Hybrid static-runtime information flow and declassification enforcement

B. Pontes Soares Rocha, M. Conti, S. Etalle, B. Crispo

Onderzoeksoutput: Bijdrage aan tijdschriftTijdschriftartikelAcademicpeer review

27 Citaten (Scopus)
1 Downloads (Pure)

Samenvatting

There are different paradigms for enforcing information flow and declassification policies. These approaches can be divided into static analyzers and runtime enforcers. Each class has its own strengths and weaknesses, each being able to enforce a different set of policies. In this paper we introduce a hybrid staticruntime enforcement mechanism that works on unannotated program code and supports information-flow control, as well as declassification policies. Our approach manages to enforce realistic policies, as shown by our three running examples, all within the context of a mobile device application, which cannot be handled separately by static or runtime approaches, and are also not covered by current access control models of mobile platforms such as Android or iOS. We also show that including an intermediate step (called pre-load check) makes both the static analysis system independent (in terms of security labels) and the runtime enforcer lightweight. Finally, we implement our runtime enforcer and run experiments that show that its overhead is so low that the approach can be rolled out on current mobile systems. Keywords: Data security, information security.
Originele taal-2Engels
Pagina's (van-tot)1294-1305
TijdschriftIEEE Transactions on Information Forensics and Security
Volume8
Nummer van het tijdschrift8
DOI's
StatusGepubliceerd - 2013

Vingerafdruk

Duik in de onderzoeksthema's van 'Hybrid static-runtime information flow and declassification enforcement'. Samen vormen ze een unieke vingerafdruk.

Citeer dit