SNITCH: Dynamic Dependent Information Flow Analysis for Independent Java Bytecode

Eduardo Geraldo
(NOVA LINCS - Faculdade de Ciências e Tecnologia da Universidade Nova de Lisboa)
João Costa Seco
(NOVA LINCS - Faculdade de Ciências e Tecnologia da Universidade Nova de Lisboa)

Software testing is the most commonly used technique in the industry to certify the correctness of software systems. This includes security properties like access control and data confidentiality. However, information flow control and the detection of information leaks using tests is a demanding task without the use of specialized monitoring and assessment tools.

In this paper, we tackle the challenge of dynamically tracking information flow in third-party Java-based applications using dependent information flow control. Dependent security labels increase the expressiveness of traditional information flow control techniques by allowing labels to be parametrized with context-related information, which makes it possible to specify more detailed and fine-grained policies. Instead of the fixed security lattice used in traditional approaches, which defines a fixed set of security compartments, dependent security labels allow for a dynamic lattice that can be extended at runtime, so that new security compartments can be defined using context values.

We present a specification and instrumentation approach for rewriting JVM compiled code with in-lined reference monitors. To illustrate the proposed approach, we use an example and a working prototype, SNITCH. SNITCH operates over the static single assignment language Shimple, an intermediate representation for Java bytecode used in the SOOT framework.
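The following sketch is an added illustration of labels parametrized by context values and of a check placed in-line before a sink; it is not code from the paper or from SNITCH. The class and method names, the label ordering (public below everything, `name(v)` below `name(TOP)`) and the sample data are assumptions made for the example, which requires Java 16 or later for records.

```java
public class DependentLabelDemo {
    // TOP stands for "every context value" of a label family (assumed notation).
    static final Object TOP = new Object() {
        @Override public String toString() { return "TOP"; }
    };

    // A dependent label name(param), e.g. user("alice"); param is a runtime value.
    record Label(String name, Object param) {
        static final Label PUBLIC = new Label("public", null);

        // Assumed ordering: public <= l, l <= l, name(v) <= name(TOP).
        boolean flowsTo(Label to) {
            if (equals(PUBLIC) || equals(to)) return true;
            return name.equals(to.name) && to.param == TOP;
        }

        // Least upper bound of two labels under that ordering.
        Label join(Label other) {
            if (flowsTo(other)) return other;
            if (other.flowsTo(this)) return this;
            if (name.equals(other.name)) return new Label(name, TOP);
            throw new IllegalStateException("join not modelled: " + this + ", " + other);
        }
    }

    // A value carrying its label; derived values take the join of their inputs.
    record Tagged(String value, Label label) {
        Tagged concat(Tagged other) {
            return new Tagged(value + other.value, label.join(other.label));
        }
    }

    // The kind of check a monitor would place in-line before a sink call.
    static boolean send(Tagged data, String recipient) {
        Label sink = new Label("user", recipient); // compartment made from a context value
        boolean ok = data.label().flowsTo(sink);
        System.out.println((ok ? "ALLOW " : "BLOCK ") + data.label() + " -> " + sink);
        return ok;
    }

    public static void main(String[] args) {
        // Constructed sample data; the user ids play the role of context values.
        Tagged banner = new Tagged("Contact: ", Label.PUBLIC);
        Tagged alice = new Tagged("alice@example.org", new Label("user", "alice"));
        Tagged bob = new Tagged("bob@example.org", new Label("user", "bob"));
        send(banner.concat(alice), "alice"); // public joined with user(alice)
        send(alice, "bob");                  // user(alice) into bob's compartment
        send(alice.concat(bob), "alice");    // mixed data carries user(TOP)
    }
}
```

No compartment is declared ahead of time: each `user(...)` label comes into existence when a new id appears, which is the runtime extension of the lattice that the abstract describes.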

In Davide Ancona and Gordon Pace: Proceedings of the Second Workshop on Verification of Objects at RunTime EXecution (VORTEX 2018), Amsterdam, Netherlands, 17th July 2018, Electronic Proceedings in Theoretical Computer Science 302, pp. 16–31.
Published: 27th August 2019.

ArXived at: http://dx.doi.org/10.4204/EPTCS.302.2