mdh.sePublications
Change search
Refine search result
1 - 7 of 7
CiteExportLink to result list
Permanent link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Rows per page
  • 5
  • 10
  • 20
  • 50
  • 100
  • 250
Sort
  • Standard (Relevance)
  • Author A-Ö
  • Author Ö-A
  • Title A-Ö
  • Title Ö-A
  • Publication type A-Ö
  • Publication type Ö-A
  • Issued (Oldest first)
  • Issued (Newest first)
  • Created (Oldest first)
  • Created (Newest first)
  • Last updated (Oldest first)
  • Last updated (Newest first)
  • Disputation date (earliest first)
  • Disputation date (latest first)
  • Standard (Relevance)
  • Author A-Ö
  • Author Ö-A
  • Title A-Ö
  • Title Ö-A
  • Publication type A-Ö
  • Publication type Ö-A
  • Issued (Oldest first)
  • Issued (Newest first)
  • Created (Oldest first)
  • Created (Newest first)
  • Last updated (Oldest first)
  • Last updated (Newest first)
  • Disputation date (earliest first)
  • Disputation date (latest first)
Select
The maximal number of hits you can export is 250. When you want to export more records please use the Create feeds function.
  • 1.
    Bello, Luciano
    et al.
    Chalmers University of Technology, Gothenburg, Sweden.
    Hedin, Daniel
    Mälardalen University, School of Innovation, Design and Engineering, Embedded Systems. Chalmers University of Technology, Gothenburg, Sweden.
    Sabelefeld, Andrei
    Chalmers University of Technology, Gothenburg, Sweden.
    Value Sensitivity and Observable Abstract Values for Information Flow Control2015In: 20th International Conference on Logic for Programming, Artificial Intelligence and Reasoning LPAR'15, 2015, p. 63-78Conference paper (Refereed)
    Abstract [en]

    Much progress has recently been made on information flow control, enabling the enforcement of increasingly rich policies for increasingly expressive programming languages. This has resulted in tools for mainstream programming languages as JavaScript, Java, Caml, and Ada that enforce versatile security policies. However, a roadblock on the way to wider adoption of these tools has been their limited permissiveness (high number of false positives). Flow-, context-, and object-sensitive techniques have been suggested to improve the precision of static information flow control and dynamic monitors have been explored to leverage the knowledge about the current run for precision. This paper explores value sensitivity to boost the permissiveness of information flow control. We show that both dynamic and hybrid information flow mechanisms benefit from value sensitivity. Further, we introduce the concept of observable abstract values to generalize and leverage the power of value sensitivity to richer programming languages. We demonstrate the usefulness of the approach by comparing it to known disciplines for dealing with information flow in dynamic and hybrid settings.

  • 2.
    Hedin, Daniel
    Mälardalen University, School of Innovation, Design and Engineering, Embedded Systems.
    App security with JSFlow2016In: Proceedings - International Conference on Mobile Software Engineering and Systems, MOBILESoft 2016, 2016, p. 289-290Conference paper (Refereed)
    Abstract [en]

    This abstract accompanies a demo of app security using JSFlow [7]. The interested reader is encouraged to try the JSFlow tool [8] and get a full account of the theory and practice behind JSFlow, as detailed in a journal article [9]. The web has transitioned from simple, static pages to full edged applications. When loading a web application, content and scripts may be downloaded from various sources: the 1st party (the application provider), 3rd parties (e.g., library or service providers), as well other users (indirectly, via user generated content). The situation, where either of these sources is untrustworthy or malicious, may lead to attacker controlled code being executed on users' machines. This is particularly problematic, since attacker controlled code allows for complete circumvention of traditional protection mechanisms, and puts the users in the situation, where they cannot trust applications with sensitive information without endangering the con dentiality of the information.

  • 3.
    Hedin, Daniel
    et al.
    Mälardalen University, School of Innovation, Design and Engineering, Embedded Systems. Department of Computer Science and Engineering, Chalmers University of Technology, Rännvägen 6B, Gothenburg, Sweden.
    Bello, L.
    Department of Computer Science and Engineering, Chalmers University of Technology, Rännvägen 6B, Gothenburg, Sweden.
    Sabelfeld, A.
    Department of Computer Science and Engineering, Chalmers University of Technology, Rännvägen 6B, Gothenburg, Sweden.
    Information-flow security for JavaScript and its APIs2016In: Journal of Computer Security, ISSN 0926-227X, E-ISSN 1875-8924, Vol. 24, no 2, p. 181-234Article in journal (Refereed)
    Abstract [en]

    JavaScript drives the evolution of the web into a powerful application platform. Increasingly, web applications combine services from different providers. The script inclusion mechanism routinely turns barebone web pages into full-fledged services built up from third-party code. Script inclusion poses a challenge of ensuring that the integrated third-party code respects security and privacy. This paper presents a dynamic mechanism for securing script executions by tracking information flow in JavaScript and its APIs. On the formal side, the paper identifies language constructs that constitute a core of JavaScript: dynamic objects, higher-order functions, exceptions, and dynamic code evaluation. It develops a dynamic type system that guarantees information-flow security for this language. Based on this formal model, the paper presents JSFlow, a practical security-enhanced interpreter for fine-grained tracking of information flow in full JavaScript and its APIs. Our experiments with JSFlow deployed as a browser extension provide in-depth understanding of information manipulation by third-party scripts. We find that different sites intended to provide similar services effectuate rather different security policies for the user's sensitive information: some ensure it does not leave the browser, others share it with the originating server, while yet others freely propagate it to third parties.

  • 4.
    Hedin, Daniel
    et al.
    Mälardalen University, School of Innovation, Design and Engineering, Embedded Systems. Chalmers University of Technology, Sweden.
    Bello, Luciano
    Chalmers University of Technology, Sweden.
    Sabelefeld, Andrei
    Chalmers University of Technology, Sweden.
    Value-sensitive Hybrid Information Flow Control for a JavaScript-like Language2015In: Proceedings of the Computer Security Foundations Workshop, vol. 2015, 2015, p. 351-365Conference paper (Refereed)
    Abstract [en]

    Secure integration of third-party code is one of the prime challenges for securing today’s web. Recent empirical studies give evidence of pervasive reliance on and excessive trust in third-party JavaScript, with no adequate security mechanism to limit the trust or the extent of its abuse. Information flow control is a promising approach for controlling the behavior of third-party code and enforcing confidentiality and integrity policies. While much progress has been made on static and dynamic approaches to information flow control, only recently their combinations have received attention. Purely static analysis falls short of addressing dynamic language features such as dynamic objects and dynamic code evaluation, while purely dynamic analysis suffers from inability to predict side effects in non-performed executions. This paper develops a value-sensitive hybrid mechanism for tracking information flow in a JavaScriptlike language. The mechanism consists of a dynamic monitor empowered to invoke a static component on the fly. This enables us to achieve a sound yet permissive enforcement. We establish formal soundness results with respect to the security policy of noninterference. In addition, we demonstrate permissiveness by proving that we subsume the precision of purely static analysis and by presenting a collection of common programming patterns that indicate that our mechanism has potential to provide more permissiveness than dynamic mechanisms in practice.

  • 5.
    Hedin, Daniel
    et al.
    Mälardalen University, School of Innovation, Design and Engineering, Embedded Systems. Chalmers University of Technology, Sweden.
    Sabelfeld, Andrei
    Chalmers University of Technology, Sweden.
    Web Application Security Using JSFlow2016In: Proceedings - 17th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing, SYNASC 2015, 2016, p. 16-19Conference paper (Refereed)
    Abstract [en]

    Web applications are often vulnerable to code injection attacks and to attacksthrough buggy or malicious libraries. Unfortunately, the current protectionmechanisms are frequently ad-hoc, as a response to attacks after the fact. Thishad lead to a plethora of specialized protection mechanisms that are oftenbrittle and insufficient to guarantee security. This extended abstract accompanies a tutorial on web application security usingJSFlow, an information-flow aware interpreter for full non-strict ECMA-262(v.5). In contrast to access control, which most current protection mechanismsapply, information-flow control focuses on what applications are allowed to dowith the information they access. This removes the inherent trust that accesscontrol places on entities that are granted access. Dispensing with this trustis key for the protection to withstand bypassing in the presence ofuntrustworthy 3rd party code and code injection attacks. Based on two practical attacks against an example web application Hrafn, wedemonstrate the power of JSFlow. The attacks model the scenario where thecurrent standards protection mechanism are bypassed or not applicable. By usinga simple and natural security policy, we show how both attacks are prevented byJSFlow. Although information-flow control has not been tailor made to preventthis kind of attacks, it offers a uniform line of defense against untrustworthyand malicious code and ensures confidentiality of sensitive data.

  • 6.
    Hedin, Daniel
    et al.
    Mälardalen University, School of Innovation, Design and Engineering, Embedded Systems. Chalmers University of Technology, Gothenburg, Sweden.
    Sjösten, Alexander
    Chalmers University of Technology, Gothenburg, Sweden.
    Piessens, Frank
    imec-DistriNet, KU Leuven, Leuven, Belgium.
    Sabelfeld, Andrei
    Chalmers University of Technology, Gothenburg, Sweden.
    A principled approach to tracking information flow in the presence of libraries2017Conference paper (Refereed)
    Abstract [en]

    There has been encouraging progress on information flow control for programs in increasingly complex programming languages, tracking the propagation of information from input sources to output sinks. Yet, programs are typically deployed in an environment with rich APIs and powerful libraries, posing challenges for information flow control when the code for these APIs and libraries is either unavailable or written in a different language. This paper presents a principled approach to tracking information flow in the presence of libraries. With the goal to strike the balance between security and precision, we present a framework that explores the middle ground between the “shallow”, signature-based modeling of libraries and the “deep”, stateful approach, where library models need to be supplied manually. We formalize our approach for a core language, extend it with lists and higher-order functions, and establish soundness results with respect to the security condition of noninterference.

  • 7.
    Sjösten, A.
    et al.
    Chalmers University of Technology, Gothenburg, Sweden.
    Hedin, Daniel
    Mälardalen University, School of Innovation, Design and Engineering, Embedded Systems. Chalmers University of Technology, Gothenburg, Sweden.
    Sabelfeld, A.
    Chalmers University of Technology, Gothenburg, Sweden.
    Information flow tracking for side-effectful libraries2018In: Lect. Notes Comput. Sci., Springer Verlag , 2018, p. 141-160Conference paper (Refereed)
    Abstract [en]

    Dynamic information flow control is a promising technique for ensuring confidentiality and integrity of applications that manipulate sensitive information. While much progress has been made on increasingly powerful programming languages ranging from low-level machine languages to high-level languages for distributed systems, surprisingly little attention has been devoted to libraries and APIs. The state of the art is largely an all-or-nothing choice: either a shallow or deep library modeling approach. Seeking to break out of this restrictive choice, we formalize a general mechanism that tracks information flow for a language that includes higher-order functions, structured data types and references. A key feature of our approach is the model heap, a part of the memory, where security information is kept to enable the interaction between the labeled program and the unlabeled library. We provide a proof-of-concept implementation and report on experiments with a file system library. The system has been proved correct using Coq.

1 - 7 of 7
CiteExportLink to result list
Permanent link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf