Information-Flow Tracking for Dynamic Languages
Licentiate thesis, 2013

This thesis explores information-flow tracking technologies and their applicability to industrial-scale dynamic programming languages. We aim to narrow the gap between the need for flexibility in current dynamic languages and the solid, well-studied mechanisms from academia. Instead of translating perfectly sound theoretical results into a practical implementation, this thesis starts from practical problems found in dynamic languages and then looks for the academic support to tackle them. We investigate the compromise between security and flexibility for protecting confidentiality and integrity. Furthermore, using purely dynamic techniques, we implement our ideas to demonstrate their practicability. On the integrity protection side, a taint mode for Python has been implemented. Thanks to the flexibility of this language, the implementation is shipped as a library, allowing it to be used in Cloud Computing environments. On the confidentiality side, two works are presented which differ in their security property. On the one hand, a dynamic dependency analysis is suggested as an alternative to flow-sensitive monitors. By relaxing the ambition of blocking every possible leak, we improve permissiveness, even for programming languages that support dynamic evaluation (such as the eval construct). On the other hand, a full JavaScript monitor was developed to enforce non-interference in the complex scenario of the web. This implementation allows us to explore the scalability boundaries of dynamic information-flow enforcement.

information security

information integrity

dependency analysis

information confidentiality

information flow

privacy

EB, ED&IT building, Rännvägen 6B, Chalmers University of Technology
Opponent: Dr. Marco Pistoia, IBM Research Center, Yorktown Heights, NY, USA.

Author

Luciano Bello

Chalmers, Computer Science and Engineering

Towards a Taint Mode for Cloud Computing Web Application

7th Workshop on Programming Languages and Analysis for Security (2012), p. 7:1--7:12

Paper in proceedings

Areas of Advance

Information and Communication Technology

Roots

Basic sciences

Subject Categories

Software Engineering

Computer Science

Technical report L - Department of Computer Science and Engineering, Chalmers University of Technology and Göteborg University: 104L
