and engineering of a static analysis engine which drives a full information flow analysis for apps and a control flow analysis for the full library stack.  ...  With our tools, we found several unexpected behaviors in the Tizen system, including paths through the system libraries that did not have inline security checks.  ...  They did not build a tool to detect flow vulnerabilities. They identify security risks for colluding applications in modern permission-based operating systems.  ... 
arXiv:1504.05967v1 fatcat:aegk3dxdtrgdnorhwndqoobwlm

Beyond Stack Inspection: A Unified Access-Control and Information-Flow Security Model

Marco Pistoia, Anindya Banerjee, David A. Naumann
2007 2007 IEEE Symposium on Security and Privacy (SP '07)  
In this paper, we formally introduce Information-Based Access Control (IBAC), a novel security model that verifies that all and only the code responsible for a security-sensitive operation is sufficiently  ...  Its purpose is to use stack inspection to verify that all the code responsible for a security-sensitive action is sufficiently authorized to perform that action.  ...  Banerjee and Naumann [6] augment such a type system with an effect analysis for SBAC, and allow that a procedure's labeling may depend on the permissions authorized for it at runtime; noninterference  ... 
doi:10.1109/sp.2007.10 dblp:conf/sp/PistoiaBN07 fatcat:6klbjk245ja3nfieq7mxwwdbwe

A Hardware Design Language for Timing-Sensitive Information-Flow Security

Danfeng Zhang, Yao Wang, G. Edward Suh, Andrew C. Myers
2015 SIGPLAN notices  
SecVerilog is Verilog, extended with expressive type annotations that enable precise reasoning about information flow.  ...  We introduce a hardware design language, SecVerilog, which makes it possible to statically analyze information flow at the hardware level.  ...  Acknowledgments We thank Tao Chen, Chinawat Isradisaikul, Jed Liu, Dan Lo, Derek Lockhart, Stephen Longfield, Tom Magrino, Matthew Milano and the anonymous reviewers for their helpful suggestions.  ... 
doi:10.1145/2775054.2694372 fatcat:c2fvcf2jwzhzvg2hqqzfdlsmtm

A Hardware Design Language for Timing-Sensitive Information-Flow Security

Danfeng Zhang, Yao Wang, G. Edward Suh, Andrew C. Myers
2015 SIGARCH Computer Architecture News  
SecVerilog is Verilog, extended with expressive type annotations that enable precise reasoning about information flow.  ...  We introduce a hardware design language, SecVerilog, which makes it possible to statically analyze information flow at the hardware level.  ...  Acknowledgments We thank Tao Chen, Chinawat Isradisaikul, Jed Liu, Dan Lo, Derek Lockhart, Stephen Longfield, Tom Magrino, Matthew Milano and the anonymous reviewers for their helpful suggestions.  ... 
doi:10.1145/2786763.2694372 fatcat:kwvx44e2rbcr3k56ioidocat6u

Typing illegal information flows as program effects

Ana Almeida Matos, José Fragoso Santos
2012 Proceedings of the 7th Workshop on Programming Languages and Analysis for Security - PLAS '12  
We present a type and effect system for determining the least permissive relaxation of a given confidentiality policy that allows to type a program, given a fixed security labeling.  ...  Specification of information flow policies is classically based on a security labeling and a lattice of security levels that establishes how information can flow between security levels.  ...  Acknowledgments The authors would like to thank the Indes team at INRIA and all anonymous reviewers for discussions and comments that have improved the final outcome of the paper.  ... 
doi:10.1145/2336717.2336718 dblp:conf/pldi/MatosS12 fatcat:l7gnpj6yzvgo5iuimyd54a2tnq

History-Based Access Control and Secure Information Flow [chapter]

Anindya Banerjee, David A. Naumann
2005 Lecture Notes in Computer Science  
The static analysis is a type and effects analysis where the chief novelty is the use of security types dependent on permission state.  ...  The main contributions of this paper are to provide a semantics for history-based access control and a static analysis for confidentiality that takes history-based access control into account.  ...  With respect to security type systems, the chief technical novelty was the use of a permission-dependent security type system and the formalization of noninterference for such a type system.  ... 
doi:10.1007/978-3-540-30569-9_2 fatcat:qj4gum6n3jawfbtgisvkyhxqau
« Previous Showing results 1 — 15 out of 109,983 results