Explicit Secrecy: A Policy for Taint Tracking

Daniel Schoepe, Musard Balliu, Benjamin C. Pierce, Andrei Sabelfeld
2016 2016 IEEE European Symposium on Security and Privacy (EuroS&P)  
We propose explicit secrecy, a generic framework capturing the essence of explicit flows, i.e., the data flows tracked by tainting.  ...  To further understanding of what is achieved by taint tracking tools, both dynamic and static, we obtain soundness results with respect to explicit secrecy for the tainting engine cores of a collection  ...  Static Analysis for Taint Tracking Lastly, we present a static analysis for enforcing explicit secrecy for imperative programs with a heap.  ... 
doi:10.1109/eurosp.2016.14 dblp:conf/eurosp/SchoepeBPS16 fatcat:cgiie4alujc7pdgn2arxocdvw4

Making information flow explicit in HiStar

Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières
2011 Communications of the ACM  
HiStar is a new operating system designed to minimize the amount of code that must be trusted.  ...  HiStar provides strict information flow control, which allows users to specify precise data security policies without unduly limiting the structure of applications.  ...  ACKNOWLEDGMENTS We thank Hector Garcia-Molina, Michael Freedman, Ramesh Chandra, Constantine Sapuntzakis, Jim Chow, the anonymous reviewers, and our shepherd, Rob Pike, for their feedback.  ... 
doi:10.1145/2018396.2018419 fatcat:cfyia3pesnesthcyxvgvigtiwq

Secrecy Despite Compromise: Types, Cryptography, and the Pi-Calculus [chapter]

Andrew D. Gordon, Alan Jeffrey
2005 Lecture Notes in Computer Science  
Checking Conditional Secrecy by Typing Our main technical contribution is the first system of secrecy types for a process calculus that supports multiple, dynamically generated security levels, together  ...  A realistic threat model for cryptographic protocols or for language-based security should include a dynamically growing population of principals (or security levels), some of which may be compromised,  ...  Thanks also to Tony Hoare and the anonymous reviewers for useful comments.  ... 
doi:10.1007/11539452_17 fatcat:s4x4nhbsgbd7pp4jslqyjptite

Against Secrecy: The Social Cost of International Dispute Settlement

Emilie Marie Hafner-Burton, Sergio Puig, David G. Victor
2017 Social Science Research Network  
purposes. Overall, in the domestic context, the assessment and balancing of policy goals for and against secrecy has led to something akin to a presumption for the openness of settlements.  ...  we believe that, for investors, the incentives for secrecy will depend on why the firm is filing a case.  ... 
doi:10.2139/ssrn.2720706 fatcat:chuzcyo4hjdabasczlrcpqcqem

Scientific Secrecy and 'Spin': The Sad, Sleazy Saga of the Trials of Remune

Susan Haack
2005 Social Science Research Network  
The authors of a national survey concluded that "academic institutions rarely ensure that their investigators have full participation in the design of the trials, unimpeded access to trial data, and the  ...  a product (or a policy); for such pressure damages the fragile social mechanisms that sustain the scientific ethos of honest investigation and encourage the free exchange of ideas and information.  ...  scientific findings being kept secret; I shall also set aside questions about journals' financial-disclosure policies, since, desirable as they are, such policies cannot by themselves prevent industry  ... 
doi:10.2139/ssrn.692042 fatcat:6vy7zfpmanf2ndrcadz56uzdwq

We Are Family: Relating Information-Flow Trackers [chapter]

Musard Balliu, Daniel Schoepe, Andrei Sabelfeld
2017 Lecture Notes in Computer Science  
This paper proposes a framework for exploring the middle ground in the range of enforcement from tainting (tracking data flows only) to fully-fledged information-flow control (tracking both data and control  ...  tainting techniques, useful for bug finding yet lacking formal assurance.  ...  Information-Flow Policies Contrasting noninterference [28], Volpano [57] introduces weak secrecy, a security condition for taint tracking.  ... 
doi:10.1007/978-3-319-66402-6_9 fatcat:rntfzahwurdnpotvcyqagvxyvq

Let's Face It: Faceted Values for Taint Tracking [chapter]

Daniel Schoepe, Musard Balliu, Frank Piessens, Andrei Sabelfeld
2016 Lecture Notes in Computer Science  
We present a general framework and establish its soundness with respect to explicit secrecy, a policy for preventing insecure data leaks, and its precision showing that runs of secure programs are never  ...  Precision of taint tracking is key for its success in practice: being a vulnerability analysis, false positives must be low for the analysis to be practical.  ...  Re-purposing faceted values to track explicit flows results in a powerful mechanism for a policy that the original faceted values were not intended for: explicit secrecy [33], a policy that captures  ... 
doi:10.1007/978-3-319-45744-4_28 fatcat:jscyfz6j2jal3fp5ayjy5mq75i

Improving Automated Symbolic Analysis of Ballot Secrecy for E-Voting Protocols: A Method Based on Sufficient Conditions

Lucca Hirschi, Cas Cremers
2019 2019 IEEE European Symposium on Security and Privacy (EuroS&P)  
We advance the state-of-the-art in automated symbolic analysis of ballot secrecy for e-voting protocols by proposing a method based on analysing three conditions that together imply ballot secrecy.  ...  E.g., for the LEE protocol, we obtain a speedup of over two orders of magnitude.  ...  They show that proving ballot secrecy for some specific finite-scenarios implies ballot secrecy for the general, unbounded case.  ... 
doi:10.1109/eurosp.2019.00052 dblp:conf/eurosp/HirschiC19 fatcat:iu5ewkotnnfhbi3znfskxpxzky

Information Flow Control for Secure Cloud Computing

Jean Bacon, David Eyers, Thomas F. J.-M. Pasquier, Jatinder Singh, Ioannis Papagiannis, Peter Pietzuch
2014 IEEE Transactions on Network and Service Management  
As a result, there is potential for decentralised IFC to achieve better cloud security than is available today.  ...  In this paper we describe the properties of cloud computing, Platform-as-a-Service clouds in particular, and review a range of IFC models and implementations to identify opportunities for using IFC within  ...  Runtime taint tracking is a simple technique for developers to understand and use.  ... 
doi:10.1109/tnsm.2013.122313.130423 fatcat:oczijxwkfvdtrgar6nvab4ypem

LUCON: Data Flow Control for Message-Based IoT Systems [article]

Julian Schütte, Gerd Stefan Brost
2018 arXiv   pre-print
Policy enforcement is based on a dynamic taint analysis at runtime and an upfront static verification of message routes against policies.  ...  In this paper, we introduce LUCON, a data-centric security policy framework for distributed systems that considers data flows by controlling how messages may be routed across services and how they are  ...  ACKNOWLEDGEMENT This work has been funded by the Federal Ministry for Economic Affairs and Energy (BMWi) in the project CAR-BITS (01MD16004B).  ... 
arXiv:1805.05887v1 fatcat:cxr4dihyifbbxdmgdssr3tasfy

In-Depth Enforcement of Dynamic Integrity Taint Analysis

Sepehr Amir-Mohammadian, Christian Skalka
2016 Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security - PLAS'16  
We then use this policy to establish correctness conditions for a program rewriting algorithm that instruments code for the analysis.  ...  We develop a model of dynamic integrity taint analysis for Java that addresses imperfect sanitization with an in-depth approach.  ...  [22] define a general model for runtime enforcement of policies using taint tracking for an intermediate language.  ... 
doi:10.1145/2993600.2993610 dblp:conf/ccs/Amir-Mohammadian16 fatcat:cgj2cxbxrrezjmol4lffgyfdry

SpanDex: Secure Password Tracking for Android

Landon P. Cox, Peter Gilbert, Geoffrey Lawler, Valentin Pistol, Ali Razeen, Bi Wu, Sai Cheemalapati
2014 USENIX Security Symposium  
Experiments with a SpanDex prototype using 50 popular Android apps and an analysis of a large list of leaked passwords predicts that for 90% of users, an attacker would need over 80 login attempts to guess  ...  Today the same attacker would need only one attempt for all users.  ...  Acknowledgements We would like to thank the anonymous reviewers for their helpful comments.  ... 
dblp:conf/uss/CoxGLPRWC14 fatcat:5tzgnojk65hvvkzwb2y2eqeyke

Practical DIFC Enforcement on Android

Adwait Nadkarni, Benjamin Andow, William Enck, Somesh Jha
2016 USENIX Security Symposium  
A natural solution is the integration of secrecy guarantees into the OS. In this paper, we describe the challenges for decentralized information flow control (DIFC) enforcement on Android.  ...  The fundamental lack of secrecy guarantees in smartphone OSes, such as Android, exposes this data to the risk of unauthorized exfiltration.  ...  Fine-grained Taint Tracking on Android: TaintDroid [13] detects private data leaks via fine-grained taint tracking on Android, but is vulnerable to implicit flows.  ... 
dblp:conf/uss/NadkarniAEJ16 fatcat:duua7m72jrf2xdadafh4gefpna

Middleware-based Security for Hyperconnected Applications in Future In-Car Networks

Alexandre Bouard, Dennis Burgkhardt, Claudia Eckert
2013 EAI Endorsed Transactions on Mobile Communications and Applications  
In addition, today's automotive applications are mostly developed for a specific platform and for a precise car model.  ...  At a functional level, limited communications technologies (e.g., Controller area network (CAN),  ...  A lack of input validation of some ECUs allows to bypass authentication  ...  Taint sinks are programs and memory locations, where the presence of a taint is checked and where a policy may be enforced.  ... 
doi:10.4108/mca.1.3.e7 fatcat:3ap33miyb5bkvhmx5rsp5pm2te

Practical Fine-Grained Information Flow Control Using Laminar

Donald E. Porter, Michael D. Bond, Indrajit Roy, Kathryn S. Mckinley, Emmett Witchel
2014 ACM Transactions on Programming Languages and Systems  
Programmers express security policies by labeling data with secrecy and integrity labels and access the labeled data in security methods.  ...  Decentralized Information Flow Control (DIFC) is a promising model for writing programs with powerful, end-to-end security guarantees.  ...  ACKNOWLEDGMENTS We thank the anonymous reviewers, David Mazières, Eddie Kohler, Maxwell Krohn, and Nickolai Zeldovich for their feedback on earlier drafts of this document.  ... 
doi:10.1145/2638548 fatcat:rwjvwxuxs5d53d6v2e2dti6hke