Dynamic vs. Static Flow-Sensitive Security Analysis
Paper i proceeding, 2010
This paper seeks to answer fundamental questions
about trade-offs between static and dynamic security
analysis. It has been previously shown that flow-sensitive
static information-flow analysis is a natural
generalization of flow-insensitive static analysis, which
allows accepting more secure programs. It has been
also shown that sound purely dynamic information-flow
enforcement is more permissive than static analysis
in the flow-insensitive case. We argue that the step
from flow-insensitive to flow-sensitive is fundamentally
limited for purely dynamic information-flow controls.
We prove impossibility of a sound purely dynamic
information-flow monitor that accepts programs certified
by a classical flow-sensitive static analysis. A
side implication is impossibility of permissive dynamic
instrumented security semantics for information flow,
which guides us to uncover an unsound semantics from
the literature. We present a general framework for
hybrid mechanisms that is parameterized in the static
part and in the reaction method of the enforcement
(stop, suppress, or rewrite) and give security guarantees
with respect to termination-insensitive noninterference
for a simple language with output.