发布求助
文献互助 智能选刊 最新文献

Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security最新文献

筛选
英文 中文
A Language-Based Approach to Secure Quorum Replication 基于语言的安全仲裁复制方法
Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security Pub Date : 2014-07-28 DOI: 10.1145/2637113.2637117
Lantian Zheng, A. Myers
{"title":"A Language-Based Approach to Secure Quorum Replication","authors":"Lantian Zheng, A. Myers","doi":"10.1145/2637113.2637117","DOIUrl":"https://doi.org/10.1145/2637113.2637117","url":null,"abstract":"Quorum replication is an important technique for building distributed systems because it can simultaneously improve both the integrity and availability of computation and storage. Information flow control is a well-known method for enforcing the confidentiality and integrity of information. This paper demonstrates that these two techniques can be integrated to simultaneously enforce all three major security properties: confidentiality, integrity and availability. It presents a security-typed language with explicit language constructs for supporting secure quorum replication. The dependency analysis performed by the type system of the language provides a way to formally verify the end-to-end security assurance of complex replication schemes. We also contribute a new multilevel timestamp mechanism for synchronizing code and data replicas while controlling previously ignored side channels introduced by such synchronization.","PeriodicalId":336079,"journal":{"name":"Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security","volume":"44 4 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-07-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126070564","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 9
Monitoring Reactive Systems with Dynamic Channels 用动态通道监测无功系统
Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security Pub Date : 2014-07-28 DOI: 10.1145/2637113.2637120
D. Zanarini, Mauro Jaskelioff
{"title":"Monitoring Reactive Systems with Dynamic Channels","authors":"D. Zanarini, Mauro Jaskelioff","doi":"10.1145/2637113.2637120","DOIUrl":"https://doi.org/10.1145/2637113.2637120","url":null,"abstract":"Given the increasingly sensitive data that web applications deal with, a lot of attention has been put into their security. Dynamic methods for ensuring confidentiality of secret data, such as monitors, are usually preferred due to their permissiveness and ability to adapt to dynamic features of web languages. One dynamic approach to confidentiality is through secure multi-execution, a technique which transforms programs into secure ones. A recent refinement of this technique led to a monitor for reactive systems such as web applications which is precise, in the sense that it raises an alarm exactly when a security condition is violated, and transparent, in the sense that the semantics of secure programs is preserved. A limitation of this and other approaches based on secure multi-execution is that there is a fixed set of channels with a fixed security level. However, most web applications create channels dynamically, even by doing something as trivial as adding a button to a page. Moreover, the security level of such new channel would be chosen dynamically. In this work, we overcome the limitation of assuming a fixed set of channels and introduce a model of reactive systems with dynamic channels and present a precise and transparent monitor for it.","PeriodicalId":336079,"journal":{"name":"Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security","volume":"678 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-07-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116106331","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 1
You Sank My Battleship!: A Case Study in Secure Programming 你击沉了我的战舰!:安全编程的案例研究
Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security Pub Date : 2014-07-28 DOI: 10.1145/2637113.2637115
Alley Stoughton, Andrew Johnson, Samuel Beller, Karishma Chadha, Dennis Chen, Kenneth Foner, M. Zhivich
{"title":"You Sank My Battleship!: A Case Study in Secure Programming","authors":"Alley Stoughton, Andrew Johnson, Samuel Beller, Karishma Chadha, Dennis Chen, Kenneth Foner, M. Zhivich","doi":"10.1145/2637113.2637115","DOIUrl":"https://doi.org/10.1145/2637113.2637115","url":null,"abstract":"We report on a case study in secure programming, focusing on the design, implementation and auditing of programs for playing the board game Battleship. We begin by precisely defining the security of Battleship programs, borrowing ideas from theoretical cryptography. We then consider three implementations of Battleship: one in Concurrent ML featuring a trusted referee; one in Haskell/LIO using information flow control to avoid needing a trusted referee; and one in Concurrent ML using access control to avoid needing such a referee. All three implementations employ data abstraction in key ways.","PeriodicalId":336079,"journal":{"name":"Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security","volume":"33 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-07-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121120743","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 7
Operational Semantics for Secure Interoperation 安全互操作的操作语义
Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security Pub Date : 2014-07-28 DOI: 10.1145/2637113.2637118
Adriaan Larmuseau, Marco Patrignani, D. Clarke
{"title":"Operational Semantics for Secure Interoperation","authors":"Adriaan Larmuseau, Marco Patrignani, D. Clarke","doi":"10.1145/2637113.2637118","DOIUrl":"https://doi.org/10.1145/2637113.2637118","url":null,"abstract":"Modern software systems are commonly programmed in multiple languages. Research into the security and correctness of such multi-language programs has generally relied on static methods that check both the individual components as well as the interoperation between them. In practice, however, components are sometimes linked in at run-time through malicious means. In this paper we introduce a technique to specify operational semantics that securely combine an abstraction-rich language with a model of an arbitrary attacker, without relying on any static checks. The resulting operational semantics, instead, lifts a proven memory isolation mechanism into the resulting multi-language system. We establish the security benefits of our technique by proving that the obtained multi-language system preserves and reflects the equivalences of the abstraction-rich language. To that end a notion of bisimilarity for this new type of multi-language system is developed.","PeriodicalId":336079,"journal":{"name":"Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security","volume":"240 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-07-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122699448","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 4
Generalizing Permissive-Upgrade in Dynamic Information Flow Analysis 动态信息流分析中权限升级的概化
Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security Pub Date : 2014-07-28 DOI: 10.1145/2637113.2637116
Abhishek Bichhawat, Vineet Rajani, D. Garg, Christian Hammer
{"title":"Generalizing Permissive-Upgrade in Dynamic Information Flow Analysis","authors":"Abhishek Bichhawat, Vineet Rajani, D. Garg, Christian Hammer","doi":"10.1145/2637113.2637116","DOIUrl":"https://doi.org/10.1145/2637113.2637116","url":null,"abstract":"Preventing implicit information flows by dynamic program analysis requires coarse approximations that result in false positives, because a dynamic monitor sees only the executed trace of the program. One widely deployed method is the no-sensitive-upgrade check, which terminates a program whenever a variable's taint is upgraded (made more sensitive) due to a control dependence on tainted data. Although sound, this method is restrictive, e.g., it terminates the program even if the upgraded variable is never used subsequently. To counter this, Austin and Flanagan introduced the permissive-upgrade check, which allows a variable upgrade due to control dependence, but marks the variable \"partially-leaked\". The program is stopped later if it tries to use the partially-leaked variable. Permissive-upgrade handles the dead-variable assignment problem and remains sound. However, Austin and Flanagan develop permissive-upgrade only for a two-point (low-high) security lattice and indicate a generalization to pointwise products of such lattices. In this paper, we develop a non-trivial and non-obvious generalization of permissive-upgrade to arbitrary lattices. The key difficulty lies in finding a suitable notion of partial leaks that is both sound and permissive and in developing a suitable definition of memory equivalence that allows an inductive proof of soundness.","PeriodicalId":336079,"journal":{"name":"Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security","volume":"94 21 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-07-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129071950","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 26
Building Secure Systems with LIO (Demo) 使用LIO构建安全系统(演示)
Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security Pub Date : 2014-07-28 DOI: 10.1145/2637113.2637121
D. Stefan, David Mazières
{"title":"Building Secure Systems with LIO (Demo)","authors":"D. Stefan, David Mazières","doi":"10.1145/2637113.2637121","DOIUrl":"https://doi.org/10.1145/2637113.2637121","url":null,"abstract":"LIO is an information flow control (IFC) system. In this demo, we give an overview of the Haskell LIO library and show how LIO can be used to build secure systems. In particular, we show how to build secure web applications with high-level data-security policies and describe how LIO automatically enforces these policies.","PeriodicalId":336079,"journal":{"name":"Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security","volume":"127 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-07-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134263891","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Paragon: Programming with Information Flow Control (Demo) 范例:信息流控制编程(演示)
Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security Pub Date : 2014-07-28 DOI: 10.1145/2637113.2637122
Niklas Broberg, B. V. Delft, David Sands
{"title":"Paragon: Programming with Information Flow Control (Demo)","authors":"Niklas Broberg, B. V. Delft, David Sands","doi":"10.1145/2637113.2637122","DOIUrl":"https://doi.org/10.1145/2637113.2637122","url":null,"abstract":"We demonstrate Paragon, a Java-based programming language with integrated information-flow control. We show how the use of information-flow policies combined with encapsulation allows for simple yet powerful and flexible policy libraries tailored to the needs of a particular application or system.","PeriodicalId":336079,"journal":{"name":"Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security","volume":"226 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-07-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114274161","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
To Dream the Impossible Dream: Toward Security Analysis for JavaScript 做不可能的梦:JavaScript的安全分析
Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security Pub Date : 2014-07-28 DOI: 10.1145/2637113.2639514
Julian T Dolby
{"title":"To Dream the Impossible Dream: Toward Security Analysis for JavaScript","authors":"Julian T Dolby","doi":"10.1145/2637113.2639514","DOIUrl":"https://doi.org/10.1145/2637113.2639514","url":null,"abstract":"As the Web becomes the dominant interface to ever more aspects of life, we become ever more dependent upon Web technology to protect our security and privacy. However, the impossible dream refers to the difficulty in ensuring that current Web technology, which is heavily based on JavaScript, actually does this. In this talk, I shall discuss our experience at IBM Research in building static program analysis to check security properties.","PeriodicalId":336079,"journal":{"name":"Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-07-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115472056","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Domain-Polymorphic Programming of Privacy-Preserving Applications 隐私保护应用的域多态规划
Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security Pub Date : 2014-07-28 DOI: 10.1145/2637113.2637119
D. Bogdanov, Peeter Laud, Jaak Randmets
{"title":"Domain-Polymorphic Programming of Privacy-Preserving Applications","authors":"D. Bogdanov, Peeter Laud, Jaak Randmets","doi":"10.1145/2637113.2637119","DOIUrl":"https://doi.org/10.1145/2637113.2637119","url":null,"abstract":"Secure Multi-party Computation (SMC) is seen as one of the main enablers for secure outsourcing of computation. Currently, there are many different SMC techniques (garbled circuits, secret sharing, homomorphic encryption, etc.) and none of them is clearly superior to others in terms of efficiency, security guarantees, ease of implementation, etc. For maximum efficiency, and for obeying the trust policies, a privacy-preserving application may wish to use several different SMC techniques for different operations it performs. A straightforward implementation of this application may result in a program that (i) contains a lot of duplicated code, differing only in the used SMC technique; (ii) is difficult to maintain, if policies or SMC implementations change; and (iii) is difficult to reuse in similar applications using different SMC techniques. In this paper, we propose a programming language called SecreC with associated compilation techniques for simple orchestration of multiple SMC techniques and multiple protection domains. It is a simple imperative language with function calls where the types of data items are annotated with protection domains and where the function declarations may be domain-polymorphic. This allows most of the program code working with private data to be written in a SMC-technique-agnostic manner. It also allows rapid deployment of new SMC techniques and implementations in existing applications. We have implemented the compiler for the language, integrated it with Sharemind SMC framework, and are currently using it for new privacy-preserving applications.","PeriodicalId":336079,"journal":{"name":"Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security","volume":"67 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-07-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134006727","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 49
Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security 第九届安全编程语言与分析研讨会论文集
Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security Pub Date : 1900-01-01 DOI: 10.1145/2637113
Alejandro Russo, Omer Tripp
{"title":"Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security","authors":"Alejandro Russo, Omer Tripp","doi":"10.1145/2637113","DOIUrl":"https://doi.org/10.1145/2637113","url":null,"abstract":"","PeriodicalId":336079,"journal":{"name":"Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security","volume":"127 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125771968","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信