Abstract
We present PIDGIN, a program analysis and understanding tool that enables the specification and enforcement of precise application-specific information security guarantees. PIDGIN also allows developers to interactively explore the information flows in their applications to develop policies and investigate counter-examples. PIDGIN combines program dependence graphs (PDGs), which precisely capture the information flows in a whole application, with a custom PDG query language. Queries express properties about the paths in the PDG; because paths in the PDG correspond to information flows in the application, queries can be used to specify global security policies. PIDGIN is scalable. Generating a PDG for a 330k line Java application takes 90 seconds, and checking a policy on that PDG takes under 14 seconds. The query language is expressive, supporting a large class of precise, application-specific security guarantees. Policies are separate from the code and do not interfere with testing or development, and can be used for security regression testing. We describe the design and implementation of PIDGIN and report on using it: (1) to explore information security guarantees in legacy programs; (2) to develop and modify security policies concurrently with application development; and (3) to develop policies based on known vulnerabilities.
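As an added illustration (not PIDGIN's own code, PDG format or query syntax), the Python below builds a constructed PDG for a toy Java-like program and phrases two policies as path queries: a "no flow from secret to log" query whose counter-example is an implicit flow through a control dependence, and a "secret may reach the network only via hash" query implemented by removing the declassifier node and re-checking reachability.

```python
from collections import deque

class PDG:
    """Program dependence graph: nodes are program points, edges are data or
    control dependences. Constructed for this example only."""

    def __init__(self):
        self.succ = {}  # node -> list of (successor, edge kind)

    def edge(self, src, dst, kind):
        assert kind in ("data", "control")
        self.succ.setdefault(src, []).append((dst, kind))
        self.succ.setdefault(dst, [])

    def find_path(self, sources, sinks, removed=(), kinds=("data", "control")):
        """Return one source-to-sink path (a counter-example to 'no flow'), or
        None. Nodes in `removed` are treated as absent, which models 'flows
        passing through these declassifiers are permitted'; `kinds` restricts
        the query to explicit (data) or also implicit (control) flows."""
        parent = {s: None for s in sources if s not in removed}
        queue = deque(parent)
        while queue:
            n = queue.popleft()
            if n in sinks:  # reconstruct the counter-example path
                path = []
                while n is not None:
                    path.append(n)
                    n = parent[n]
                return path[::-1]
            for m, kind in self.succ.get(n, []):
                if kind in kinds and m not in removed and m not in parent:
                    parent[m] = n
                    queue.append(m)
        return None

def toy_pdg():
    # Constructed toy program:
    #   pw = readSecret(); h = hash(pw);
    #   if (pw.length() > 8) log("long password");
    #   send(h);
    g = PDG()
    g.edge("readSecret", "hash", "data")
    g.edge("hash", "send", "data")
    g.edge("readSecret", "lengthCheck", "data")
    g.edge("lengthCheck", "log", "control")  # implicit flow into the log call
    return g

def check_policies(g):
    # Policy 1: nothing derived from readSecret may reach log (any dependence).
    # Policy 2: readSecret may reach send only through the hash declassifier.
    return {
        "secret_to_log": g.find_path({"readSecret"}, {"log"}),
        "secret_to_log_explicit_only": g.find_path({"readSecret"}, {"log"}, kinds=("data",)),
        "secret_to_send_bypassing_hash": g.find_path({"readSecret"}, {"send"}, removed={"hash"}),
    }
```

A taint tracker that follows only data dependences reports the log policy as satisfied; the control-dependence edge in the PDG exposes the implicit leak, which is why the abstract stresses that PDG paths capture the application's information flows as a whole.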
Exploring and enforcing security guarantees via program dependence graphs
PLDI '15: Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation