Authentication in distributed systems: theory and practice
SOSP '91 Proceedings of the thirteenth ACM symposium on Operating systems principles
JFlow: practical mostly-static information flow control
Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Proceedings of the 27th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Information flow inference for free
ICFP '00 Proceedings of the fifth ACM SIGPLAN international conference on Functional programming
Certification of programs for secure information flow
Communications of the ACM
Protecting privacy using the decentralized label model
ACM Transactions on Software Engineering and Methodology (TOSEM)
JML (poster session): notations and tools supporting detailed design in Java
OOPSLA '00 Addendum to the 2000 proceedings of the conference on Object-oriented programming, systems, languages, and applications (Addendum)
Information flow inference for ML
POPL '02 Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
A Type-Based Approach to Program Security
TAPSOFT '97 Proceedings of the 7th International Joint Conference CAAP/FASE on Theory and Practice of Software Development
Integrating Flexible Support for Security Policies into the Linux Operating System
Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference
High Integrity Software: The SPARK Approach to Safety and Security
High Integrity Software: The SPARK Approach to Safety and Security
A New Type System for Secure Information Flow
CSFW '01 Proceedings of the 14th IEEE workshop on Computer Security Foundations
CSFW '01 Proceedings of the 14th IEEE workshop on Computer Security Foundations
Terra: a virtual machine-based platform for trusted computing
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Securing web application code by static analysis and runtime protection
Proceedings of the 13th international conference on World Wide Web
Enforcing Robust Declassification
CSFW '04 Proceedings of the 17th IEEE workshop on Computer Security Foundations
Practical Information-flow Control in Web-Based Information Systems
CSFW '05 Proceedings of the 18th IEEE workshop on Computer Security Foundations
Dimensions and Principles of Declassification
CSFW '05 Proceedings of the 18th IEEE workshop on Computer Security Foundations
Labels and event processes in the asbestos operating system
Proceedings of the twentieth ACM symposium on Operating systems principles
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks
Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
20th ACM Symposium on Operating Systems Principles
Proceedings of the twentieth ACM symposium on Operating systems principles
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Managing Policy Updates in Security-Typed Languages
CSFW '06 Proceedings of the 19th IEEE workshop on Computer Security Foundations
CSFW '06 Proceedings of the 19th IEEE workshop on Computer Security Foundations
A Framework for Building Privacy-Conscious Composite Web Services
ICWS '06 Proceedings of the IEEE International Conference on Web Services
ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
A General Dynamic Information Flow Tracking Framework for Security Applications
ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Processes in KaffeOS: isolation, resource management, and sharing in java
OSDI'00 Proceedings of the 4th conference on Symposium on Operating System Design & Implementation - Volume 4
Finding security vulnerabilities in java applications with static analysis
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Static detection of security vulnerabilities in scripting languages
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Implementing multiple protection domains in java
ATEC '98 Proceedings of the annual conference on USENIX Annual Technical Conference
A design for a security-typed language with certificate-based declassification
ESOP'05 Proceedings of the 14th European conference on Programming Languages and Systems
Security-typed languages for implementation of cryptographic protocols: a case study
ESORICS'05 Proceedings of the 10th European conference on Research in Computer Security
Language-based information-flow security
IEEE Journal on Selected Areas in Communications
Secure web applications via automatic partitioning
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Information flow control for standard OS abstractions
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Manageable fine-grained information flow
Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008
Effective blame for information-flow violations
Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of software engineering
Privacy-preserving browser-side scripting with BFlow
Proceedings of the 4th ACM European conference on Computer systems
Cross-tier, label-based security enforcement for web applications
Proceedings of the 2009 ACM SIGMOD International Conference on Management of data
Improving application security with data flow assertions
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
Fabric: a platform for secure distributed computation and storage
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
Ripley: automatically securing web 2.0 applications through replicated execution
Proceedings of the 16th ACM conference on Computer and communications security
Neon: system support for derived data management
Proceedings of the 6th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Fine-grained privilege separation for web applications
Proceedings of the 19th international conference on World wide web
Content cloaking: preserving privacy with Google Docs and other web applications
Proceedings of the 2010 ACM Symposium on Applied Computing
Tracking information flow in dynamic tree structures
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
A more precise security type system for dynamic security tests
PLAS '10 Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security
Nemesis: preventing authentication & access control vulnerabilities in web applications
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Dartmouth internet security testbed (DIST: building a campus-wide wireless testbed
CSET'09 Proceedings of the 2nd conference on Cyber security experimentation and test
Retaining sandbox containment despite bugs in privileged memory-safe code
Proceedings of the 17th ACM conference on Computer and communications security
Symbolic security analysis of ruby-on-rails web applications
Proceedings of the 17th ACM conference on Computer and communications security
Enforcing request integrity in web applications
DBSec'10 Proceedings of the 24th annual IFIP WG 11.3 working conference on Data and applications security and privacy
Static checking of dynamically-varying security policies in database-backed applications
OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
Unifying facets of information integrity
ICISS'10 Proceedings of the 6th international conference on Information systems security
Designing and Implementing the OP and OP2 Web Browsers
ACM Transactions on the Web (TWEB)
Automating information flow control in component-based distributed systems
Proceedings of the 14th international ACM Sigsoft symposium on Component based software engineering
Distributed middleware enforcement of event flow security policy
Proceedings of the ACM/IFIP/USENIX 11th International Conference on Middleware
Static detection of access control vulnerabilities in web applications
SEC'11 Proceedings of the 20th USENIX conference on Security
Emerson: accessible scripting for applications in an extensible virtual world
Proceedings of the 10th SIGPLAN symposium on New ideas, new paradigms, and reflections on programming and software
A model of information flow control to determine whether malfunctions cause the privacy invasion
Proceedings of the First Workshop on Measurement, Privacy, and Mobility
Runtime enforcement of information flow security in tree manipulating processes
ESSoS'12 Proceedings of the 4th international conference on Engineering Secure Software and Systems
Scalable integrity-guaranteed AJAX
APWeb'12 Proceedings of the 14th Asia-Pacific international conference on Web Technologies and Applications
SCUTA: a server-side access control system for web applications
Proceedings of the 17th ACM symposium on Access Control Models and Technologies
A multi-tier semantics for Hop
Higher-Order and Symbolic Computation
Abstractions for usable information flow control in Aeolus
USENIX ATC'12 Proceedings of the 2012 USENIX conference on Annual Technical Conference
Enemy of the state: a state-aware black-box web vulnerability scanner
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Hails: protecting data privacy in untrusted web applications
OSDI'12 Proceedings of the 10th USENIX conference on Operating Systems Design and Implementation
Towards fully automatic placement of security sanitizers and declassifiers
POPL '13 Proceedings of the 40th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
WEBLOG: a declarative language for secure web development
Proceedings of the Eighth ACM SIGPLAN workshop on Programming languages and analysis for security
IFDB: decentralized information flow control for databases
Proceedings of the 8th ACM European Conference on Computer Systems
GlassTube: a lightweight approach to web application integrity
Proceedings of the Eighth ACM SIGPLAN workshop on Programming languages and analysis for security
A survey on server-side approaches to securing web applications
ACM Computing Surveys (CSUR)
| Hi-index | 0.00 |
SIF (Servlet Information Flow) is a novel software framework for building high-assurance web applications, using language-based information-flow control to enforce security. Explicit, end-to-end confidentiality and integrity policies can be given either as compile-time program annotations, or as run-time user requirements. Compile-time and run-time checking efficiently enforce these policies. Information flow analysis is known to be useful against SQL injection and cross-site scripting, but SIF prevents inappropriate use of information more generally: the flow of confidential information to clients is controlled, as is the flow of low-integrity information from clients. Expressive policies allow users and application providers to protect information from one another. SIF moves trust out of the web application, and into the framework and compiler. This provides application deployers with stronger security assurance. Language-based information flow promises cheap, strong information security. But until now, it could not effectively enforce information security in highly dynamic applications. To build SIF, we developed new language features that make it possible to write realistic web applications. Increased assurance is obtained with modest enforcement overhead.