
ACM Workshop on Programming Languages and Analysis for Security: latest publications

Restricted delegation and revocation in language-based security: (position paper)
Pub Date : 2010-06-10 DOI: 10.1145/1814217.1814222
Doaa Hassan, M. Mousavi, M. Reniers
In this paper, we introduce a notion of restricted revocable delegation and study its consequences in language-based security. In particular, we add this notion by means of delegate and revoke commands to a simple imperative programming language. We then define an operational semantics for our programming language, in the Natural Semantics style of Gilles Kahn. We briefly discuss our initial ideas about the security properties of the semantics, which are extensions of existing variations of the renowned non-interference property, e.g., in the context of delimited information release.
Citations: 3
The case for JavaScript transactions: position paper
Pub Date : 2010-06-10 DOI: 10.1145/1814217.1814223
Mohan Dhawan, Chung-chieh Shan, V. Ganapathy
Modern Web applications combine and use JavaScript-based content from multiple untrusted sources. Without proper isolation, such content can compromise the security and privacy of these Web applications. Prior techniques for isolating untrusted JavaScript code do so by restricting dangerous constructs and inlining security checks into third-party code. This paper presents a new approach that extends the JavaScript language to make isolation a language-level primitive. We propose to extend the language using a new transaction construct that allows a Web application to speculatively execute untrusted code and isolate its changes. The Web application can then inspect these speculative actions and commit them only if they comply with the application's security policies. We discuss use-cases that can benefit from JavaScript support for transactions, present a formalization of JavaScript transactions and conclude with implementation considerations.
Citations: 4
Class properties for security review in an object-capability subset of Java: (short paper)
Pub Date : 2010-06-10 DOI: 10.1145/1814217.1814224
A. Mettler, D. Wagner
Joe-E is a subset of the Java language, with additional restrictions enforced by a static source-code verifier. We explore several semantic properties of classes relating to immutability and object identity that can be declared by the programmer and are checked by the Joe-E verifier. We present the simple, modular analyses we use to verify these properties and describe how they are useful in performing security reviews of applications.
Citations: 11
Attack model for verification of interval security properties for smart card C codes
Pub Date : 2010-06-10 DOI: 10.1145/1814217.1814219
P. Berthomé, K. Heydemann, Xavier Kauffmann-Tourkestansky, Jean-François Lalande
Smart card programs are subject to physical attacks that disturb the execution of the embedded code. These attacks enable attackers to steal valuable information or to force a malicious behavior upon the attacked code. This paper proposes a methodology to check interval security properties on smart card source code. The goal is to identify critical attacks that violate these security properties. The verification takes place at source level and considers all possible attacks, thanks to a proposed source-level model of physical attacks. The paper defines an equivalence relation between attacks and shows that a code can be divided into areas where attacks are equivalent. Thus, verifying an interval security property against all possible attacks requires verifying as many codes as there are equivalence classes. This paper provides a reduction algorithm to define the classes, i.e., the minimal number of attacked codes that covers all possible attacks. The paper also proposes a solution to make the property verification possible for large codes or codes having unknown source parts.
Citations: 12
A weakest precondition approach to active attacks analysis
Pub Date : 2009-06-15 DOI: 10.1145/1554339.1554348
Musard Balliu, Isabella Mastroeni
Information flow controls can be used to protect both data confidentiality and data integrity. The certification of the security degree of a program that runs in untrusted environments still remains an open problem in language-based security. The notion of robustness asserts that an active attacker, who can modify program code at some fixed points (holes), is not able to disclose more private information than a passive attacker, who merely observes public data. In this paper, we extend a method recently proposed for checking declassified non-interference in the presence of passive attackers only, in order to check robustness by means of the weakest precondition semantics. In particular, this semantics simulates the kind of analysis that can be performed by an attacker, i.e., from the public output towards the private input. The choice of the semantics lets us distinguish between different attack models. In this paper, we also introduce relative robustness, a relaxed notion of robustness for restricted classes of attacks.
Citations: 9
Securing nonintrusive web encryption through information flow
Pub Date : 2008-06-07 DOI: 10.1145/1375696.1375712
Lantian Zheng, A. Myers
This paper proposes a nonintrusive encryption mechanism for protecting data confidentiality on the Web. The core idea is to encrypt confidential data before sending it to untrusted sites and use keystores on the Web to manage encryption keys without intervention from users. A formal language-based information flow model is used to prove the soundness of the mechanism.
Citations: 7
Lagrange multipliers and maximum information leakage in different observational models
Pub Date : 2008-06-07 DOI: 10.1145/1375696.1375713
P. Malacaria, Han Chen
This paper explores two fundamental issues in language-based security. The first is to provide a quantitative definition of information leakage valid in several attacker models. We consider attackers with different capabilities: the strongest one is able to observe the value of the low variables at each step during the execution of a program; the weakest one can only observe a single low value at some stage of the execution. We will provide a uniform definition of leakage, based on Information Theory, that will allow us to formalize and prove some intuitive relationships between the amount leaked by the same program in different models. The second issue is Channel Capacity, which in security terms amounts to answering the questions: given a program and an observational model, what is the maximum amount that the program can leak? And which input distribution causes the maximum leakage? To answer those questions we will introduce techniques from constrained non-linear optimization, mainly Lagrange multipliers, and we will show how they provide a workable solution in all observational models considered. In the simplest setting, i.e., under minimal constraints, we will show that channel capacity is achieved by any input distribution which induces a uniform distribution on the observables.
Citations: 81
A security domain model to assess software for exploitable covert channels
Pub Date : 2008-06-07 DOI: 10.1145/1375696.1375703
Alan B. Shaffer, M. Auguston, C. Irvine, T. Levin
Covert channels can result in unauthorized information flows when exploited by malicious software. To address this problem, we present a precise, formal definition for covert channels, which relies on control flow dependency tracing through program execution, and extends Denning's and subsequent classic work in secure information flow [9][40][30]. A formal security Domain Model (DM) for conducting static analysis of programs to identify covert channel vulnerabilities is described. The DM comprises an Invariant Model, which defines the generic concepts of program state, information flow, and covert channel rules; and an Implementation Model, which specifies the behavior of a target program. The DM is compiled from a representation of the program, written in a domain-specific Implementation Modeling Language (IML), and a specification of the security policy written in Alloy. The Alloy Analyzer tool is used to perform static analysis of the DM to automatically detect potential covert channel vulnerabilities and security policy violations in the target program.
Citations: 23
Evaluating the cost reduction of static code analysis for software security
Pub Date : 2008-06-07 DOI: 10.1145/1375696.1375707
D. Baca, B. Carlsson, L. Lundberg
Automated static code analysis is an efficient technique to increase the quality of software during early development. This paper presents a case study in which mature software with known vulnerabilities is subjected to a static analysis tool. The value of the tool is estimated based on reported failures from customers. An average of 17% cost savings would have been possible if the static analysis tool had been used. The tool also had a 30% success rate in detecting known vulnerabilities and at the same time found 59 new vulnerabilities in the three examined products.
Citations: 45
A compiler-based infrastructure for software-protection
Pub Date : 2008-06-07 DOI: 10.1145/1375696.1375702
C. Liem, Y. Gu, H. Johnson
Not long after the introduction of stored-program computing machines, the first high-level language compilers appeared. The need for automatically and efficiently mapping abstract concepts from high-level languages onto low-level assembly languages has been recognized ever since. A compiler has a unique ability to gather and analyze large amounts of data in a manner that would be an unwieldy manual endeavor. It is this property that makes known compiler techniques and technology ideally suited for the purposes of software protection against reverse engineering and tampering attacks. In this paper, we present a code transformation infrastructure combined with build-time security techniques that are used to integrate protection into otherwise vulnerable machine programs. We show the applicability of known compiler techniques such as alias analysis, whole-program analysis, data-flow analysis, and control-flow analysis, and how these capabilities provide the basis for program transformations that provide comprehensive software protection. These methods are incorporated in an extensible framework allowing efficient development of new code transformations, as part of a larger suite of security tools for the creation of robust applications. We describe a number of successful applications of these tools.
Citations: 28
Copyright © 2023 Book学术. All rights reserved.