JFlow: practical mostly-static information flow control
Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Protecting privacy using the decentralized label model
ACM Transactions on Software Engineering and Methodology (TOSEM)
Secure Information Flow and CPS
ESOP '01 Proceedings of the 10th European Symposium on Programming Languages and Systems
Secure Information Flow and Pointer Confinement in a Java-like Language
CSFW '02 Proceedings of the 15th IEEE workshop on Computer Security Foundations
Secure program execution via dynamic information flow tracking
ASPLOS XI Proceedings of the 11th international conference on Architectural support for programming languages and operating systems
Practical Information-flow Control in Web-Based Information Systems
CSFW '05 Proceedings of the 18th IEEE workshop on Computer Security Foundations
Dynamic Taint Propagation for Java
ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Flow-insensitive type qualifiers
ACM Transactions on Programming Languages and Systems (TOPLAS)
Remote timing attacks are practical
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Finding security vulnerabilities in java applications with static analysis
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Dynamic multi-process information flow tracking for web application security
Proceedings of the 2007 ACM/IFIP/USENIX international conference on Middleware companion
Fable: A Language for Enforcing User-defined Security Policies
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Pointless tainting?: evaluating the practicality of pointer tainting
Proceedings of the 4th ACM European conference on Computer systems
Cross-tier, label-based security enforcement for web applications
Proceedings of the 2009 ACM SIGMOD International Conference on Management of data
Improving application security with data flow assertions
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
DBTaint: cross-application information flow tracking via databases
WebApps'10 Proceedings of the 2010 USENIX conference on Web application development
Proceedings of the 17th ACM conference on Computer and communications security
TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones
OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
Taint-exchange: a generic system for cross-process and cross-host taint tracking
IWSEC'11 Proceedings of the 6th International conference on Advances in information and computer security
Self-certification: bootstrapping certified typecheckers in F* with Coq
POPL '12 Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Enforcing stateful authorization and information flow policies in fine
ESOP'10 Proceedings of the 19th European conference on Programming Languages and Systems
Minemu: the world's fastest taint tracker
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
| Hi-index | 0.00 |
The popularity of web applications, coupled with the data they operate on, makes them prime targets for hackers that want to misuse them. To make matters worse, a lot of these applications, have not been implemented with security in mind, while refactoring an existing, large web application to implement a security or privacy policy is prohibitively difficult. This paper presents LabelFlow, an extension of PHP that simplifies implementation of security policies in web applications. To enforce a policy, LabelFlow tracks the propagation of information throughout the application, transparently and efficiently, both in the PHP runtime and through persistent storage. We provide strong theoretical guarantees for the policy enforcement in LabelFlow; we define its semantics for a simple calculus and prove that it protects against information leaks. We used LabelFlow to add and enforce access control policies in three popular real-world large scale web applications: MediaWiki, Wordpress and OpenCart. LabelFlow requires minimal code changes of 50--100 lines of code per application, while incurring little execution overhead of up to 5.6% at worst.