There are different paradigms for enforcing information flow and declassification policies. These approaches can be divided into static analyzers and runtime enforcers. Each class has its own strengths and weaknesses, each being able to enforce a different set of policies. In this paper, we introduce a hybrid static-runtime enforcement mechanism that works on unannotated program code and supports information-flow control, as well as declassification policies. Our approach manages to enforce realistic policies, as shown by our three running examples, all within the context of a mobile device application, which cannot be handled separately by static or runtime approaches, and are also not covered by current access control models of mobile platforms such as Android or iOS. We also show that including an intermediate step (called preload check) makes both the static analysis system independent (in terms of security labels) and the runtime enforcer lightweight. Finally, we implement our runtime enforcer and run experiments that show that its overhead is so low that the approach can be rolled out on current mobile systems.
Scheda prodotto non validato
I dati visualizzati non sono stati ancora sottoposti a validazione formale da parte dello Staff di IRIS, ma sono stati ugualmente trasmessi al Sito Docente Cineca (Loginmiur).
|Titolo:||Hybrid Static-Runtime Information Flow and Declassification Enforcement.|
|Autori:||B. P. S. Rocha; M. Conti; S. Etalle; B. Crispo|
|Titolo del periodico:||IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY|
|Anno di pubblicazione:||2013|
|Numero e parte del fascicolo:||8|
|Codice identificativo Scopus:||2-s2.0-84880684939|
|Codice identificativo ISI:||WOS:000322026900004|
|Digital Object Identifier (DOI):||10.1109/TIFS.2013.2267798|
|Appare nelle tipologie:||03.1 Articolo su rivista (Journal article)|