Implicit flows in malicious and nonmalicious code
Paper in proceedings, 2009
Information-flow technology is a promising approach for ensuring security
by design and construction. When tracking information flow, of particular concern
are implicit flows, i.e., flows through control flow that arise when a computation
branches on secret data and performs publicly observable side effects depending on
which branch is taken.
The large body of literature takes one of two extreme views on implicit flows: either
track them (striving to show that there are no leaks, often at the cost of complex
enforcement mechanisms and false alarms), or do not track them (which reduces false
alarms but provides weak or no security guarantees).
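As an added illustration (example code written for this page, not an implementation from the paper), the following toy monitor for a small while-language with two labels, L (public) and H (secret), shows what separates the two extremes. Run with explicit-flow checks only, it lets a loop that branches on each bit of the secret copy the whole secret to a public output one bit per iteration; with the program-counter (pc) label tracked, the same loop is rejected at the first public assignment made under a secret-dependent branch. The language, the label assignment, the sample secret and the two programs are all constructed for this example.

```python
"""Toy information-flow monitor: explicit-flow-only versus pc-tracking.

Constructed example for this page; not the paper's enforcement mechanism.
Statements and expressions are nested tuples; labels are "L" or "H".
"""


class IllegalFlow(Exception):
    """Raised when the monitor rejects a flow from H to L."""


def join(a, b):
    return "H" if "H" in (a, b) else "L"


OPS = {
    "+": lambda a, b: a + b,
    "&": lambda a, b: a & b,
    ">>": lambda a, b: a >> b,
    "==": lambda a, b: int(a == b),
    "<": lambda a, b: int(a < b),
}


def eval_expr(e, store, labels):
    """Return (value, label); the label is the join of all operand labels."""
    if e[0] == "const":
        return e[1], "L"
    if e[0] == "var":
        return store[e[1]], labels[e[1]]
    _, op, left, right = e
    lv, ll = eval_expr(left, store, labels)
    rv, rl = eval_expr(right, store, labels)
    return OPS[op](lv, rv), join(ll, rl)


def run(prog, store, labels, track_implicit=True):
    """Execute prog and return the list of public outputs.

    With track_implicit=False only the label of the assigned/output value is
    checked (explicit flows).  With track_implicit=True the pc label of the
    enclosing branches is joined in, so public side effects under a secret
    guard are rejected (implicit flows).
    """
    outputs = []

    def context(lbl, pc):
        return join(lbl, pc) if track_implicit else lbl

    def exec_stmt(s, pc):
        kind = s[0]
        if kind == "seq":
            for st in s[1]:
                exec_stmt(st, pc)
        elif kind == "assign":
            _, x, e = s
            v, lbl = eval_expr(e, store, labels)
            if labels[x] == "L" and context(lbl, pc) == "H":
                raise IllegalFlow(f"assignment to public {x} depends on secret")
            store[x] = v
        elif kind == "output":
            v, lbl = eval_expr(s[1], store, labels)
            if context(lbl, pc) == "H":
                raise IllegalFlow("public output depends on secret")
            outputs.append(v)
        elif kind == "if":
            _, cond, then_, else_ = s
            cv, cl = eval_expr(cond, store, labels)
            exec_stmt(then_ if cv else else_, join(pc, cl))  # pc raised to guard label
        elif kind == "while":
            _, cond, body = s
            while True:
                cv, cl = eval_expr(cond, store, labels)
                if not cv:
                    break
                exec_stmt(body, join(pc, cl))
        else:
            raise ValueError(f"unknown statement {kind}")

    exec_stmt(prog, "L")
    return outputs


# Explicit leak: output the secret directly.
EXPLICIT_LEAK = ("output", ("var", "secret"))

# Implicit leak: i = 0; while i < 8: bit = (secret >> i) & 1;
#   if bit == 1: pub = 1 else: pub = 0; output pub; i = i + 1
IMPLICIT_LEAK = ("seq", [
    ("assign", "i", ("const", 0)),
    ("while", ("bin", "<", ("var", "i"), ("const", 8)), ("seq", [
        ("assign", "bit", ("bin", "&", ("bin", ">>", ("var", "secret"), ("var", "i")), ("const", 1))),
        ("if", ("bin", "==", ("var", "bit"), ("const", 1)),
         ("assign", "pub", ("const", 1)),
         ("assign", "pub", ("const", 0))),
        ("output", ("var", "pub")),
        ("assign", "i", ("bin", "+", ("var", "i"), ("const", 1))),
    ])),
])


def attempt(prog, secret, track_implicit):
    """Run prog on a fresh store; return ("allowed", outputs) or ("blocked", reason)."""
    store = {"secret": secret, "i": 0, "bit": 0, "pub": 0}
    labels = {"secret": "H", "i": "L", "bit": "H", "pub": "L"}  # constructed policy
    try:
        return "allowed", run(prog, store, labels, track_implicit)
    except IllegalFlow as exc:
        return "blocked", str(exc)


def reconstruct(bits):
    """What the attacker recovers from the public outputs (LSB first)."""
    return sum(b << i for i, b in enumerate(bits))


if __name__ == "__main__":
    print(attempt(EXPLICIT_LEAK, 178, track_implicit=False))
    print(attempt(IMPLICIT_LEAK, 178, track_implicit=False))
    print(attempt(IMPLICIT_LEAK, 178, track_implicit=True))
```

The explicit-only monitor stops `output secret` but passes the loop, because every value written to `pub` is the public constant 0 or 1; the eight outputs are exactly the bits of the secret, so the leak costs one iteration per bit. The pc-tracking monitor rejects the loop on both branches of the `if`, which is also why such a monitor raises false alarms on benign code that merely logs something under a secret-dependent guard.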
This paper distinguishes between malicious and nonmalicious code. The attacker
may exploit implicit flows with malicious code, and so they should be tracked. We
show how this can be done by a security type system and by a monitor. For nonmalicious
code, we explore a middle ground between the two extremes. We observe that
implicit flows are often harmless in nonmalicious code: they cannot be exploited
to efficiently leak secrets. Exploiting this observation, we guarantee strong information-flow
properties with a combination of explicit-flow and graph-pattern analyses.
Initial studies of industrial code (secure logging and data sanitization) suggest
that our approach has the potential to offer the desired combination of a lightweight
analysis, strong security guarantees, and no excessive false alarms.