Séminaire SoSySec

Sécurité des logiciels et des systèmes

Accueil     Présentation     Archives

Nataliia Bielova (Inria Sophia Antipolis)

A Taxonomy of Information Flow Monitors

The dynamic aspects of JavaScript make the security analysis of web applications very challenging. Purely static analysis is prohibitively restrictive in practice since it must exclude JavaScript dynamic aspects or over-approximate them. In recent years, several dynamic enforcement mechanisms in the form of information flow monitors have been proposed. In order to better evaluate the currently available information flow monitors trade-offs, our contribution is to rigorously compare them [1]. We compare them with respect to two important dimensions according to the runtime monitor literature: soundness and transparency. We notice that the standard information flow security definition called Termination-Insensitive Noninterference (TINI) allows the presence of termination channels, however it does not describe whether the termination channel was present in the original program, or it was added by a monitor. We propose a stronger notion of noninterference, that we call Termination-Aware Noninterference (TANI), that captures this fact, and thus allows us to better evaluate the security guarantees of different monitors. We further analyse five widely explored information flow monitors: no-sensitive-upgrade, permissive-upgrade, hybrid monitors, secure multi-execution, and multiple facets. Furthermore, we formally prove that the generalised belief in the equivalence of two of these approaches, secure multi-execution and multiple facets, is false [2].

[1] N. Bielova and T. Rezk. A Taxonomy of Information Flow Monitors. International Conference on Principles of Security and Trust (POST 2016). [2] N. Bielova and T. Rezk. Spot the Difference: Secure Multi-Execution and Multiple Facets. European Symposium on Research in Computer Security (ESORICS 2016).