Dynamic vs. Static Flow-Sensitive Security Analysis

Alejandro Russo, Andrei Sabelfeld
2010 2010 23rd IEEE Computer Security Foundations Symposium  
It has been previously shown that flow-sensitive static information-flow analysis is a natural generalization of flow-insensitive static analysis, which allows accepting more secure programs.  ...  We prove impossibility of a sound purely dynamic information-flow monitor that accepts programs certified by a classical flow-sensitive static analysis.  ...  Hunt and Sands [25] have shown that flow-sensitive static information-flow analysis is a natural generalization of flow-insensitive static analysis, which allows accepting more secure programs.  ... 
doi:10.1109/csf.2010.20 dblp:conf/csfw/RussoS10 fatcat:5nxov6n47rehlhqfozdtb4td3y
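The impossibility result summarized in this entry can be replayed on a toy loop-free While language. The block below is an added illustration written for this listing, not code from Russo and Sabelfeld's paper; the tuple encoding of programs, the variable names x, y and h (h secret), and the policy names 'naive' and 'nsu' are assumptions of the example. It contains a Hunt-Sands style flow-sensitive static analysis and a purely dynamic flow-sensitive monitor in two variants: one that only upgrades labels on assignment, and one that additionally stops on a sensitive upgrade (no-sensitive-upgrade).

```python
# Added example (not from the listed paper): a toy loop-free While language with a
# Hunt-Sands style flow-sensitive static analysis and two purely dynamic flow-
# sensitive monitors, used to replay the leak that makes a sound and fully
# permissive purely dynamic flow-sensitive monitor impossible.
#   statements:  ('assign', var, expr)  ('if', expr, then_block, else_block)  ('out', expr)
#   expressions: ('const', n)  ('var', name)  ('eq', e1, e2)
# Labels: L (public) < H (secret); join is max().  All variables must be declared
# in the initial label environment (an assumption of this toy, not of the paper).
L, H = 0, 1

def level_of(expr, env):
    """Label of an expression: join of the labels of the variables it reads."""
    if expr[0] == 'const':
        return L
    if expr[0] == 'var':
        return env[expr[1]]
    return max(level_of(expr[1], env), level_of(expr[2], env))

def static_env(block, env, pc):
    """Flow-sensitive static analysis: variable labels change along the program and
    the two arms of an if are joined, so the arm NOT taken at run time still counts."""
    env = dict(env)
    for stmt in block:
        if stmt[0] == 'assign':
            env[stmt[1]] = max(level_of(stmt[2], env), pc)
        elif stmt[0] == 'if':
            c = max(level_of(stmt[1], env), pc)
            e1, e2 = static_env(stmt[2], env, c), static_env(stmt[3], env, c)
            env = {v: max(e1[v], e2[v]) for v in env}
        else:                                          # 'out' to the public channel
            if max(level_of(stmt[1], env), pc) == H:
                raise ValueError('static analysis rejects: secret may reach public output')
    return env

def static_accepts(block, env):
    try:
        static_env(block, env, L)
        return True
    except ValueError:
        return False

def eval_expr(expr, store):
    if expr[0] == 'const':
        return expr[1]
    if expr[0] == 'var':
        return store[expr[1]]
    return int(eval_expr(expr[1], store) == eval_expr(expr[2], store))

def monitor(block, store, env, policy, pc=L, out=None):
    """Purely dynamic flow-sensitive monitor: it sees only the executed path.
    policy 'naive': raise the assigned variable's label to (expr label join pc).
    policy 'nsu':   additionally stop on an assignment to a public variable under a
                    secret pc (no-sensitive-upgrade).  Returns (accepted, outputs)."""
    out = [] if out is None else out
    for stmt in block:
        if stmt[0] == 'assign':
            var, expr = stmt[1], stmt[2]
            if policy == 'nsu' and pc == H and env[var] == L:
                return False, out
            store[var] = eval_expr(expr, store)
            env[var] = max(level_of(expr, env), pc)   # flow-sensitive label upgrade
        elif stmt[0] == 'if':
            c = max(level_of(stmt[1], env), pc)
            branch = stmt[2] if eval_expr(stmt[1], store) else stmt[3]
            ok, out = monitor(branch, store, env, policy, c, out)
            if not ok:
                return False, out
        else:                                          # 'out' to the public channel
            if max(level_of(stmt[1], env), pc) == H:
                return False, out
            out.append(eval_expr(stmt[1], store))
    return True, out

V, C = (lambda x: ('var', x)), (lambda n: ('const', n))
# h is secret.  The arm of the first if that is NOT taken decides what the second
# if does to y, so a monitor that only watches the executed path is fooled.
LEAKY = [('assign', 'x', C(1)), ('assign', 'y', C(1)),
         ('if', V('h'), [('assign', 'x', C(0))], []),
         ('if', ('eq', V('x'), C(1)), [('assign', 'y', C(0))], []),
         ('out', V('y'))]
SECURE = LEAKY[:2] + [('if', V('h'), [], [])] + LEAKY[3:]   # same program, empty first arm
INIT_ENV = {'h': H, 'x': L, 'y': L}

def run(block, h, policy):
    """Execute block under the given monitor with constructed secret input h."""
    return monitor(block, {'h': h, 'x': 0, 'y': 0}, dict(INIT_ENV), policy)

if __name__ == '__main__':
    print('static accepts LEAKY/SECURE:', static_accepts(LEAKY, INIT_ENV), static_accepts(SECURE, INIT_ENV))
    for prog, name in ((LEAKY, 'LEAKY'), (SECURE, 'SECURE')):
        for policy in ('naive', 'nsu'):
            print(name, policy, [run(prog, h, policy) for h in (0, 1)])
```

The naive monitor accepts both runs of LEAKY and outputs 1 for h=1 but 0 for h=0, so the public output encodes h. The h=0 run of LEAKY produces exactly the trace a purely dynamic monitor sees when running SECURE, which the static analysis certifies; any monitor that accepts SECURE therefore accepts that run, and to stay sound it must reject the h=1 run instead, which is what the no-sensitive-upgrade variant does at the cost of stopping a program the static analysis would have rejected anyway. The static analysis, by joining both arms of the first if, labels x (and then y) secret and rejects LEAKY outright while accepting SECURE.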

Taming the dynamic behavior of JavaScript

Shiyi Wei, Barbara G. Ryder
2014 Proceedings of the companion publication of the 2014 ACM SIGPLAN conference on Systems, Programming, and Applications: Software for Humanity - SPLASH '14  
Our solution for dynamic object behavior: state-sensitive points-to analysis [2].  ...  Partially flow-sensitive analysis via State-Preserving Block Graph (SPBG). Calling context: an approximation of the object state of the receiver object. Extended points-to graph with annotations.  ... 
doi:10.1145/2660252.2660393 dblp:conf/oopsla/WeiR14 fatcat:lm6qkep6wnbclmafkpjkbevvgu

Value Sensitivity and Observable Abstract Values for Information Flow Control [chapter]

Luciano Bello, Daniel Hedin, Andrei Sabelfeld
2015 Lecture Notes in Computer Science  
Flow-, context-, and object-sensitive techniques have been suggested to improve the precision of static information flow control and dynamic monitors have been explored to leverage the knowledge about  ...  This paper explores value sensitivity to boost the permissiveness of information flow control. We show that both dynamic and hybrid information flow mechanisms benefit from value sensitivity.  ...  analysis but also the static counterpart is improved by value sensitivity.  ... 
doi:10.1007/978-3-662-48899-7_5 fatcat:va2gfs5kyjd6rpcgh3szwqcnde

Optimal Unification of Static and Dynamic Features for Smartphone Security Analysis

Sumit Kumar, S. Indu, Gurjit Singh Walia
2023 Intelligent Automation and Soft Computing  
To address these issues, an optimal unification of static and dynamic features for smartphone security analysis is proposed.  ...  Also, static analysis approaches fail to detect run-time behaviors of malicious apps.  ...  We propose a hybrid solution that combines both static and dynamic analysis to overcome the limitations of static and dynamic analysis.  ... 
doi:10.32604/iasc.2023.024469 fatcat:b4vafpvoxrh5bmebikyj3zfike

Value-Sensitive Hybrid Information Flow Control for a JavaScript-Like Language

Daniel Hedin, Luciano Bello, Andrei Sabelfeld
2015 2015 IEEE 28th Computer Security Foundations Symposium  
Purely static analysis falls short of addressing dynamic language features such as dynamic objects and dynamic code evaluation, while purely dynamic analysis suffers from inability to predict side effects  ...  This paper develops a value-sensitive hybrid mechanism for tracking information flow in a JavaScript-like language.  ...  Static vs. dynamic information flow control. Much progress has been made on information flow control for more and more expressive languages.  ... 
doi:10.1109/csf.2015.31 dblp:conf/csfw/HedinBS15 fatcat:4krpgr3345gkbpifajz4x6five

Static Analysis for Efficient Hybrid Information-Flow Control

Scott Moore, Stephen Chong
2011 2011 IEEE 24th Computer Security Foundations Symposium  
Hybrid information-flow monitors use a combination of static analysis and dynamic mechanisms to provide precise strong information security guarantees.  ...  First, a simple static analysis can determine when it is sound for a monitor to stop tracking the security level of certain variables.  ...  Static analysis We use a simple flow-sensitive security type system [22] to determine when a variable cannot cause a security violation.  ... 
doi:10.1109/csf.2011.17 dblp:conf/csfw/MooreC11 fatcat:wjryaocuojal5kynwqfn2xxfse

Control-Flow Integrity: Precision, Security, and Performance [article]

Nathan Burow, Scott A. Carr, Joseph Nash, Per Larsen, Michael Franz, Stefan Brunthaler, Mathias Payer
2017 arXiv   pre-print
Control-flow hijacking attacks exploit memory corruption vulnerabilities to divert program execution away from the intended control flow.  ...  We compare a broad range of CFI mechanisms using a unified nomenclature based on (i) a qualitative discussion of the conceptual security guarantees, (ii) a quantitative security evaluation, and (iii) an  ...  .4a: flow-sensitive analysis; SAP.F.4b: context-sensitive analysis; SAP.F.5: context- and flow-sensitive analysis; SAP.F.6: dynamic analysis (optimistic). The following classification summarizes prior work  ... 
arXiv:1602.04056v3 fatcat:gef4lo4tafb6dhmylmg2eomotq

Survey on JavaScript security policies and their enforcement mechanisms in a web browser

Nataliia Bielova
2013 The Journal of Logic and Algebraic Programming  
Among all the works on web browser security, we survey dynamic techniques based on runtime monitoring as well as secure information flow techniques.  ...  The dynamism of web applications is provided by the use of web scripts, and in particular JavaScript, that accesses this information through a browser-provided set of APIs.  ...  Static vs. dynamic vs. hybrid analysis. Initially, the enforcement techniques for secure information flow were based on purely static analysis, like Denning-style enforcement [18], and it was proven to  ... 
doi:10.1016/j.jlap.2013.05.001 fatcat:5pntdqk5fnasnpmjvfgsgkk5za

We Are Family: Relating Information-Flow Trackers [chapter]

Musard Balliu, Daniel Schoepe, Andrei Sabelfeld
2017 Lecture Notes in Computer Science  
This flexibility facilitates a secure app store architecture, where the static stage of verification is performed by the app store and the dynamic stage is deployed on the client.  ...  The framework is deployed in a staged fashion, statically embedding a dynamic monitor, being parametric in security policies, as they do not need to be fixed until the final deployment.  ...  Russo and Sabelfeld [43] discuss trade-offs between static and dynamic flow-sensitive analysis. We leverage their flow-sensitive monitor.  ... 
doi:10.1007/978-3-319-66402-6_9 fatcat:rntfzahwurdnpotvcyqagvxyvq

Practical blended taint analysis for JavaScript

Shiyi Wei, Barbara G. Ryder
2013 Proceedings of the 2013 International Symposium on Software Testing and Analysis - ISSTA 2013  
However, the latter pose challenges to static analyses aimed at finding security vulnerabilities (e.g., taint analysis).  ...  We present blended taint analysis, an instantiation of our general-purpose analysis framework for JavaScript, to illustrate how a combined dynamic/static analysis approach can deal with dynamic features  ...  Many security problems can be formalized as information flow problems [3] which seek to preserve the integrity of data (i.e., not allow untrusted values to affect a sensitive value or operation) and  ... 
doi:10.1145/2483760.2483788 dblp:conf/issta/WeiR13 fatcat:yxodxt4ofna2lj27sjjwseavja

Challenges in Defining a Programming Language for Provably Correct Dynamic Analyses [chapter]

Eric Bodden, Andreas Follner, Siegfried Rasthofer
2012 Lecture Notes in Computer Science  
Codana analyses form security monitors; they allow programmers to proactively protect their programs from security threats such as insecure information flows, buffer overflows and access-control violations  ...  This is difficult as, nevertheless, Codana must comprise sufficiently expressive language constructs to cover a large class of security-relevant dynamic analyses.  ...  Based on the specification, the approach then automatically generates an appropriate flow-sensitive and path-sensitive static analysis for C/C++ programs.  ... 
doi:10.1007/978-3-642-34026-0_2 fatcat:nwu6moz6hnaatguzdzf6k3vp2a

Cross Site Scripting: Detection Approaches in Web Application

Abdalla Wasef, Zarul Fitri
2016 International Journal of Advanced Computer Science and Applications  
XSS can be considered one of the most common types of threat to web application security.  ...  Thus, security vulnerabilities lead to various types of attacks on web applications. Amongst these is Cross Site Scripting, also known as XSS.  ...  The data-flow analysis approach is deployed to gather data-flow information from the source code; static taint analysis is a special case of this type of analysis.  ... 
doi:10.14569/ijacsa.2016.071021 fatcat:kzwxlkshifbdvaclcknei6ffzq

POSTER: CRYPTSERVER

Zhaofeng Chen, Xinshu Dong, Prateek Saxena, Zhenkai Liang
2013 Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security - CCS '13  
Modern web applications store sensitive data on their servers. Such data is prone to theft resulting from exploits against vulnerabilities in the server software stacks.  ...  As a step towards making this approach practical, we develop an assistance tool to identify the portion of server-side logic that requires computation over sensitive data.  ...  [Evaluation table: per application, number of pages, PSLs vs. total, constant/static PSLs, unique PSLs vs. names of sensitive fields with PSLs, and operation arguments.]  ... 
doi:10.1145/2508859.2512525 dblp:conf/ccs/ChenDSL13 fatcat:q6bge5oelfcl7pfmary54ae6ki

Security Wrappers for Information-Flow Control in Active Object Languages with Futures [article]

Farzane Karami, Olaf Owe, Gerardo Schneider
2020 arXiv   pre-print
The security policies of a wrapper are formalized based on a notion of security levels.  ...  At run-time, future components will be wrapped upon need, while only objects of unsafe classes will be wrapped, using static checking to limit the number of unsafe classes and thereby reducing run-time  ...  Dynamic vs. static flow-sensitive security analysis. In Computer Security Foundations Symposium (CSF), 2010 23rd IEEE, pages 186-199. IEEE, 2010. 20. Andrei Sabelfeld and Andrew C Myers.  ... 
arXiv:2002.10900v1 fatcat:jhvm4tnkkvfjresc2ehwe42q4m

JSFlow

Daniel Hedin, Arnar Birgisson, Luciano Bello, Andrei Sabelfeld
2014 Proceedings of the 29th Annual ACM Symposium on Applied Computing - SAC '14  
This paper presents JSFlow, a security-enhanced JavaScript interpreter for fine-grained tracking of information flow.  ...  We find that different sites intended to provide similar services effectuate rather different security policies for the user's sensitive information: some ensure it does not leave the browser, others share  ...  Arnar Birgisson is a recipient of the Google Europe Fellowship in Computer Security, and this research is supported in part by this Google Fellowship.  ... 
doi:10.1145/2554850.2554909 dblp:conf/sac/HedinBBS14 fatcat:ldqgkcivkzg6lp2rt62ihk7fza