Implicit flows: Can't live with 'Em, can't live without 'Em

Dave King, Boniface Hicks, Michael Hicks, Trent Jaeger

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

41 Citations (Scopus)

Abstract

Verifying that programs trusted to enforce security actually do so is a practical concern for programmers and administrators. However, there is a disconnect between the kinds of tools that have been successfully applied to real software systems (such as taint mode in Perl and Ruby), and information-flow compilers that enforce a variant of the stronger security property of noninterference. Tools that have been successfully used to find security violations have focused on explicit flows of information, where high-security information is directly leaked to output. Analysis tools that enforce noninterference also prevent implicit flows of information, where high-security information can be inferred from a program's flow of control. However, these tools have seen little use in practice, despite the stronger guarantees that they provide. To better understand why, this paper experimentally investigates the explicit and implicit flows identified by the standard algorithm for establishing noninterference. When applied to implementations of authentication and cryptographic functions, the standard algorithm discovers many real implicit flows of information, but also reports an extremely high number of false alarms, most of which are due to conservative handling of unchecked exceptions (e.g., null pointer exceptions). After a careful analysis of all sources of true and false alarms, due to both implicit and explicit flows, the paper concludes with some ideas to improve the false alarm rate, toward making stronger security analysis more practical.
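As an added illustration, not code from the paper, the following toy version of the pc-label algorithm (the "standard algorithm" for establishing noninterference named in the abstract) is run over three constructed programs: a direct leak (explicit flow), a password comparison whose result is released (a real implicit flow), and a field access on a high-labelled reference that may throw a null pointer exception, which the conservative rule flags even though the value released is a constant. The statement forms, label names and sample programs are all assumptions made for this example.

```python
LOW, HIGH = "L", "H"          # two-point lattice; join(L, H) = H

def join(a, b):
    return HIGH if HIGH in (a, b) else LOW

def analyze(block, labels, pc=LOW, alarms=None, why=None, path=""):
    """Walk `block` under program-counter label `pc`; return (alarms, pc)."""
    alarms = [] if alarms is None else alarms
    why = {} if why is None else why             # var -> how it became HIGH
    for i, stmt in enumerate(block):
        kind, where = stmt[0], f"{path}{i}"
        if kind == "assign":                     # dst := f(srcs): data + pc
            _, dst, srcs = stmt
            src_lab = LOW
            for s in srcs:
                src_lab = join(src_lab, labels.get(s, LOW))
            labels[dst] = join(pc, src_lab)
            why[dst] = "explicit" if src_lab == HIGH else "implicit"
        elif kind == "if":                       # branches run under pc ⊔ cond
            _, cond, then_b, else_b = stmt
            bpc = pc
            for c in cond:
                bpc = join(bpc, labels.get(c, LOW))
            analyze(then_b, labels, bpc, alarms, why, where + ".then.")
            analyze(else_b, labels, bpc, alarms, why, where + ".else.")
        elif kind == "deref":                    # dst := ref.f; may throw NPE,
            _, dst, ref = stmt                   # so whether execution continues
            lab = labels.get(ref, LOW)           # depends on the (high) reference:
            labels[dst] = join(pc, lab)          # the conservative rule raises pc
            pc = join(pc, lab)
        elif kind == "output":                   # write var to a public channel
            _, var = stmt
            if labels.get(var, LOW) == HIGH:
                alarms.append((where, why.get(var, "explicit")))
            elif pc == HIGH:
                alarms.append((where, "implicit"))
    return alarms, pc

def analyze_program(block, inputs):
    return analyze(block, dict(inputs))[0]

# Constructed sample programs; `password` and `user` hold secret data.
SECRETS = {"password": HIGH, "user": HIGH, "guess": LOW}
EXPLICIT = [("assign", "out", ["password"]), ("output", "out")]
AUTH = [("if", ["password", "guess"],            # ok := (password == guess)
         [("assign", "ok", [])], [("assign", "ok", [])]),
        ("output", "ok")]                        # real implicit flow: one bit
NPE = [("deref", "name", "user"), ("assign", "msg", []),
       ("output", "msg")]                        # alarm although msg is constant
```

The third program is the false-alarm pattern the abstract describes: if `user` can never actually be null, no information about it reaches the output, but the rule that raises `pc` at every possibly-throwing dereference cannot tell.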

Original language: English (US)
Title of host publication: Information Systems Security - 4th International Conference, ICISS 2008, Proceedings
Pages: 56-70
Number of pages: 15
DOI: 10.1007/978-3-540-89862-7_4
State: Published - Dec 1 2008
Event: 4th International Conference on Information Systems Security, ICISS 2008 - Hyderabad, India
Duration: Dec 16 2008 - Dec 20 2008

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 5352 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 4th International Conference on Information Systems Security, ICISS 2008
Country: India
City: Hyderabad
Period: 12/16/08 - 12/20/08

Fingerprint

Noninterference
Information Security
False Alarm
Ruby
Exception
Authentication
False Alarm Rate
Security Analysis
Information Flow
Compiler
Software System
Null
Output
Standards

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

King, D., Hicks, B., Hicks, M., & Jaeger, T. (2008). Implicit flows: Can't live with 'Em, can't live without 'Em. In Information Systems Security - 4th International Conference, ICISS 2008, Proceedings (pp. 56-70). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5352 LNCS). https://doi.org/10.1007/978-3-540-89862-7_4
King, Dave ; Hicks, Boniface ; Hicks, Michael ; Jaeger, Trent. / Implicit flows : Can't live with 'Em, can't live without 'Em. Information Systems Security - 4th International Conference, ICISS 2008, Proceedings. 2008. pp. 56-70 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{5876719887d740f4bac9fd8089b9ac29,
title = "Implicit flows: Can't live with 'Em, can't live without 'Em",
author = "Dave King and Boniface Hicks and Michael Hicks and Trent Jaeger",
year = "2008",
month = "12",
day = "1",
doi = "10.1007/978-3-540-89862-7_4",
language = "English (US)",
isbn = "3540898611",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "56--70",
booktitle = "Information Systems Security - 4th International Conference, ICISS 2008, Proceedings",
}

King, D, Hicks, B, Hicks, M & Jaeger, T 2008, Implicit flows: Can't live with 'Em, can't live without 'Em. in Information Systems Security - 4th International Conference, ICISS 2008, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5352 LNCS, pp. 56-70, 4th International Conference on Information Systems Security, ICISS 2008, Hyderabad, India, 12/16/08. https://doi.org/10.1007/978-3-540-89862-7_4

Implicit flows : Can't live with 'Em, can't live without 'Em. / King, Dave; Hicks, Boniface; Hicks, Michael; Jaeger, Trent.

Information Systems Security - 4th International Conference, ICISS 2008, Proceedings. 2008. p. 56-70 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5352 LNCS).

TY - GEN

T1 - Implicit flows

T2 - Can't live with 'Em, can't live without 'Em

AU - King, Dave

AU - Hicks, Boniface

AU - Hicks, Michael

AU - Jaeger, Trent

PY - 2008/12/1

Y1 - 2008/12/1

UR - http://www.scopus.com/inward/record.url?scp=58449135488&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=58449135488&partnerID=8YFLogxK

U2 - 10.1007/978-3-540-89862-7_4

DO - 10.1007/978-3-540-89862-7_4

M3 - Conference contribution

AN - SCOPUS:58449135488

SN - 3540898611

SN - 9783540898610

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 56

EP - 70

BT - Information Systems Security - 4th International Conference, ICISS 2008, Proceedings

ER -

King D, Hicks B, Hicks M, Jaeger T. Implicit flows: Can't live with 'Em, can't live without 'Em. In Information Systems Security - 4th International Conference, ICISS 2008, Proceedings. 2008. p. 56-70. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-540-89862-7_4