Current approaches to security policy monitoring are based on linear control flow constraints such as 'runQuery' may be evaluated only after 'sanitize'. However, realistic security policies must be able to conveniently capture data flow constraints as well. An example is a policy stating that arguments to the function 'runQuery' must be either constants, outputs of a function 'sanitize', or concatenations of any such values. We present a novel approach to security policy monitoring that uses tree automata to capture constraints on the way data is processed along an execution. We present a λ-calculus based model of the framework, investigate some of the model's meta-properties, and show how it can be implemented using labels corresponding to automaton states to reflect the computational histories of each data item. We show how a standard denotational semantics induces the expected monitoring regime on a simple "while" language. Finally, we implement the framework for the Dalvik VM using TaintDroid as the underlying data flow tracking mechanism, and evaluate its functionality and performance on five case studies.
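The 'runQuery' policy from the abstract, sketched as an added example (not the paper's implementation): each value carries a label that is the state a bottom-up tree automaton reaches on the term that produced it, and 'runQuery' checks that label. The two-state automaton, the helper names other than 'sanitize' and 'runQuery', and the placeholder escaping are assumptions made for illustration.

```python
from dataclasses import dataclass

OK, RAW = "ok", "raw"  # automaton states (assumed two-state automaton)

def delta(op, child_states):
    """Bottom-up transition: operation plus child states -> state."""
    if op in ("const", "sanitize"):
        return OK  # constants and sanitizer outputs are always acceptable
    if op == "concat":
        return OK if all(s == OK for s in child_states) else RAW
    return RAW  # external input and any unknown operation

@dataclass(frozen=True)
class Labeled:
    value: str
    state: str  # label recording the data item's computational history

def const(s):
    return Labeled(s, delta("const", ()))

def user_input(s):
    return Labeled(s, delta("input", ()))

def sanitize(x):
    # Placeholder escaping (assumption); stands in for the real sanitizer.
    return Labeled(x.value.replace("'", "''"), delta("sanitize", (x.state,)))

def concat(a, b):
    return Labeled(a.value + b.value, delta("concat", (a.state, b.state)))

class PolicyViolation(Exception):
    pass

def allowed(q):
    return q.state == OK  # OK is the only accepting state

def runQuery(q):
    if not allowed(q):
        raise PolicyViolation("runQuery argument has unsanitized history")
    return q.value  # a real monitor would hand the string to the database

if __name__ == "__main__":
    name = user_input("o'brien")  # constructed sample input
    sanitize(name)  # sanitize was called, but its result is discarded
    try:
        runQuery(concat(const("SELECT * FROM t WHERE n='"), name))
    except PolicyViolation as e:
        print("blocked:", e)
```

The `__main__` case is one that a control-flow rule "runQuery only after sanitize" would accept, because 'sanitize' did run first; the data-flow label rejects it because the value reaching 'runQuery' was never sanitized.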