Abstract

We present a novel progress-sensitive, flow-sensitive hybrid information-flow control monitor for an imperative interactive language. Progress-sensitive information-flow control is a strong information security guarantee which ensures that a program's progress (or lack thereof) does not leak information. Flow-sensitivity means that this strong security guarantee is enforced fairly precisely: our monitor tracks information flow per variable and per program point. We illustrate our approach on an imperative interactive language. Our hybrid monitor is inlined: source programs are translated, by a type-based analysis, into a target language that supports dynamic security levels. A key benefit of this is that the resulting monitored program is amenable to standard optimization techniques such as partial evaluation. One of the distinguishing features of our hybrid monitor is that it uses sets of levels to track the different possible security types of variables. This feature allows us to distinguish outputs that never leak information from those that may leak information.

Highlights

  • Information-flow control is a promising approach to enable trusted systems to interact with untrusted parties, providing fine-grained, application-specific control of confidential and untrusted information

  • Our target language is inspired by the work of Zheng and Myers [15], which introduced a language with first-class security levels, and a type system that soundly enforces non-interference in this language

  • We inline a flow-sensitive, progress-sensitive hybrid monitor, and we prove soundness using a mostly-standard security-type system for the target language


Summary

Introduction

Information-flow control is a promising approach to enable trusted systems to interact with untrusted parties, providing fine-grained, application-specific control of confidential and untrusted information. Static mechanisms for information-flow control (such as security type systems [12,14]) analyse a program before execution to determine whether its execution satisfies the information-flow requirements. This has low runtime overhead but can generate many false positives. The most common way to prevent leaks through progress channels is to forbid loops whose execution depends on confidential information [10,13], but this leads to the rejection of many secure programs, such as the following.
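The paper's own example program is not reproduced on this page. As an added, independent illustration (not the paper's monitor, target language or proof), the Python below is a toy hybrid monitor for a tiny while-language that shows the three ideas the introduction relies on: labels are tracked per variable and recomputed at every write (flow-sensitivity); a static pass over the variables assigned in a branch or loop body pre-raises their labels to the guard's level before the branch is taken (the hybrid part, which is what keeps an untaken branch from leaking); and a progress level is raised to the guard level of every loop evaluated and never lowered, so an output is permitted only if the pc, the progress level and the data's label all flow to the channel. Assumptions of the example: a two-point lattice L below H, a tuple-encoded AST, halting (rather than suppressing) on a refused output, and four constructed sample programs; the paper's sets-of-levels refinement is not modeled.

```python
# Added illustration (not the paper's monitor or target language): a toy hybrid, flow-sensitive,
# progress-sensitive IFC monitor for a tuple-encoded while-language over the lattice L below H.
import operator

ORDER = {"L": 0, "H": 1}
OPS = {"+": operator.add, "-": operator.sub, "<": operator.lt, ">": operator.gt, "==": operator.eq}

def join(*levels):
    return max(levels, key=ORDER.__getitem__)

def assigned(stmt):
    """Static half of the hybrid monitor: every variable written anywhere inside stmt.
    Expressions contain no 'assign' node, so walking through them is harmless."""
    if stmt[0] == "assign":
        return {stmt[1]}
    return set().union(*(assigned(s) for s in stmt[1:] if isinstance(s, tuple)))

class Monitor:
    def __init__(self, env, labels):
        self.env, self.labels, self.outputs = dict(env), dict(labels), []
        self.progress = "L"  # level of whatever may have decided that execution got this far

    def evaluate(self, expr):
        """Evaluate an expression to (value, level)."""
        if expr[0] == "const":
            return expr[1], "L"
        if expr[0] == "var":
            return self.env[expr[1]], self.labels[expr[1]]
        _, op, a, b = expr
        (va, la), (vb, lb) = self.evaluate(a), self.evaluate(b)
        return OPS[op](va, vb), join(la, lb)

    def raise_assigned(self, stmt, level):
        # Hybrid pre-upgrade: variables written under a guard of this level get at least
        # that level whether or not the write executes, so an untaken branch cannot leak.
        for x in assigned(stmt):
            self.labels[x] = join(self.labels[x], level)

    def exec(self, stmt, pc="L"):
        kind = stmt[0]
        if kind == "seq":
            for s in stmt[1:]:
                self.exec(s, pc)
        elif kind == "assign":
            v, l = self.evaluate(stmt[2])
            self.env[stmt[1]] = v
            self.labels[stmt[1]] = join(pc, l)  # flow-sensitive: the label is set per write
        elif kind == "if":
            _, guard, s_then, s_else = stmt
            v, l = self.evaluate(guard)
            pc2 = join(pc, l)
            self.raise_assigned(("seq", s_then, s_else), pc2)
            self.exec(s_then if v else s_else, pc2)
        elif kind == "while":
            _, guard, body = stmt
            while True:
                v, l = self.evaluate(guard)
                pc2 = join(pc, l)
                # Progress-sensitivity: whether execution ever gets past this loop depends
                # on the guard, so every later observation is tainted by pc2. Never lowered.
                self.progress = join(self.progress, pc2)
                self.raise_assigned(body, pc2)
                if not v:
                    break
                self.exec(body, pc2)
        elif kind == "output":
            channel = stmt[1]
            v, l = self.evaluate(stmt[2])
            level = join(pc, self.progress, l)
            if join(level, channel) != channel:  # level does not flow to the channel: refuse and halt
                raise PermissionError(f"{level} output on {channel} channel (pc={pc}, progress={self.progress}, data={l})")
            self.outputs.append((channel, v))

def run(program, env, labels):
    """Run program under the monitor: ('ok', emitted outputs) or ('blocked', reason)."""
    m = Monitor(env, labels)
    try:
        m.exec(program)
    except PermissionError as e:
        return "blocked", str(e)
    return "ok", m.outputs

# Constructed programs; h is secret (H), x is public (L). Comments give the source-level form.
INIT_ENV, INIT_LABELS = {"h": 3, "x": 0}, {"h": "H", "x": "L"}
COUNT_DOWN = ("while", ("op", ">", ("var", "h"), ("const", 0)),  # while h > 0 do h := h - 1
              ("assign", "h", ("op", "-", ("var", "h"), ("const", 1))))
PROGRAMS = {
    # x := h; x := 0; output_L x  -- accepted: the second write relabels x to L
    "relabel": ("seq", ("assign", "x", ("var", "h")), ("assign", "x", ("const", 0)), ("output", "L", ("var", "x"))),
    # x := 0; if h == 0 then x := 1 else skip; output_L x  -- blocked: the untaken branch writes x
    "implicit": ("seq", ("assign", "x", ("const", 0)), ("if", ("op", "==", ("var", "h"), ("const", 0)),
                 ("assign", "x", ("const", 1)), ("skip",)), ("output", "L", ("var", "x"))),
    # while h > 0 do h := h - 1; output_L 1  -- blocked: reaching the output at all depends on h
    "progress_leak": ("seq", COUNT_DOWN, ("output", "L", ("const", 1))),
    # while h > 0 do h := h - 1; output_H h  -- accepted, although "no loops on secrets" rejects it
    "progress_ok": ("seq", COUNT_DOWN, ("output", "H", ("var", "h"))),
}

if __name__ == "__main__":
    for name, program in PROGRAMS.items():
        print(f"{name:14} {run(program, INIT_ENV, INIT_LABELS)}")
```

The last two programs are the point of the exercise: both contain a loop guarded by the secret, which the rule "forbid loops whose execution depends on confidential information" rejects outright, yet only the one that later writes to the public channel is a progress leak. The monitor accepts the other because the progress level, though raised to H by the loop, still flows to channel H. A flow-insensitive tracker would additionally reject the first program, since x would keep the label it received from h.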

Source language
Syntax
Semantics
Security
Type-based Instrumentation
Source language types
Syntax and semantics of target language
Instrumentation as a type system
Related Work
Conclusion