Thomas Austin, Graduate Student, Computer Science
Friday, August 17, 2012, 9:30 AM to 11:30 AM
Location: Engineering 2, Room 280
Hosted By Cormac Flanagan
The no-sensitive-upgrade check forbids updating public reference cells in a private context, enforced by a runtime monitor. The check can be implemented with minimal performance overhead by using a sparse-labeling strategy, which leaves security labels on data implicit whenever possible. Experimental results demonstrate the efficiency of this approach.
While the no-sensitive-upgrade check is effective, it sometimes rejects valid program executions that do not violate the security property. The permissive-upgrade strategy is a refinement of this approach that still guarantees non-interference, but which accepts strictly more executions. When a public reference cell is updated in a private context, the permissive-upgrade strategy marks the data as partially-leaked rather than terminating execution. Partially leaked data is carefully tracked to avoid leaking private information.
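As an added illustration (not code from the talk or from the speaker's implementation), the following toy monitor in JavaScript runs the same two programs under the no-sensitive-upgrade check and the permissive-upgrade refinement. The label names, the monitor API and the precise treatment of partially leaked cells are assumptions made for this example; the real analyses operate on a full JavaScript semantics.

```javascript
// Added example (not from the talk): a toy information-flow monitor that runs
// programs under the no-sensitive-upgrade (NSU) check or the permissive-upgrade
// refinement. Labels: 'L' public, 'H' private, 'P' partially leaked.
// The handling of 'P' cells below is a simplified assumption.
const RANK = { L: 0, H: 1, P: 2 };
const join = (a, b) => (RANK[a] >= RANK[b] ? a : b);

class Stuck extends Error {}   // thrown when the monitor halts an execution

class Monitor {
  constructor(mode) {
    this.mode = mode;          // 'nsu' or 'permissive'
    this.pc = 'L';             // label of the current control context
    this.cells = new Map();    // reference cells: name -> { value, label }
  }
  declare(name, value, label = 'L') { this.cells.set(name, { value, label }); }
  read(name) { return this.cells.get(name); }

  // Assignment is where the two strategies differ.
  assign(name, v) {
    const cell = this.cells.get(name);
    if (this.pc === 'L') {
      // Public context: the write itself is public, so the cell takes the value's label.
      this.cells.set(name, { value: v.value, label: v.label });
    } else if (cell.label === 'L') {
      // Public cell written in a private context.
      if (this.mode === 'nsu') throw new Stuck(`NSU: private-context write to public cell ${name}`);
      // Permissive upgrade: continue, but mark the cell as partially leaked.
      this.cells.set(name, { value: v.value, label: 'P' });
    } else {
      // Private or partially leaked cell stays at least as restricted as before.
      this.cells.set(name, { value: v.value, label: join(cell.label, 'H') });
    }
  }

  // Branching raises pc to the condition's label. Partially leaked data may
  // never decide control flow, or the leak would become observable.
  branch(cond, thenFn, elseFn = () => {}) {
    if (cond.label === 'P') throw new Stuck('branch on partially leaked value');
    const saved = this.pc;
    this.pc = join(this.pc, cond.label);
    try { (cond.value ? thenFn : elseFn)(); } finally { this.pc = saved; }
  }

  // Only public data may reach a public observer.
  publicOutput(name) {
    const cell = this.cells.get(name);
    if (cell.label !== 'L') throw new Stuck(`public output of ${cell.label}-labelled ${name}`);
    return cell.value;
  }
}

// Classic implicit flow: copies `secret` into public `y` using only control flow.
function copyViaControlFlow(m, secret) {
  m.declare('secret', secret, 'H');
  m.declare('x', true);
  m.declare('y', true);
  m.branch(m.read('secret'), () => m.assign('x', { value: false, label: 'L' }));
  m.branch(m.read('x'), () => m.assign('y', { value: false, label: 'L' }));
  return m.publicOutput('y');
}

// Benign program: a public cell is written in a private context, but the public
// observer never depends on it. NSU rejects it; permissive upgrade accepts it.
function benignUpgrade(m, secret) {
  m.declare('secret', secret, 'H');
  m.declare('x', true);
  m.declare('y', 42);
  m.branch(m.read('secret'), () => m.assign('x', { value: false, label: 'L' }));
  return m.publicOutput('y');
}

// Run a program under a mode; report the public result or why it got stuck.
function run(mode, program, secret) {
  try { return { result: program(new Monitor(mode), secret) }; }
  catch (e) { if (e instanceof Stuck) return { stuck: e.message }; throw e; }
}

for (const mode of ['nsu', 'permissive'])
  for (const secret of [true, false])
    console.log(mode, secret, run(mode, copyViaControlFlow, secret), run(mode, benignUpgrade, secret));
```

Both monitors stop the copy program when `secret` is true; the difference is where: NSU halts at the write to `x`, while permissive upgrade lets the write through, marks `x` as partially leaked, and halts only when `x` is used as a branch condition. The benign program is where permissive upgrade accepts strictly more: the partially leaked cell is never consulted by the public observer, so the run completes.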
The final approach introduces special faceted values, which capture multiple views for a single object. Faceted values simulate multiple executions for different security levels, giving the following benefits:
• Faceted values do not rely on the stuck executions of the no-sensitive-upgrade and permissive-upgrade approaches, and therefore accept strictly more programs than either of the monitor-based approaches.
• Faceted values avoid redundant computations, improving efficiency over related approaches.
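To make the two points above concrete, here is an added toy faceted-value evaluator in JavaScript for a single principal; it is example code written for this page, not the speaker's Firefox implementation. A `Facet` holds two views of one value (what a private observer sees and what a public observer sees); the class names, the `pc` encoding and the use of `undefined` as the public view of a secret are assumptions of this example.

```javascript
// Added example (not from the talk): faceted values for one principal.
// A Facet carries a private view and a public view of a single value.
class Facet {
  constructor(priv, pub) { this.priv = priv; this.pub = pub; }
}
// Only keep a facet when the two views actually differ.
const mkFacet = (priv, pub) => (priv === pub ? priv : new Facet(priv, pub));

// Project a value onto the current view. pc is null (no secret-dependent
// branch in progress), 'priv' or 'pub'.
function view(v, pc) {
  if (!(v instanceof Facet) || pc === null) return v;
  return pc === 'priv' ? v.priv : v.pub;
}

// Binary operations split only when an operand is faceted; otherwise they run once.
function binop(fn, a, b) {
  if (a instanceof Facet || b instanceof Facet)
    return mkFacet(fn(view(a, 'priv'), view(b, 'priv')), fn(view(a, 'pub'), view(b, 'pub')));
  return fn(a, b);
}

class FacetedMachine {
  constructor() { this.pc = null; this.store = new Map(); }
  declare(name, v) { this.store.set(name, v); }
  read(name) { return view(this.store.get(name), this.pc); }

  // Inside a secret-dependent branch a write only updates the matching view;
  // the other view keeps the old value, so no execution ever needs to get stuck.
  assign(name, v) {
    const old = this.store.get(name);
    if (this.pc === null) this.store.set(name, v);
    else if (this.pc === 'priv') this.store.set(name, mkFacet(v, view(old, 'pub')));
    else this.store.set(name, mkFacet(view(old, 'priv'), v));
  }

  runAs(pc, fn) {
    const saved = this.pc;
    this.pc = pc;
    try { fn(); } finally { this.pc = saved; }
  }

  // A branch on a faceted condition simulates both executions; a branch on a
  // plain value runs just once, which is where redundant work is avoided.
  branch(cond, thenFn, elseFn = () => {}) {
    if (cond instanceof Facet) {
      this.runAs('priv', () => (cond.priv ? thenFn : elseFn)());
      this.runAs('pub', () => (cond.pub ? thenFn : elseFn)());
    } else {
      (cond ? thenFn : elseFn)();
    }
  }

  publicView(name) { return view(this.store.get(name), 'pub'); }
  privateView(name) { return view(this.store.get(name), 'priv'); }
}

// The classic implicit-flow program that tries to copy a secret into `y`
// through control flow alone. The secret enters as a facet whose public view
// is undefined (the public observer knows nothing about it).
function runFaceted(secret) {
  const m = new FacetedMachine();
  m.declare('secret', new Facet(secret, undefined));
  m.declare('x', true);
  m.declare('y', true);
  m.branch(m.read('secret'), () => m.assign('x', false));
  m.branch(m.read('x'), () => m.assign('y', false));
  // Arithmetic on a possibly faceted value splits per view as needed.
  m.declare('n', binop((a, b) => a + b, m.read('x'), 1));
  return { publicY: m.publicView('y'), privateY: m.privateView('y'), publicN: m.publicView('n') };
}

console.log(runFaceted(true), runFaceted(false));
```

Whatever the secret is, the public views of `y` and `n` come out the same (`false` and `2`), so the public observer learns nothing; the private view of `y` is what an unmonitored run would have computed. Neither run is rejected, unlike the two monitor-based strategies on the same program, and the branch on `x` when `secret` is false runs only once because `x` never became faceted.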
Finally, we implement faceted values in Firefox and show how they may be used to prevent a variety of attacks.