LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks
Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture
Proceedings of the 2007 ACM symposium on Applied computing
Raksha: a flexible information flow architecture for software security
Proceedings of the 34th annual international symposium on Computer architecture
Sound and precise analysis of web applications for injection vulnerabilities
Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
A Smart Fuzzer for x86 Executables
SESS '07 Proceedings of the Third International Workshop on Software Engineering for Secure Systems
Dytan: a generic dynamic taint analysis framework
Proceedings of the 2007 international symposium on Software testing and analysis
Secure web applications via automatic partitioning
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
An analysis of browser domain-isolation bugs and a light-weight transparent defense mechanism
Proceedings of the 14th ACM conference on Computer and communications security
CANDID: preventing sql injection attacks using dynamic candidate evaluations
Proceedings of the 14th ACM conference on Computer and communications security
Dynamic pharming attacks and locked same-origin policies for web browsers
Proceedings of the 14th ACM conference on Computer and communications security
Understanding and visualizing full systems with data flow tomography
Proceedings of the 13th international conference on Architectural support for programming languages and operating systems
Efficient fine-grained binary instrumentation with applications to taint-tracking
Proceedings of the 6th annual IEEE/ACM international symposium on Code generation and optimization
SIF: enforcing confidentiality and integrity in web applications
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Dynamic taint propagation: Finding vulnerabilities without attacking
Information Security Tech. Report
Quantitative information flow as network flow capacity
Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
Dynamic multi-process information flow tracking for web application security
Proceedings of the 2007 ACM/IFIP/USENIX international conference on Middleware companion
ISCA '08 Proceedings of the 35th Annual International Symposium on Computer Architecture
XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
On the Limits of Information Flow Techniques for Malware Analysis and Containment
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Efficient and extensible security enforcement using dynamic data flow analysis
Proceedings of the 15th ACM conference on Computer and communications security
Building secure web applications with automatic partitioning
Communications of the ACM - Inspiring Women in Computing
Real-world buffer overflow protection for userspace & kernelspace
SS'08 Proceedings of the 17th conference on Security symposium
Complete information flow tracking from the gates up
Proceedings of the 14th international conference on Architectural support for programming languages and operating systems
Static analysis for inference of explicit information flow
Proceedings of the 8th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering
Pointless tainting?: evaluating the practicality of pointer tainting
Proceedings of the 4th ACM European conference on Computer systems
Proceedings of the 41st annual IEEE/ACM International Symposium on Microarchitecture
Testudo: Heavyweight security analysis via statistical sampling
Proceedings of the 41st annual IEEE/ACM International Symposium on Microarchitecture
SQLProb: a proxy-based architecture towards preventing SQL injection attacks
Proceedings of the 2009 ACM symposium on Applied Computing
Go with the flow: profiling copies to find runtime bloat
Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation
Measuring channel capacity to distinguish undue influence
Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security
The user is not the enemy: fighting malware by tracking user intentions
Proceedings of the 2008 workshop on New security paradigms
Information protection via environmental data tethers
NSPW '07 Proceedings of the 2007 Workshop on New Security Paradigms
PIFT: efficient dynamic information flow tracking using secure page allocation
WESS '09 Proceedings of the 4th Workshop on Embedded Systems Security
Finding bugs in exceptional situations of JNI programs
Proceedings of the 16th ACM conference on Computer and communications security
Proceedings of the 2009 ACM workshop on Scalable trusted computing
Efficient character-level taint tracking for Java
Proceedings of the 2009 ACM workshop on Secure web services
Speculation for Parallelizing Runtime Checks
SSS '09 Proceedings of the 11th International Symposium on Stabilization, Safety, and Security of Distributed Systems
DROP: Detecting Return-Oriented Programming Malicious Code
ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
User-input dependence analysis via graph reachability
User-input dependence analysis via graph reachability
CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks
ACM Transactions on Information and System Security (TISSEC)
Alhambra: a system for creating, enforcing, and testing browser security policies
Proceedings of the 19th international conference on World wide web
SpyShield: preserving privacy from spy add-ons
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Strict control dependence and its effect on dynamic information flow analyses
Proceedings of the 19th international symposium on Software testing and analysis
HotSec'09 Proceedings of the 4th USENIX conference on Hot topics in security
Baggy bounds checking: an efficient and backwards-compatible defense against out-of-bounds errors
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
DBTaint: cross-application information flow tracking via databases
WebApps'10 Proceedings of the 2010 USENIX conference on Web application development
xJS: practical XSS prevention for web application development
WebApps'10 Proceedings of the 2010 USENIX conference on Web application development
FIRM: capability-based inline mediation of Flash behaviors
Proceedings of the 26th Annual Computer Security Applications Conference
TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones
OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
WebAppArmor: a framework for robust prevention of attacks on web applications
ICISS'10 Proceedings of the 6th international conference on Information systems security
Strengthening XSRF defenses for legacy web applications using whitebox analysis and transformation
ICISS'10 Proceedings of the 6th international conference on Information systems security
TaintEraser: protecting sensitive data leaks using application-level taint tracking
ACM SIGOPS Operating Systems Review
SessionShield: lightweight protection against session hijacking
ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
Transactions on computational science XI
Do you know where your data are?: secure data capsules for deployable data protection
HotOS'13 Proceedings of the 13th USENIX conference on Hot topics in operating systems
Proceedings of the 38th annual international symposium on Computer architecture
GuardRails: a data-centric web application security framework
WebApps'11 Proceedings of the 2nd USENIX conference on Web application development
PHP Aspis: using partial taint tracking to protect against injection attacks
WebApps'11 Proceedings of the 2nd USENIX conference on Web application development
SIFT: a low-overhead dynamic information flow tracking architecture for SMT processors
Proceedings of the 8th ACM International Conference on Computing Frontiers
Towards client-side HTML security policies
HotSec'11 Proceedings of the 6th USENIX conference on Hot topics in security
Silverline: toward data confidentiality in storage-intensive cloud applications
Proceedings of the 2nd ACM Symposium on Cloud Computing
Preventing web application injections with complementary character coding
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
A systematic analysis of XSS sanitization in web application frameworks
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Combining Discretionary Policy with Mandatory Information Flow in Operating Systems
ACM Transactions on Information and System Security (TISSEC)
Context-sensitive auto-sanitization in web templating languages using type qualifiers
Proceedings of the 18th ACM conference on Computer and communications security
SCRIPTGARD: automatic context-sensitive sanitization for large-scale legacy web applications
Proceedings of the 18th ACM conference on Computer and communications security
Taint-exchange: a generic system for cross-process and cross-host taint tracking
IWSEC'11 Proceedings of the 6th International conference on Advances in information and computer security
Provably correct runtime enforcement of non-interference properties
ICICS'06 Proceedings of the 8th international conference on Information and Communications Security
Defining code-injection attacks
POPL '12 Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Proceedings of the Second Asia-Pacific Workshop on Systems
Dataflow Tomography: Information Flow Tracking For Understanding and Visualizing Full Systems
ACM Transactions on Architecture and Code Optimization (TACO)
libdft: practical dynamic data flow tracking for commodity systems
VEE '12 Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution Environments
Automatically preparing safe SQL queries
FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
Secure code generation for web applications
ESSoS'10 Proceedings of the Second international conference on Engineering Secure Software and Systems
Taint-enhanced anomaly detection
ICISS'11 Proceedings of the 7th international conference on Information Systems Security
Minemu: the world's fastest taint tracker
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Runtime countermeasures for code injection attacks against C and C++ programs
ACM Computing Surveys (CSUR)
Automated code injection prevention for web applications
TOSCA'11 Proceedings of the 2011 international conference on Theory of Security and Applications
SafeWeb: a middleware for securing ruby-based web applications
Middleware'11 Proceedings of the 12th ACM/IFIP/USENIX international conference on Middleware
Proceedings of the Tenth International Symposium on Code Generation and Optimization
Towards a taint mode for cloud computing web applications
Proceedings of the 7th Workshop on Programming Languages and Analysis for Security
Uncovering performance problems in Java applications with reference propagation profiling
Proceedings of the 34th International Conference on Software Engineering
STING: finding name resolution vulnerabilities in programs
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Static secure page allocation for light-weight dynamic information flow tracking
Proceedings of the 2012 international conference on Compilers, architectures and synthesis for embedded systems
ADEL: an automatic detector of energy leaks for smartphone applications
Proceedings of the eighth IEEE/ACM/IFIP international conference on Hardware/software codesign and system synthesis
Exploiting split browsers for efficiently protecting user data
Proceedings of the 2012 ACM Workshop on Cloud computing security workshop
Adaptive defenses for commodity software through virtual application partitioning
Proceedings of the 2012 ACM conference on Computer and communications security
FlowFox: a web browser with flexible and precise information flow control
Proceedings of the 2012 ACM conference on Computer and communications security
DTAM: dynamic taint analysis of multi-threaded programs for relevancy
Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering
SafeWeb: a middleware for securing ruby-based web applications
Proceedings of the 12th International Middleware Conference
Architecture-Independent dynamic information flow tracking
CC'13 Proceedings of the 22nd international conference on Compiler Construction
Practical information flow for legacy web applications
Proceedings of the 8th Workshop on Implementation, Compilation, Optimization of Object-Oriented Languages, Programs and Systems
TaintDroid: an information flow tracking system for real-time privacy monitoring on smartphones
Communications of the ACM
POSTER: CRYPTSERVER: strong data protection in commodity LAMP servers
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Diglossia: detecting code injection attacks with precision and efficiency
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
25 million flows later: large-scale detection of DOM-based XSS
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Techniques for efficient in-memory checkpointing
Proceedings of the 9th Workshop on Hot Topics in Dependable Systems
Automated detection of parameter tampering opportunities and vulnerabilities in web applications
Journal of Computer Security
Policy-based confinement, employed in SELinux and specification-based intrusion detection systems, is a popular approach for defending against exploitation of vulnerabilities in benign software. Conventional access control policies employed in these approaches are effective in detecting privilege escalation attacks. However, they are unable to detect attacks that "hijack" legitimate access privileges granted to a program, e.g., an attack that subverts an FTP server to download the password file. (Note that an FTP server would normally need to access the password file for performing user authentication.) Some of the common attack types reported today, such as SQL injection and cross-site scripting, involve such subversion of legitimate access privileges. In this paper, we present a new approach to strengthen policy enforcement by augmenting security policies with information about the trustworthiness of data used in security-sensitive operations. We evaluated this technique using 9 available exploits involving several popular software packages containing the above types of vulnerabilities. Our technique successfully defeated these exploits.