Information-flow technology is a promising approach for ensuring security by design and construction. When tracking information flow, of particular concern are implicit flows, i.e., flows through control flow when computation branches on secret data and performs publicly observed side effects depending on which branch is taken.
The large body of literature exercises two extreme views on implicit flows: either track them (striving to show that there are no leaks, and often running into the problem of complex enforcement mechanisms and false alarms), or not track them (which reduces false alarms, but provides weak or no security guarantees).
This paper distinguishes between malicious and nonmalicious code. An attacker may exploit implicit flows in malicious code, so they must be tracked; we show how this can be done with a security type system and with a monitor. For nonmalicious code, we explore a middle ground between the two extremes: we observe that implicit flows in such code are often harmless, in that they cannot be exploited to leak secrets efficiently. Building on this observation, we guarantee strong information-flow properties with a combination of an explicit-flow analysis and a graph-pattern analysis. Initial studies of industrial code (secure logging and data sanitization) suggest that our approach has the potential to offer the desired combination of a lightweight analysis, strong security guarantees, and no excessive false alarms.
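As an added illustration (not code from the paper), a toy monitor for a small imperative language that tracks explicit flows by label propagation and stops implicit flows with the no-sensitive-upgrade rule: a low variable may not be written while control depends on a secret. The language, its tuple-based AST encoding and the `check` helper are assumptions made here, not the paper's formalism.

```python
# Toy dynamic information-flow monitor (added example, not the paper's monitor).
# Labels: H = secret, L = public. The pc label records whether control currently
# depends on secret data (i.e. whether we are inside a branch on a secret).
H, L = "H", "L"

def join(a, b):
    return H if H in (a, b) else L

class Blocked(Exception):
    """Raised when the monitor stops an insecure flow."""

def eval_expr(e, env, lab):
    """Expressions: int literal, variable name, or ('op', a, b). Returns (value, label)."""
    if isinstance(e, int):
        return e, L
    if isinstance(e, str):
        return env[e], lab[e]
    op, a, b = e
    va, la = eval_expr(a, env, lab)
    vb, lb = eval_expr(b, env, lab)
    ops = {"+": lambda x, y: x + y, "==": lambda x, y: int(x == y), ">": lambda x, y: int(x > y)}
    return ops[op](va, vb), join(la, lb)   # explicit flow: result carries both labels

def run(prog, env, lab, pc=L, out=None):
    """Statements: ('assign', x, e), ('if', e, then, else_), ('seq', [...]), ('output', e)."""
    if out is None:
        out = []
    kind = prog[0]
    if kind == "seq":
        for s in prog[1]:
            run(s, env, lab, pc, out)
    elif kind == "assign":
        _, x, e = prog
        v, l = eval_expr(e, env, lab)
        if pc == H and lab.get(x, L) == L:
            # No-sensitive-upgrade: writing a public variable inside a secret branch
            # would let the branch taken (one bit of the secret) be observed publicly.
            raise Blocked(f"implicit flow: public variable {x} written under a secret branch")
        env[x] = v
        lab[x] = join(l, pc)
    elif kind == "if":
        _, e, then, else_ = prog
        v, l = eval_expr(e, env, lab)
        run(then if v else else_, env, lab, join(pc, l), out)   # raise pc on secret guard
    elif kind == "output":
        v, l = eval_expr(prog[1], env, lab)
        if join(l, pc) == H:
            raise Blocked("secret value sent to the public channel")
        out.append(v)
    return out

def check(prog, env, lab):
    """Run prog under the monitor; return ('ok', outputs) or ('blocked', reason)."""
    try:
        return "ok", run(prog, dict(env), dict(lab))
    except Blocked as ex:
        return "blocked", str(ex)
```

`check` on `if h then l := 1 else l := 0; output l` is blocked on either branch, `l := h; output l` is blocked at the output, and a program that only computes on public data runs normally.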
IOS Press, Inc.