基于分阶段元编程的动态类型语言信息流分析

2016 IEEE 29th Computer Security Foundations Symposium (CSF) Pub Date : 2013-06-26 DOI:10.1109/CSF.2013.21

M. Lester, C. Ong, Max Schäfer

{"title":"基于分阶段元编程的动态类型语言信息流分析","authors":"M. Lester, C. Ong, Max Schäfer","doi":"10.1109/CSF.2013.21","DOIUrl":null,"url":null,"abstract":"Web applications written in JavaScript are regularly used for dealing with sensitive or personal data. Consequently, reasoning about their security properties has become an important problem, which is made very difficult by the highly dynamic nature of the language, particularly its support for runtime code generation. As a first step towards dealing with this, we propose to investigate security analyses for languages with more principled forms of dynamic code generation. To this end, we present a static information flow analysis for a dynamically typed functional language with prototype-based inheritance and staged metaprogramming. We prove its soundness, implement it and test it on various examples designed to show its relevance to proving security properties, such as noninterference, in JavaScript. To our knowledge, this is the first fully static information flow analysis for a language with staged metaprogramming, and the first formal soundness proof of a CFA-based information flow analysis for a functional programming language.","PeriodicalId":6500,"journal":{"name":"2016 IEEE 29th Computer Security Foundations Symposium (CSF)","volume":"80 1","pages":"209-223"},"PeriodicalIF":0.0000,"publicationDate":"2013-06-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"Information Flow Analysis for a Dynamically Typed Language with Staged Metaprogramming\",\"authors\":\"M. Lester, C. Ong, Max Schäfer\",\"doi\":\"10.1109/CSF.2013.21\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Web applications written in JavaScript are regularly used for dealing with sensitive or personal data. Consequently, reasoning about their security properties has become an important problem, which is made very difficult by the highly dynamic nature of the language, particularly its support for runtime code generation. As a first step towards dealing with this, we propose to investigate security analyses for languages with more principled forms of dynamic code generation. To this end, we present a static information flow analysis for a dynamically typed functional language with prototype-based inheritance and staged metaprogramming. We prove its soundness, implement it and test it on various examples designed to show its relevance to proving security properties, such as noninterference, in JavaScript. To our knowledge, this is the first fully static information flow analysis for a language with staged metaprogramming, and the first formal soundness proof of a CFA-based information flow analysis for a functional programming language.\",\"PeriodicalId\":6500,\"journal\":{\"name\":\"2016 IEEE 29th Computer Security Foundations Symposium (CSF)\",\"volume\":\"80 1\",\"pages\":\"209-223\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2013-06-26\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2016 IEEE 29th Computer Security Foundations Symposium (CSF)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/CSF.2013.21\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 IEEE 29th Computer Security Foundations Symposium (CSF)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CSF.2013.21","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

摘要

用JavaScript编写的Web应用程序通常用于处理敏感或个人数据。因此，对它们的安全属性进行推理已经成为一个重要的问题，由于该语言的高度动态特性，特别是它对运行时代码生成的支持，使得这一问题变得非常困难。作为解决这个问题的第一步，我们建议研究具有更有原则的动态代码生成形式的语言的安全性分析。为此，我们提出了一种基于原型继承和分阶段元编程的动态类型函数语言的静态信息流分析方法。我们证明了它的合理性，实现了它，并在各种示例上测试了它，这些示例旨在展示它与证明JavaScript中的安全属性(如不干扰)的相关性。据我们所知，这是第一个完全静态的信息流分析，用于有阶段元编程的语言，也是第一个对函数式编程语言的基于cfa的信息流分析的正式可靠证明。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

Information Flow Analysis for a Dynamically Typed Language with Staged Metaprogramming

Web applications written in JavaScript are regularly used for dealing with sensitive or personal data. Consequently, reasoning about their security properties has become an important problem, which is made very difficult by the highly dynamic nature of the language, particularly its support for runtime code generation. As a first step towards dealing with this, we propose to investigate security analyses for languages with more principled forms of dynamic code generation. To this end, we present a static information flow analysis for a dynamically typed functional language with prototype-based inheritance and staged metaprogramming. We prove its soundness, implement it and test it on various examples designed to show its relevance to proving security properties, such as noninterference, in JavaScript. To our knowledge, this is the first fully static information flow analysis for a language with staged metaprogramming, and the first formal soundness proof of a CFA-based information flow analysis for a functional programming language.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2016 IEEE 29th Computer Security Foundations Symposium (CSF)

自引率

0.00%

发文量

期刊最新文献

Axioms for Information Leakage Multi-run Side-Channel Analysis Using Symbolic Execution and Max-SMT sElect: A Lightweight Verifiable Remote Voting System Automated Reasoning for Equivalences in the Applied Pi Calculus with Barriers On Modular and Fully-Abstract Compilation