Programming languages and program analysis for security

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Programming languages and program analysis for security: a three-year retrospective

Full text

Pdf (206 KB)

Source

ACM SIGPLAN Notices archive
Volume 43 , Issue 12 (December 2008) table of contents

COLUMN: PLAS 2008 table of contents

Pages 32-39

Year of Publication: 2009

ISSN:0362-1340

Authors

Marco Pistoia	IBM T. J. Watson Research Center
Úlfar Erlingsson	Reykjavík University

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 44, Downloads (12 Months): 324, Citation Count: 0

Additional Information:

abstract references index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1513443.1513449 What is a DOI?

ABSTRACT

Software security has been traditionally enforced at the level of operating systems. However, operating systems have become increasingly large and complex, and it is very difficult--if not impossible--to enforce software security solely through them. Moreover, operating-system security allows dealing primarily with access-control policies on resources such as files and network connections. However, attacks may happen at both lower and higher levels of abstraction, and may target the internal behavior of applications, such as today's Web-based applications. Therefore, defenses must offer protection at the level of applications. Language-based security is the area of research that studies how to enforce application-level security using programming-language and program-analysis techniques. This area of research has become very active with the advent of Web applications. In 2006, the ACM SIGPLAN has introduced a new yearly forum entirely dedicated to the discussion of language-based-security research: Programming Languages and Analysis for Security (PLAS). This paper is a three-year survey of PLAS papers that discusses the progress made in the area of language-based security.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Martin Abadi , Phillip Rogaway, Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption), Journal of Cryptology, v.20 n.3, p.395-395, July 2007 [doi>10.1007/s00145-007-0203-0]
	2	Torben Amtoft , Sruthi Bandhakavi , Anindya Banerjee, A logic for information flow in object-oriented programs, Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.91-102, January 11-13, 2006, Charleston, South Carolina, USA
	3	Aslan Askarov , Andrei Sabelfeld, Localized delimited release: combining the what and where dimensions of information release, Proceedings of the 2007 workshop on Programming languages and analysis for security, June 14-14, 2007, San Diego, California, USA [doi>10.1145/1255329.1255339]
	4	Anindya Banerjee , David A. Naumann , Stan Rosenberg, Towards a logical account of declassification, Proceedings of the 2007 workshop on Programming languages and analysis for security, June 14-14, 2007, San Diego, California, USA [doi>10.1145/1255329.1255340]
	5	Han Chen , Pasquale Malacaria, Quantitative analysis of leakage for multi-threaded programs, Proceedings of the 2007 workshop on Programming languages and analysis for security, June 14-14, 2007, San Diego, California, USA [doi>10.1145/1255329.1255335]
	6	Dorothy E. Denning, A lattice model of secure information flow, Communications of the ACM, v.19 n.5, p.236-243, May 1976 [doi>10.1145/360051.360056]
	7	Dorothy E. Denning , Peter J. Denning, Certification of programs for secure information flow, Communications of the ACM, v.20 n.7, p.504-513, July 1977 [doi>10.1145/359636.359712]
	8	Eclipse Project, http://www.eclipse.org.
	9	Ulfar Erlingsson , Fred B. Schneider, The inlined reference monitor approach to security policy enforcement, Cornell University, Ithaca, NY, 2004
	10	Riccardo Focardi , Matteo Centenaro, Information flow security of multi-threaded distributed programs, Proceedings of the third ACM SIGPLAN workshop on Programming languages and analysis for security, June 07-13, 2008, Tucson, AZ, USA [doi>10.1145/1375696.1375711]
	11	Cédric Fournet , Andrew D. Gordon, Stack inspection: Theory and variants, ACM Transactions on Programming Languages and Systems (TOPLAS), v.25 n.3, p.360-399, May 2003 [doi>10.1145/641909.641912]
	12	Timothy Fraser , Nick L. Petroni, Jr. , William A. Arbaugh, Applying flow-sensitive CQUAL to verify MINIX authorization check placement, Proceedings of the 2006 workshop on Programming languages and analysis for security, June 10-10, 2006, Ottawa, Ontario, Canada [doi>10.1145/1134744.1134747]
	13	Adam Freeman , Allen Jones , John Osborn, Programming .NET Security, O'Reilly & Associates, Inc., Sebastopol, CA, 2003
	14	Vinod Ganapathy , David King , Trent Jaeger , Somesh Jha, Mining Security-Sensitive Operations in Legacy Code Using Concept Analysis, Proceedings of the 29th international conference on Software Engineering, p.458-467, May 20-26, 2007 [doi>10.1109/ICSE.2007.54]
	15	Joseph A. Goguen and José Meseguer. Security Policies and Security Models. In 1982 IEEE Symposium on Security and Privacy, pages 11--20, Oakland, CA, USA, May 1982. IEEE Computer Society Press.
	16	Li Gong , Marianne Mueller , Hemma Prafullchandra , Roland Schemers, Going beyond the sandbox: an overview of the new security architecture in the java^TM development Kit 1.2, Proceedings of the USENIX Symposium on Internet Technologies and Systems on USENIX Symposium on Internet Technologies and Systems, p.10-10, December 08-11, 1997, Monterey, California
	17	Kevin W. Hamlen , Micah Jones, Aspect-oriented in-lined reference monitors, Proceedings of the third ACM SIGPLAN workshop on Programming languages and analysis for security, June 07-13, 2008, Tucson, AZ, USA [doi>10.1145/1375696.1375699]
	18	Kevin W. Hamlen , Greg Morrisett , Fred B. Schneider, Certified In-lined Reference Monitoring on .NET, Proceedings of the 2006 workshop on Programming languages and analysis for security, June 10-10, 2006, Ottawa, Ontario, Canada [doi>10.1145/1134744.1134748]
	19	Christian Hammer , Rüdiger Schaade , Gregor Snelting, Static path conditions for Java, Proceedings of the third ACM SIGPLAN workshop on Programming languages and analysis for security, June 07-13, 2008, Tucson, AZ, USA [doi>10.1145/1375696.1375704]
	20	Boniface Hicks , Dave King , Patrick McDaniel, Jifclipse: development tools for security-typed languages, Proceedings of the 2007 workshop on Programming languages and analysis for security, June 14-14, 2007, San Diego, California, USA [doi>10.1145/1255329.1255331]
	21	Boniface Hicks , Dave King , Patrick McDaniel , Michael Hicks, Trusted declassification:: high-level policy for a security-typed language, Proceedings of the 2006 workshop on Programming languages and analysis for security, June 10-10, 2006, Ottawa, Ontario, Canada [doi>10.1145/1134744.1134757]
	22	Katia Hristova , Tom Rothamel , Yanhong A. Liu , Scott D. Stoller, Efficient type inference for secure information flow, Proceedings of the 2006 workshop on Programming languages and analysis for security, June 10-10, 2006, Ottawa, Ontario, Canada [doi>10.1145/1134744.1134759]
	23	Daniel Jackson, Alloy: a lightweight object modelling notation, ACM Transactions on Software Engineering and Methodology (TOSEM), v.11 n.2, p.256-290, April 2002 [doi>10.1145/505145.505149]
	24	Nenad Jovanovic , Christopher Kruegel , Engin Kirda, Precise alias analysis for static detection of web application vulnerabilities, Proceedings of the 2006 workshop on Programming languages and analysis for security, June 10-10, 2006, Ottawa, Ontario, Canada [doi>10.1145/1134744.1134751]
	25	Larry Koved , Marco Pistoia , Aaron Kershenbaum, Access rights analysis for Java, Proceedings of the 17th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications, November 04-08, 2002, Seattle, Washington, USA
	26	Charlie Lai , Li Gong , Larry Koved , Anthony Nadalin , Roland Schemers, User Authentication and Authorization in the Java(tm) Platform, Proceedings of the 15th Annual Computer Security Applications Conference, p.285, December 06-10, 1999
	27	V. Benjamin Livshits , Monica S. Lam, Finding security vulnerabilities in java applications with static analysis, Proceedings of the 14th conference on USENIX Security Symposium, p.18-18, July 31-August 05, 2005, Baltimore, MD
	28	Benjamin Livshits , Úlfar Erlingsson, Using web application construction frameworks to protect against code injection attacks, Proceedings of the 2007 workshop on Programming languages and analysis for security, June 14-14, 2007, San Diego, California, USA [doi>10.1145/1255329.1255346]
	29	Pasquale Malacaria , Han Chen, Lagrange multipliers and maximum information leakage in different observational models, Proceedings of the third ACM SIGPLAN workshop on Programming languages and analysis for security, June 07-13, 2008, Tucson, AZ, USA [doi>10.1145/1375696.1375713]
	30	Stephen McCamant , Michael D. Ernst, A simulation-based proof technique for dynamic information flow, Proceedings of the 2007 workshop on Programming languages and analysis for security, June 14-14, 2007, San Diego, California, USA [doi>10.1145/1255329.1255336]
	31	Stephen McCamant , Michael D. Ernst, Quantitative information flow as network flow capacity, Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation, June 07-13, 2008, Tucson, AZ, USA
	32	Gary McGraw , Edward W. Felten, Securing Java: getting down to business with mobile code, John Wiley & Sons, Inc., New York, NY, 1999
	33	Andrew C. Myers, JFlow: practical mostly-static information flow control, Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.228-241, January 20-22, 1999, San Antonio, Texas, United States [doi>10.1145/292540.292561]
	34	Janus Dam Nielsen , Michael I. Schwartzbach, A domain-specific programming language for secure multiparty computation, Proceedings of the 2007 workshop on Programming languages and analysis for security, June 14-14, 2007, San Diego, California, USA [doi>10.1145/1255329.1255333]
	35	Open Web Application Security Project (OWASP), http://www.owasp.org.
	36	Marco Pistoia , Anindya Banerjee , David A. Naumann, Beyond Stack Inspection: A Unified Access-Control and Information-Flow Security Model, Proceedings of the 2007 IEEE Symposium on Security and Privacy, p.149-163, May 20-23, 2007 [doi>10.1109/SP.2007.10]
	37	Marco Pistoia , Stephen J. Fink , Robert J. Flynn , Eran Yahav, When Role Models Have Flaws: Static Validation of Enterprise Security Policies, Proceedings of the 29th international conference on Software Engineering, p.478-488, May 20-26, 2007 [doi>10.1109/ICSE.2007.98]
	38	Marco Pistoia , Deepak Gupta , Duane F. Reller , Milind Nagnur , Ashok K. Ramani, Java 2 Network Security, Prentice Hall PTR, Upper Saddle River, NJ, 1999
	39	Andrei Sabelfeld , David Sands, Probabilistic Noninterference for Multi-Threaded Programs, Proceedings of the 13th IEEE workshop on Computer Security Foundations, p.200, July 03-05, 2000
	40	Andrei Sabelfeld , David Sands, Dimensions and Principles of Declassification, Proceedings of the 18th IEEE workshop on Computer Security Foundations, p.255-269, June 20-22, 2005 [doi>10.1109/CSFW.2005.15]
	41	Jerome H. Saltzer and Michael D. Schroeder. The Protection of Information in Computer Systems. Proceedings of the IEEE, 63(9):1278--1308, September 1975.
	42	Fred B. Schneider, Enforceable security policies, ACM Transactions on Information and System Security (TISSEC), v.3 n.1, p.30-50, Feb. 2000 [doi>10.1145/353323.353382]
	43	Alan B. Shaffer , Mikhail Auguston , Cynthia E. Irvine , Timothy E. Levin, A security domain model to assess software for exploitable covert channels, Proceedings of the third ACM SIGPLAN workshop on Programming languages and analysis for security, June 07-13, 2008, Tucson, AZ, USA [doi>10.1145/1375696.1375703]
	44	Scott F. Smith , Mark Thober, Refactoring programs to secure information flows, Proceedings of the 2006 workshop on Programming languages and analysis for security, June 10-10, 2006, Ottawa, Ontario, Canada [doi>10.1145/1134744.1134758]
	45	Scott F. Smith , Mark Thober, Improving usability of information flow security in java, Proceedings of the 2007 workshop on Programming languages and analysis for security, June 14-14, 2007, San Diego, California, USA [doi>10.1145/1255329.1255332]
	46	Nikhil Swamy , Brian J. Corcoran , Michael Hicks, Fable: A Language for Enforcing User-defined Security Policies, Proceedings of the 2008 IEEE Symposium on Security and Privacy, p.369-383, May 18-21, 2008 [doi>10.1109/SP.2008.29]
	47	Nikhil Swamy , Michael Hicks, Verified enforcement of stateful information release policies, Proceedings of the third ACM SIGPLAN workshop on Programming languages and analysis for security, June 07-13, 2008, Tucson, AZ, USA [doi>10.1145/1375696.1375700]
	48	Hiroshi Unno , Naoki Kobayashi , Akinori Yonezawa, Combining type-based analysis and model checking for finding counterexamples against non-interference, Proceedings of the 2006 workshop on Programming languages and analysis for security, June 10-10, 2006, Ottawa, Ontario, Canada [doi>10.1145/1134744.1134750]
	49	Dennis Volpano , Cynthia Irvine , Geoffrey Smith, A sound type system for secure flow analysis, Journal of Computer Security, v.4 n.2-3, p.167-187, Jan. 1996
	50	Gary Wassermann , Zhendong Su, Sound and precise analysis of web applications for injection vulnerabilities, Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation, June 10-13, 2007, San Diego, California, USA
	51	Gary Wassermann , Zhendong Su, Static detection of cross-site scripting vulnerabilities, Proceedings of the 30th international conference on Software engineering, May 10-18, 2008, Leipzig, Germany [doi>10.1145/1368088.1368112]
	52	Xiaolan Zhang , Antony Edwards , Trent Jaeger, Using CQUAL for Static Analysis of Authorization Hook Placement, Proceedings of the 11th USENIX Security Symposium, p.33-48, August 05-09, 2002
	53	Lantian Zheng , Andrew C. Myers, Securing nonintrusive web encryption through information flow, Proceedings of the third ACM SIGPLAN workshop on Programming languages and analysis for security, June 07-13, 2008, Tucson, AZ, USA [doi>10.1145/1375696.1375712]