Tight Enforcement of Information-Release Policies for Dynamic Languages

被引:42
作者
Askarov, Aslan [1 ]
Sabelfeld, Andrei [2 ]
机构
[1] Cornell Univ, Dept Comp Sci, Ithaca, NY 14853 USA
[2] Chalmers Univ Technol, Dept Comp Sci & Engn, Gothenburg, Sweden
来源
PROCEEDINGS OF THE 22ND IEEE COMPUTER SECURITY FOUNDATIONS SYMPOSIUM | 2009年
关键词
DECLASSIFICATION;
D O I
10.1109/CSF.2009.22
中图分类号
TP301 [理论、方法];
学科分类号
081202 ;
摘要
This paper studies the problem of securing information release in dynamic languages. We propose (i) an intuitive framework for information-release policies expressing both what can be released by an application and where in the code this release may take place and (ii) tight and modular enforcement by hybrid mechanisms that combine monitoring with on-the-fly static analysis for a language with dynamic code evaluation and communication primitives. The policy framework and enforcement mechanisms support both termination-sensitive and insensitive security policies.
引用
收藏
页码:43 / +
页数:3
相关论文
共 44 条
[1]  
[Anonymous], CROSS SITE SCRIPTING
[2]  
ASKAROV A, 2009, TIGHT ENFORCEMENT IN
[3]   Localized Delimited Release: Combining the What and Where Dimensions of Information Release [J].
Askarov, Aslan ;
Sabelfeld, Andrei .
PLAS'07: PROCEEDINGS OF THE 2007 ACM SIGPLAN WORKSHOP ON PROGRAMMING LANGUAGES AND ANALYSIS FOR SECURITY, 2007, :53-60
[4]   Gradual release: Unifying declassification, encryption and key release policies [J].
Askarov, Aslan ;
Sabelfeld, Andrei .
2007 IEEE SYMPOSIUM ON SECURITY AND PRIVACY, PROCEEDINGS, 2007, :207-+
[5]  
Askarov A, 2008, LECT NOTES COMPUT SC, V5283, P333
[6]   Expressive declassification policies and modular static enforcement [J].
Banerjee, Anindya ;
Naumann, David A. ;
Rosenberg, Stan .
PROCEEDINGS OF THE 2008 IEEE SYMPOSIUM ON SECURITY AND PRIVACY, 2008, :339-+
[7]  
BARTHE G, 2008, P IEEE COMP SERV FDN
[8]  
BOUDOL G, 2009, LNCS, P20
[9]  
CHANDRA D, 2007, P ANN COMP SEC APPL, P463, DOI DOI 10.1109/ACSAC.2007.37
[10]  
CHONG S, 2007, P ACM S OP SYST PRIN, P31
12345