A sound type system for secure flow analysis
Journal of Computer Security
Certification of programs for secure information flow
Communications of the ACM
SAS '99 Proceedings of the 6th International Symposium on Static Analysis
Eliminating Covert Flows with Minimum Typings
CSFW '97 Proceedings of the 10th IEEE workshop on Computer Security Foundations
High Integrity Software: The SPARK Approach to Safety and Security
High Integrity Software: The SPARK Approach to Safety and Security
Securing web application code by static analysis and runtime protection
Proceedings of the 13th international conference on World Wide Web
Enforcing security and safety models with an information flow analysis tool
Proceedings of the 2004 annual ACM SIGAda international conference on Ada: The engineering of correct and reliable software for real-time & distributed systems using Ada and related technologies
On flow-sensitive security types
Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Dynamic Dependency Monitoring to Secure Information Flow
CSF '07 Proceedings of the 20th IEEE Computer Security Foundations Symposium
Automaton-based Confidentiality Monitoring of Concurrent Programs
CSF '07 Proceedings of the 20th IEEE Computer Security Foundations Symposium
Expressive Declassification Policies and Modular Static Enforcement
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
On the Limits of Information Flow Techniques for Malware Analysis and Containment
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Termination-Insensitive Noninterference Leaks More Than Just a Bit
ESORICS '08 Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security
Secure Information Flow as a Safety Property
Formal Aspects in Security and Trust
Tight Enforcement of Information-Release Policies for Dynamic Languages
CSF '09 Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium
Securing Timeout Instructions in Web Applications
CSF '09 Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium
Automata-based confidentiality monitoring
ASIAN'06 Proceedings of the 11th Asian computing science conference on Advances in computer science: secure software and related issues
Provably correct runtime enforcement of non-interference properties
ICICS'06 Proceedings of the 8th international conference on Information and Communications Security
Language-based information-flow security
IEEE Journal on Selected Areas in Communications
Permissive dynamic information flow analysis
PLAS '10 Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security
Information flow enforcement in monadic libraries
Proceedings of the 7th ACM SIGPLAN workshop on Types in language design and implementation
Flexible dynamic information flow control in Haskell
Proceedings of the 4th ACM symposium on Haskell
Information flow analysis for javascript
Proceedings of the 1st ACM SIGPLAN international workshop on Programming language and systems technologies for internet clients
Limiting information leakage in event-based communication
Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security
Capabilities for information flow
Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security
Decentralized delimited release
APLAS'11 Proceedings of the 9th Asian conference on Programming Languages and Systems
Runtime enforcement of information flow security in tree manipulating processes
ESSoS'12 Proceedings of the 4th international conference on Engineering Secure Software and Systems
A taint mode for python via a library
NordSec'10 Proceedings of the 15th Nordic conference on Information Security Technology for Applications
Addressing covert termination and timing channels in concurrent information flow systems
Proceedings of the 17th ACM SIGPLAN international conference on Functional programming
On-the-Fly inlining of dynamic dependency monitors for secure information flow
FAST'11 Proceedings of the 8th international conference on Formal Aspects of Security and Trust
Secure multi-execution through static program transformation
FMOODS'12/FORTE'12 Proceedings of the 14th joint IFIP WG 6.1 international conference and Proceedings of the 32nd IFIP WG 6.1 international conference on Formal Techniques for Distributed Systems
Monitoring temporal information flow
ISoLA'12 Proceedings of the 5th international conference on Leveraging Applications of Formal Methods, Verification and Validation: technologies for mastering change - Volume Part I
Position paper: Sapper -- a language for provable hardware policy enforcement
Proceedings of the Eighth ACM SIGPLAN workshop on Programming languages and analysis for security
Testing noninterference, quickly
Proceedings of the 18th ACM SIGPLAN international conference on Functional programming
A verified information-flow architecture
Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
| Hi-index | 0.00 |
Historically, dynamic techniques are the pioneers of the area of information flow in the 70's. In their seminal work, Denning and Denning suggest a static alternative for information-flow analysis. Following this work, the 90's see the domination of static techniques for information flow. The common wisdom appears to be that dynamic approaches are not a good match for security since monitoring a single path misses public side effects that could have happened in other paths. Dynamic techniques for information flow are on the rise again, driven by the need for permissiveness in today's dynamic applications. But they still involve nontrivial static checks for leaks related to control flow. This paper demonstrates that it is possible for a purely dynamic enforcement to be as secure as Denning-style static information-flow analysis, despite the common wisdom. We do have the trade-off that static techniques have benefits of reducing runtime overhead, and dynamic techniques have the benefits of permissiveness (this, for example, is of particular importance in dynamic applications, where freshly generated code is evaluated). But on the security side, we show for a simple imperative language that both Denning-style analysis and dynamic enforcement have the same assurance: termination-insensitive noninterference.