SNITCH: Dynamic Dependent Information Flow Analysis for Independent Java Bytecode

by Eduardo Geraldo, et al.

Software testing is the most commonly used technique in industry to certify the correctness of software systems, including security properties such as access control and data confidentiality. However, information flow control and the detection of information leaks through testing is a demanding task without specialized monitoring and assessment tools. In this paper, we tackle the challenge of dynamically tracking information flow in third-party Java-based applications using dependent information flow control. Dependent security labels increase the expressiveness of traditional information flow control techniques by allowing labels to be parametrized with context-related information, which enables the specification of more detailed and fine-grained policies. Instead of the fixed security lattice used in traditional approaches, which defines a fixed set of security compartments, dependent security labels give rise to a dynamic lattice that can be extended at runtime, so that new security compartments can be defined from context values. We present a specification and instrumentation approach for rewriting JVM compiled code with in-lined reference monitors. To illustrate the proposed approach we use an example and a working prototype, SNITCH. SNITCH operates over the static single assignment language Shimple, an intermediate representation for Java bytecode used in the SOOT framework.
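The following is an added illustration and not SNITCH's own code: a Python sketch of a dynamic monitor with dependent security labels, standing in for the in-lined reference monitor that the paper inserts into Shimple code. The policy (a hypothetical compartment `User(uid)` built from a runtime user id, a database of balances, and "send to user" as the sink) is constructed for the example. It shows the two properties the abstract describes: the lattice is not fixed in advance, because a label for an id first seen at runtime is valid the moment it is built, and the monitor rejects both explicit flows (another user's row reaches the wrong receiver) and implicit flows (a constant assigned under a branch on secret data).

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, FrozenSet, List, Tuple

# A compartment is a label constructor applied to runtime context values,
# e.g. ("User", 42). A label is a set of compartments ordered by inclusion,
# so the lattice is not fixed up front: a compartment for a user id first
# seen at runtime is a valid label as soon as it is constructed.
Compartment = Tuple[Any, ...]
Label = FrozenSet[Compartment]
PUBLIC: Label = frozenset()


def user(uid: int) -> Label:
    """Dependent label 'data belonging to user uid' (hypothetical policy)."""
    return frozenset({("User", uid)})


def leq(a: Label, b: Label) -> bool:
    """a may flow to b when b names at least every compartment a names."""
    return a <= b


def join(a: Label, b: Label) -> Label:
    return a | b


@dataclass(frozen=True)
class Labeled:
    value: Any
    label: Label = PUBLIC


class LeakError(Exception):
    pass


class Monitor:
    """Stand-in for an in-lined reference monitor. Every computation on
    labeled values goes through op(); branches push the condition's label
    onto the pc stack so implicit flows are caught; sinks check that the
    effective label of the outgoing value is dominated by the receiver's."""

    def __init__(self) -> None:
        self.pc: List[Label] = [PUBLIC]

    def op(self, f: Callable[..., Any], *args: Labeled) -> Labeled:
        lbl = self.pc[-1]
        for a in args:
            lbl = join(lbl, a.label)
        return Labeled(f(*(a.value for a in args)), lbl)

    def branch(self, cond: Labeled) -> None:
        self.pc.append(join(self.pc[-1], cond.label))

    def end_branch(self) -> None:
        self.pc.pop()

    def sink(self, receiver: Label, v: Labeled) -> None:
        effective = join(v.label, self.pc[-1])
        if not leq(effective, receiver):
            raise LeakError(f"{sorted(effective)} may not flow to {sorted(receiver)}")


def fetch_balance(db: Dict[int, int], uid: int) -> Labeled:
    # Constructed data source: the row for uid is labeled User(uid).
    return Labeled(db[uid], user(uid))


def own_balance(m: Monitor, db: Dict[int, int]) -> None:
    m.sink(user(7), fetch_balance(db, 7))

def cross_user(m: Monitor, db: Dict[int, int]) -> None:
    m.sink(user(9), fetch_balance(db, 7))

def implicit_flow(m: Monitor, db: Dict[int, int]) -> None:
    # A constant assigned under a branch on user 7's data is still tainted.
    m.branch(m.op(lambda b: b > 100, fetch_balance(db, 7)))
    flag = m.op(lambda: 1)
    m.end_branch()
    m.sink(user(9), flag)

def runtime_compartment(m: Monitor, db: Dict[int, int]) -> None:
    # uid 123 belongs to no static lattice; its compartment exists anyway.
    m.sink(user(123), fetch_balance(db, 123))

def joint_to_auditor(m: Monitor, db: Dict[int, int]) -> None:
    total = m.op(lambda a, b: a + b, fetch_balance(db, 7), fetch_balance(db, 9))
    m.sink(join(user(7), user(9)), total)

def joint_to_single_user(m: Monitor, db: Dict[int, int]) -> None:
    total = m.op(lambda a, b: a + b, fetch_balance(db, 7), fetch_balance(db, 9))
    m.sink(user(7), total)


SCENARIOS = [own_balance, cross_user, implicit_flow, runtime_compartment,
             joint_to_auditor, joint_to_single_user]


def run_all() -> Dict[str, str]:
    """Run every scenario on constructed data; 'ok' or 'leak' per scenario."""
    db = {7: 150, 9: 20, 123: 5}  # constructed sample balances
    results: Dict[str, str] = {}
    for scenario in SCENARIOS:
        try:
            scenario(Monitor(), db)
            results[scenario.__name__] = "ok"
        except LeakError:
            results[scenario.__name__] = "leak"
    return results


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:22} {verdict}")
```

The pc stack is the part a test-based approach tends to miss: `implicit_flow` never copies the secret value, yet the monitor still refuses to send `flag` to user 9 because the assignment happened under a branch whose condition carried `User(7)`. In SNITCH the equivalent bookkeeping is inserted into the bytecode itself rather than written by hand as here.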




A Permission-Dependent Type System for Secure Information Flow Analysis

We introduce a novel type system for enforcing secure information flow i...

A Dependently Typed Library for Static Information-Flow Control in Idris

Safely integrating third-party code in applications while protecting the...

Mining Secure Behavior of Hardware Designs

Specification mining offers a solution by automating security specificat...

Secure Information Flow Connections

Denning's lattice model provided secure information flow analyses with a...

IFCIL: An Information Flow Configuration Language for SELinux (Extended Version)

Security Enhanced Linux (SELinux) is a security architecture for Linux i...

ACGreGate: A Framework for Practical Access Control for Applications using Weakly Consistent Databases

Scalable and highly available systems often require data stores that off...

Confidentiality enforcement by hybrid control of information flows

An information owner, possessing diverse data sources, might want to off...
