Abstract
Software security has traditionally been enforced at the level of the operating system. However, operating systems have become increasingly large and complex, and it is very difficult, if not impossible, to enforce software security solely through them. Moreover, operating-system security deals primarily with access-control policies on resources such as files and network connections, whereas attacks may occur at both lower and higher levels of abstraction and may target the internal behavior of applications, such as today's Web-based applications. Therefore, defenses must offer protection at the level of applications. Language-based security is the area of research that studies how to enforce application-level security using programming-language and program-analysis techniques. This area has become very active with the advent of Web applications. In 2006, ACM SIGPLAN introduced a new yearly forum entirely dedicated to the discussion of language-based-security research: the Workshop on Programming Languages and Analysis for Security (PLAS). This paper is a three-year survey of PLAS papers that discusses the progress made in language-based security.
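The abstract's central point, that operating-system access control cannot distinguish an application-level flaw from correct behavior while a program analysis can, as an added illustration that is not part of the paper or of the PLAS work it surveys: a toy static taint analysis over Python handler functions, built on the standard `ast` module. Both handlers below open the same database and issue the same kind of query, so a file-permission or network policy treats them identically; following data from an attacker-controlled source to a SQL sink tells them apart. The names `request_param` (an attacker-controlled source) and `execute` (a sink whose first argument is interpreted as SQL) are assumed, hypothetical names, and the three handler snippets are constructed for this example.

```python
"""Toy static taint analysis over Python handler code (standard ast module only).

Added illustration, not code from the surveyed paper: tracks attacker-controlled
data from a source call to a SQL sink, flow-sensitively, through assignments and
if-statements.
"""
import ast

# Assumed, hypothetical names: request_param() returns attacker-controlled data,
# and the first positional argument of execute() is interpreted as SQL.
SOURCES = {"request_param"}
SINKS = {"execute"}


def _callee(call):
    """Name of the called function, for both f(...) and obj.f(...)."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _is_tainted(expr, tainted):
    """An expression is tainted if it mentions a tainted variable or calls a source."""
    for node in ast.walk(expr):
        if isinstance(node, ast.Name) and node.id in tainted:
            return True
        if isinstance(node, ast.Call) and _callee(node) in SOURCES:
            return True
    return False


def _report_sinks(node, tainted, findings):
    """Record every sink call inside `node` whose first argument is tainted."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call) and _callee(sub) in SINKS and sub.args:
            if _is_tainted(sub.args[0], tainted):
                findings.append((_callee(sub), sub.lineno))


def _check_stmts(stmts, tainted, findings):
    """Flow-sensitive walk over straight-line code and if-statements.

    `tainted` is the set of variable names holding attacker-controlled data at the
    current program point and is updated in place. Loops, calls to user-defined
    functions and augmented assignments are deliberately not modelled (teaching toy).
    """
    for stmt in stmts:
        if isinstance(stmt, ast.If):
            _report_sinks(stmt.test, tainted, findings)
            t_body, t_else = set(tainted), set(tainted)
            _check_stmts(stmt.body, t_body, findings)
            _check_stmts(stmt.orelse, t_else, findings)
            # Join: a variable is tainted after the if when it is tainted on either path.
            tainted.clear()
            tainted.update(t_body | t_else)
            continue
        _report_sinks(stmt, tainted, findings)
        if isinstance(stmt, ast.Assign):
            targets = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            if _is_tainted(stmt.value, tainted):
                tainted |= targets          # taint propagates to the assigned variables
            else:
                tainted -= targets          # overwriting with clean data removes taint


def analyze(source):
    """Return (sink_name, line) for each sink call that receives tainted data."""
    findings = []
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            _check_stmts(node.body, set(), findings)
    return findings


# Constructed sample handlers (not real application code).
VULNERABLE = '''
def lookup(db):
    user_id = request_param("id")                          # attacker-controlled
    query = "SELECT * FROM users WHERE id = " + user_id    # data becomes code
    return db.execute(query)                               # reaches the SQL sink
'''

HARDENED = '''
def lookup(db):
    user_id = request_param("id")
    query = "SELECT * FROM users WHERE id = ?"
    return db.execute(query, (user_id,))   # value travels as a bound parameter
'''

BRANCHED = '''
def lookup(db, verbose):
    query = "SELECT 1"
    if verbose:
        query = "SELECT * FROM users WHERE id = " + request_param("id")
    return db.execute(query)               # tainted on one path, so reported
'''

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE), ("hardened", HARDENED), ("branched", BRANCHED)]:
        print(name, analyze(src))
```

The hardened handler is accepted not because the analysis recognizes a sanitizer but because the tainted value never flows into the SQL text at all: it is passed as a bound parameter, which is the property a parameterized-query discipline enforces. The branched handler shows why the join at an if-statement must be a union; dropping taint that only one path introduced would miss the injection.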
Programming languages and program analysis for security: a three-year retrospective