Exploring and enforcing security guarantees via program dependence graphs

Published: 3 June 2015

Abstract

We present PIDGIN, a program analysis and understanding tool that enables the specification and enforcement of precise, application-specific information security guarantees. PIDGIN also allows developers to interactively explore the information flows in their applications in order to develop policies and investigate counter-examples. PIDGIN combines program dependence graphs (PDGs), which precisely capture the information flows in a whole application, with a custom PDG query language. Queries express properties about the paths in the PDG; because paths in the PDG correspond to information flows in the application, queries can be used to specify global security policies. PIDGIN is scalable: generating a PDG for a 330k-line Java application takes 90 seconds, and checking a policy on that PDG takes under 14 seconds. The query language is expressive, supporting a large class of precise, application-specific security guarantees. Policies are separate from the code, do not interfere with testing or development, and can be used for security regression testing. We describe the design and implementation of PIDGIN and report on using it: (1) to explore information security guarantees in legacy programs; (2) to develop and modify security policies concurrently with application development; and (3) to develop policies based on known vulnerabilities.
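The abstract's central idea is that a security policy can be stated as a property of paths in the PDG: a flow from a secret source to a public sink is acceptable only if it passes through a declassifier, which is the same as saying that no source-to-sink path survives once the declassifier nodes are removed from the graph, and any path that does survive is a concrete counter-example. The following Python is an added illustration of that idea, not PIDGIN's code or its query language. It hand-builds the PDG for a small constructed Java-like program (statement names such as `readPassword`, `hash`, `cmp`, `log`, `send_hash`, `send_pw`, and the treatment of `hash` as the sole declassifier, are assumptions of the example) and checks the policy by graph reachability over data and control dependence edges.

```python
"""PDG-based information-flow policy check, in the style the abstract describes.

Added example, not PIDGIN's own code. The graph below is constructed by hand
for this toy program (one PDG node per statement):

    pw = readPassword();          // secret source
    h  = hash(pw);                // declassifier: releasing a hash of pw is allowed
    if (pw.length() > 8)          // branch on the secret ("cmp")
        log("long password");     // public sink, control-dependent on the branch
    send(h);                      // public sink, fed only by the hash
    send(pw);                     // public sink, fed directly by pw (the bug)
"""
from collections import deque


class PDG:
    """Directed graph whose edges carry a kind: 'data' or 'control'."""

    def __init__(self):
        self.succ = {}  # node -> set of (dst, kind)

    def add_edge(self, src, dst, kind):
        assert kind in ("data", "control")
        self.succ.setdefault(src, set()).add((dst, kind))
        self.succ.setdefault(dst, set())

    def find_path(self, sources, sinks, removed=frozenset(), kinds=("data", "control")):
        """Breadth-first search from `sources` to any node in `sinks`, skipping
        `removed` nodes and edges whose kind is not in `kinds`. Returns the node
        list of one shortest path (a counter-example), or None if none exists."""
        parent = {s: None for s in sorted(sources) if s not in removed}
        queue = deque(sorted(parent))
        for s in queue:
            if s in sinks:  # a node that is both source and sink
                return [s]
        while queue:
            node = queue.popleft()
            for dst, kind in sorted(self.succ.get(node, ())):  # sorted: deterministic
                if dst in removed or kind not in kinds or dst in parent:
                    continue
                parent[dst] = node
                if dst in sinks:
                    path = [dst]
                    while parent[path[-1]] is not None:
                        path.append(parent[path[-1]])
                    return path[::-1]
                queue.append(dst)
        return None


def check_policy(pdg, sources, sinks, declassifiers, kinds=("data", "control")):
    """Policy: every flow from `sources` to `sinks` passes through a declassifier.
    Encoded as: no path exists once declassifier nodes are removed.
    Returns None when the policy holds, otherwise one violating path."""
    return pdg.find_path(sources, sinks, removed=frozenset(declassifiers), kinds=kinds)


def build_leaky_pdg():
    """PDG of the constructed program above, including the send(pw) bug."""
    g = PDG()
    g.add_edge("readPassword", "hash", "data")
    g.add_edge("readPassword", "cmp", "data")
    g.add_edge("cmp", "log", "control")          # implicit flow through the branch
    g.add_edge("hash", "send_hash", "data")
    g.add_edge("readPassword", "send_pw", "data")  # explicit leak
    return g


def build_fixed_pdg():
    """Same program with the send(pw) statement deleted."""
    g = build_leaky_pdg()
    g.succ["readPassword"].discard(("send_pw", "data"))
    del g.succ["send_pw"]
    return g


SOURCES = {"readPassword"}
SINKS = {"log", "send_hash", "send_pw"}
DECLASSIFIERS = {"hash"}

if __name__ == "__main__":
    leaky = build_leaky_pdg()
    fixed = build_fixed_pdg()
    # ['readPassword', 'send_pw']: pw reaches a public sink without being hashed
    print("leaky program:", check_policy(leaky, SOURCES, SINKS, DECLASSIFIERS))
    # None: with only explicit (data) flows considered, the fixed program is clean
    print("fixed, data edges only:", check_policy(fixed, SOURCES, SINKS, DECLASSIFIERS, kinds=("data",)))
    # ['readPassword', 'cmp', 'log']: the control edge exposes the implicit flow
    print("fixed, data + control:", check_policy(fixed, SOURCES, SINKS, DECLASSIFIERS))
```

The two runs over the fixed graph show why a PDG, rather than a plain def-use chain, is the right substrate: the `log` call never touches `pw`, but it is control-dependent on a comparison of `pw`, so whether it executes reveals one bit about the secret. A policy author can choose to query only data edges (explicit flows) or both kinds (explicit and implicit flows), and the returned path is exactly the counter-example a developer would want to inspect.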

Published in: ACM SIGPLAN Notices, Volume 50, Issue 6 (PLDI '15), June 2015, 630 pages. ISSN 0362-1340, EISSN 1558-1160. DOI: 10.1145/2813885. Editor: Andy Gill.

Also in: PLDI '15: Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2015, 630 pages. ISBN 9781450334686. DOI: 10.1145/2737924.

Copyright © 2015 ACM. Publisher: Association for Computing Machinery, New York, NY, United States.