Results 1 - 10 of 39
On flow-sensitive security types
ACM SIGPLAN Notices, Proceedings of POPL 2006, 2006
Cited by 97 (5 self)
Abstract:
This article investigates formal properties of a family of semantically sound flow-sensitive type systems for tracking information flow in simple While programs. The family is indexed by the choice of flow lattice. By choosing the flow lattice to be the powerset of program variables, we obtain a system which, in a very strong sense, subsumes all other systems in the family (in particular, for each program, it provides a principal typing from which all others may be inferred). This distinguished system is shown to be equivalent to, though more simply described than, Amtoft and Banerjee’s Hoare-style independence logic (SAS’04). In general, some lattices are more expressive than others. Despite this, we show that no type system in the family can give better results for a given choice of lattice than the type system for that lattice itself. Finally, for any program typeable in one of these systems, we show how to construct an equivalent program which is typeable in a simple flow-insensitive system. We argue that this general approach could be useful in a proof-carrying-code setting.
A logic for information flow in object-oriented programs
In ACM Symposium on Principles of Programming Languages (POPL), 2006
Cited by 69 (13 self)
Abstract:
This paper specifies, via a Hoare-like logic, an interprocedural and flow-sensitive (but termination-insensitive) information flow analysis for object-oriented programs. Pointer aliasing is ubiquitous in such programs, and can potentially leak confidential information. Thus the logic employs independence assertions to describe the noninterference property that formalizes confidentiality, and employs region assertions to describe possible aliasing. Programmer assertions, in the style of JML, are also allowed, thereby permitting a more fine-grained specification of information flow policy. The logic supports local reasoning about state in the style of separation logic. Small specifications are used; they mention only the variables and addresses relevant to a command. Specifications are combined using a frame rule. An algorithm for the computation of postconditions is described: under certain assumptions, there exists a strongest postcondition which the algorithm computes.
VEX: Vetting Browser Extensions For Security Vulnerabilities
Cited by 42 (0 self)
Abstract:
The browser has become the de facto platform for everyday computation. Among the many potential attacks that target or exploit browsers, vulnerabilities in browser extensions have received relatively little attention. Currently, extensions are vetted by manual inspection, which does not scale well and is subject to human error. In this paper, we present VEX, a framework for highlighting potential security vulnerabilities in browser extensions by applying static information-flow analysis to the JavaScript code used to implement extensions. We describe several patterns of flows as well as unsafe programming practices that may lead to privilege escalations in Firefox extensions. VEX analyzes Firefox extensions for such flow patterns using high-precision, context-sensitive, flow-sensitive static analysis. We analyze thousands of browser extensions, and VEX finds six exploitable vulnerabilities, three of which were previously unknown. VEX also finds hundreds of examples of bad programming practices that may lead to security vulnerabilities. We show that compared to current Mozilla extension review tools, VEX greatly reduces the human burden for manually vetting extensions when looking for key types of dangerous flows.
Super-Sticky and Declassifiable Release Policies for Flexible Information Dissemination Control
Cited by 12 (0 self)
Abstract:
Over the years, many aspects of the transfer of information from one party to another have commanded the attention of the security and privacy community. Released information can have various levels of sensitivity: facts that are public, sensitive private information that requires its original owner’s permission for its future dissemination, or even information that requires control over the release of the conclusions reached using that information. Some situations also call for declassification of information, which requires a two-pronged approach: the original owner retains control over the dissemination of sensitive information and sensitive conclusions reached using that information, but when the information is used to reach conclusions that are sufficiently non-sensitive, the original owner’s control can be removed for the dissemination of those conclusions. In this paper, we define such a logic to specify information dissemination control policies and reason about release and declassification, and give case studies of the use of our language to control the release of aggregated open source software, multimedia content and medical information.
CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks
Cited by 14 (0 self)
Abstract:
SQL injection attacks are one of the topmost threats for applications written for the Web. These attacks are launched through specially crafted user inputs, on web applications that use low level string operations to construct SQL queries. In this work, we exhibit a novel and powerful scheme for automatically transforming web applications to render them safe against all SQL injection attacks. A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and detect attacks by comparing it against the structure of the actual query issued. We propose a simple and novel mechanism, called Candid, for mining programmer intended queries by dynamically evaluating runs over benign candidate inputs. This mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic query computed on a program run. Our approach has been implemented in a tool called Candid that retrofits Web applications written in Java to defend them against SQL injection attacks. We have also implemented Candid by modifying a Java Virtual Machine, which safeguards applications without requiring retrofitting. We report extensive experimental results that show that our approach performs remarkably well in practice.
Approved for External Publication
Abstract:
Network security administrators cannot always accurately tell which end-to-end accesses are permitted within their network, and which ones are not. The problem is that every access is determined by the configurations of multiple, separately administered, components along a path. Furthermore, configurations evolve over time, and a small change in one configuration file can have widespread impact on the end-to-end accesses. Short of exhaustive testing, which is prohibitively time consuming and impractical, there are no good solutions to analyze end-to-end flows from network configurations. This paper presents a technique to analyze all the end-to-end accesses from the configuration files of network routers and firewalls. The contributions of this paper are to engineer solutions for real network instances that are based on (i) generic templates for network components and (ii) a more general treatment of firewalls, including ways to deal with certain state-dependent filter rules, and (iii) efficient generation of firewall access control rules to meet desired end-to-end flow requirements. Our goal is to help network security engineers and operators quickly determine configuration errors that may cause unexpected access behavior.
A logic for information flow analysis with an application to forward slicing of simple imperative programs
Science of Computer Programming, Special Issue of SAS, 2004
Cited by 12 (4 self)
Abstract:
We specify an information flow analysis for a simple imperative language, using a Hoare-like logic. The logic facilitates static checking of a larger class of programs than can be checked by extant type-based approaches in which a program is deemed interpretation of program traces that makes independence between program variables explicit. Unlike other, more precise, approaches based on Hoare logics, our approach does not require a theorem prover to generate invariants. We demonstrate the modularity of our approach by showing that a frame rule holds in our logic. Finally, we show how our logic can be applied to a program transformation, namely, forward slicing: given a derivation of a program in the logic, with the information that variable l is independent of variable h, the slicing transformation systematically creates the forward l-slice of the program: the slice contains all the commands independent of h. We show that the slicing transformation is semantics preserving.
A trust management approach for flexible policy management in security-typed languages
http://elephant.cs.uiuc.edu/ sbandha2/publications/ccs07.pdf
Cited by 8 (0 self)
Abstract:
Early work on security-typed languages required that legal information flows be defined statically. More recently, techniques have been introduced that relax these assumptions and allow policies to change at run-time. For example, the Rx language uses a policy language based on RT, a trust management framework for representing authorization policies. While Rx made significant strides toward the goal of allowing policy updates in security-typed languages, in this paper we observe that certain design choices of Rx violate the privacy and autonomy requirements of principals in trust management systems, thus making decentralized control over information difficult. To address these problems, we propose RTI, a new security-typed language. In addition to avoiding prior pitfalls, RTI’s most distinguishing characteristic is that it supports fine-grained specification of security for dynamic policy. We also provide a proof of noninterference for RTI.
Extensive Review of SQLIA's Detection and Prevention Techniques
Abstract:
Security of web applications is becoming one of the major concerns today. As per our survey 70% of web applications over the internet are vulnerable to SQL injection attacks (SQLIA's). SQL injection attacks pose a serious security threat to these databases and web applications. Through SQLIA's attackers gain unrestricted access to the databases of applications and potentially sensitive information. Many methods to address this problem have been proposed in the literature, some having the scope for extension. Methods employ only a subset of the prevention and detection techniques. An extensive survey was done to review and uncover these issues. The paper strongly focuses on the review work of SQL injection attacks and their detection and prevention approaches known to date. This paper elaborates the survey done for 30 techniques and the attacks they can withstand. An in-depth study of the techniques and their performance against SQLIA's is focused on in the paper. Also for each strategy its strengths and weaknesses are addressed along with comparative analysis.
A Logic for Information Flow Analysis of Pointer Programs
2005
Cited by 5 (1 self)
Abstract:
This paper specifies a nontermination-insensitive, interprocedural, information flow analysis for object-oriented programs via a Hoare-like logic. Pointer aliasing is ubiquitous in such programs, and can potentially leak confidential information. Therefore, assertions in the logic not only describe the noninterference property that formalizes confidentiality, but also describe aliasing properties. The representation of noninterference in assertions makes explicit the independences between variables and addresses. The logic is flow-sensitive and can deem secure more programs than extant type-based information flow analyses. Modular