DOI: 10.1007/978-3-540-89862-7_4

Implicit Flows: Can't Live with 'Em, Can't Live without 'Em

Published: 16 December 2008

Abstract

Verifying that programs trusted to enforce security actually do so is a practical concern for programmers and administrators. However, there is a disconnect between the kinds of tools that have been successfully applied to real software systems (such as taint mode in Perl and Ruby), and information-flow compilers that enforce a variant of the stronger security property of noninterference. Tools that have been successfully used to find security violations have focused on explicit flows of information, where high-security information is directly leaked to output. Analysis tools that enforce noninterference also prevent implicit flows of information, where high-security information can be inferred from a program's flow of control. However, these tools have seen little use in practice, despite the stronger guarantees that they provide.

To better understand why, this paper experimentally investigates the explicit and implicit flows identified by the standard algorithm for establishing noninterference. When applied to implementations of authentication and cryptographic functions, the standard algorithm discovers many real implicit flows of information, but also reports an extremely high number of false alarms, most of which are due to conservative handling of unchecked exceptions (e.g., null pointer exceptions). After a careful analysis of all sources of true and false alarms, due to both implicit and explicit flows, the paper concludes with some ideas to improve the false alarm rate, toward making stronger security analysis more practical.
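The three kinds of alarm the abstract distinguishes (an explicit flow, a real implicit flow through a branch on a secret, and a conservative alarm caused by a possible unchecked exception) can be seen in a toy version of the standard pc-label algorithm. The checker below is an added illustration written for this page, not the paper's tool or its experimental code; the mini-language, the FlowChecker class, the "declared label" convention and the nonnull input (standing in for facts a separate nullness analysis would supply) are all constructed here. It labels data L (low, public) or H (high, secret), raises the program-counter label inside branches on high conditions, and, when a high reference is dereferenced without being known non-null, treats everything after the dereference as control-dependent on the secret, because an uncaught NullPointerException would reveal whether the secret was null.

```python
from collections import namedtuple

LOW, HIGH = "L", "H"


def join(*labels):
    """Least upper bound in the two-point lattice L < H."""
    return HIGH if HIGH in labels else LOW


# Mini-language (constructed for this example).  In expressions a plain str
# is a variable name, Const a literal, Eq a comparison.
Const = namedtuple("Const", "value")
Eq = namedtuple("Eq", "left right")
Assign = namedtuple("Assign", "target expr")   # target = expr
Deref = namedtuple("Deref", "target obj")      # target = obj.f ; NPE if obj is null
If = namedtuple("If", "cond then orelse")
Output = namedtuple("Output", "expr")          # write expr to the public (LOW) channel


class FlowChecker:
    """declared: variable -> declared label (unlisted locals are inferred).
    nonnull: variables a separate nullness analysis (hypothetical here) has
    proven non-null, so dereferencing them cannot throw."""

    def __init__(self, declared, nonnull=()):
        self.declared = dict(declared)
        self.env = dict(declared)   # current label of each variable
        self.nonnull = set(nonnull)
        self.exc = LOW              # label of "an exception may have escaped"
        self.alarms = []

    def label_of(self, e):
        if isinstance(e, Const):
            return LOW
        if isinstance(e, str):
            return self.env.get(e, LOW)
        if isinstance(e, Eq):
            return join(self.label_of(e.left), self.label_of(e.right))
        raise TypeError(f"unknown expression {e!r}")

    def sink(self, where, data, pc):
        """Record a flow of `data` into a LOW sink; pc and exc are the context."""
        if data == HIGH:
            self.alarms.append(("explicit", where))
        elif pc == HIGH:
            self.alarms.append(("implicit", where))
        elif self.exc == HIGH:
            self.alarms.append(("implicit-exception", where))

    def assign(self, target, data, pc, ctx):
        if self.declared.get(target) == LOW:
            self.sink(f"assign {target}", data, pc)
        else:
            self.env[target] = join(data, ctx)

    def check(self, stmts, pc=LOW):
        """pc is the join of the enclosing branch conditions (structural only)."""
        for s in stmts:
            ctx = join(pc, self.exc)  # code after a possible throw depends on it
            if isinstance(s, Assign):
                self.assign(s.target, self.label_of(s.expr), pc, ctx)
            elif isinstance(s, Deref):
                obj = self.env.get(s.obj, LOW)
                if s.obj not in self.nonnull:
                    # Continuing past here depends on obj being non-null, a
                    # fact as secret as obj itself: the conservative rule.
                    self.exc = join(self.exc, obj, ctx)
                self.assign(s.target, obj, pc, ctx)
            elif isinstance(s, If):
                inner = join(self.label_of(s.cond), pc)
                self.check(s.then, inner)
                self.check(s.orelse, inner)
            elif isinstance(s, Output):
                self.sink("output", self.label_of(s.expr), pc)
            else:
                raise TypeError(f"unknown statement {s!r}")
        return self.alarms


def password_check():
    """Authentication: branching on the secret and assigning a LOW variable
    is a real implicit flow (one bit per guess); the debug line after it is
    an explicit flow."""
    prog = [
        If(Eq("guess", "password"),
           [Assign("ok", Const(True))], [Assign("ok", Const(False))]),
        Output("ok"),
        Output("password"),
    ]
    return FlowChecker({"guess": LOW, "password": HIGH, "ok": LOW}).check(prog)


def exception_alarm(nonnull=()):
    """Dereferencing a secret reference may throw an unchecked NPE, so the
    standard rule makes every later statement depend on the secret.  With
    nonnull=("key",) the same program raises no alarm."""
    prog = [Deref("n", "key"), Output(Const("done"))]  # n = key.length; public log line
    return FlowChecker({"key": HIGH}, nonnull=nonnull).check(prog)
```

For the login program the checker reports two implicit alarms (the assignments to ok inside the high branch) and one explicit alarm (the debug output of password); the first pair is the kind of implicit flow a taint-mode tool would miss. For the dereference program it reports one implicit-exception alarm even though only a constant is printed: nothing secret reaches the output, but under the conservative rule the mere possibility of an uncaught NullPointerException makes the output control-dependent on the secret. Supplying the fact that key is never null (nonnull=("key",)) removes that alarm, which is one way such exception-induced reports can be discharged.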

Published In

ICISS '08: Proceedings of the 4th International Conference on Information Systems Security
December 2008, 305 pages
ISBN: 9783540898610
Editors: R. Sekar, Arun K. Pujari
Publisher: Springer-Verlag, Berlin, Heidelberg

Cited By

  • (2024) Precisely Extracting Complex Variable Values from Android Apps. ACM Transactions on Software Engineering and Methodology 33(5), 1-56. doi:10.1145/3649591 (online 4 Jun 2024)
  • (2024) Cross-Language Taint Analysis: Generating Caller-Sensitive Native Code Specification for Java. IEEE Transactions on Software Engineering 50(6), 1518-1533. doi:10.1109/TSE.2024.3392254 (online 27 May 2024)
  • (2023) Splice: Efficiently Removing a User's Data from In-memory Application State. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2989-3002. doi:10.1145/3576915.3623070 (online 15 Nov 2023)
  • (2021) A Practical Approach for Dynamic Taint Tracking with Control-flow Relationships. ACM Transactions on Software Engineering and Methodology 31(2), 1-43. doi:10.1145/3485464 (online 24 Dec 2021)
  • (2021) The impact of tool configuration spaces on the evaluation of configurable taint analysis for Android. Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, 466-477. doi:10.1145/3460319.3464823 (online 11 Jul 2021)
  • (2019) An Empirical Study of Information Flows in Real-World JavaScript. Proceedings of the 14th ACM SIGSAC Workshop on Programming Languages and Analysis for Security, 45-59. doi:10.1145/3338504.3357339 (online 15 Nov 2019)
  • (2019) LWeb: information flow security for multi-tier web applications. Proceedings of the ACM on Programming Languages 3(POPL), 1-30. doi:10.1145/3290388 (online 2 Jan 2019)
  • (2019) Performance-boosting sparsification of the IFDS algorithm with applications to taint analysis. Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering, 267-279. doi:10.1109/ASE.2019.00034 (online 10 Nov 2019)
  • (2018) Prudent Design Principles for Information Flow Control. Proceedings of the 13th Workshop on Programming Languages and Analysis for Security, 17-23. doi:10.1145/3264820.3264824 (online 15 Oct 2018)
  • (2017) Multiple Facets for Dynamic Information Flow with Exceptions. ACM Transactions on Programming Languages and Systems 39(3), 1-56. doi:10.1145/3024086 (online 10 May 2017)
