Practical End-to-End Analysis of Information Flow Security Policies- [electronic resource]
- Material Type
- Dissertation
- Control Number
- 0016934667
- International Standard Book Number
- 9798380169004
- Dewey Decimal Classification Number
- 004
- Main Entry-Personal Name
- Cassel, Darion.
- Publication, Distribution, etc. (Imprint)
- [S.l.] : Carnegie Mellon University., 2023
- Publication, Distribution, etc. (Imprint)
- Ann Arbor : ProQuest Dissertations & Theses, 2023
- Physical Description
- 1 online resource(257 p.)
- General Note
- Source: Dissertations Abstracts International, Volume: 85-03, Section: B.
- General Note
- Advisor: Jia, Limin.
- Dissertation Note
- Thesis (Ph.D.)--Carnegie Mellon University, 2023.
- Restrictions on Access Note
- This item must not be sold to any third party vendors.
- Summary, Etc.
- C and JavaScript are widely-used languages for writing security-sensitive software, despite their inherent security issues. The widespread deployment of these languages makes them attractive targets for attackers; vulnerabilities in C programs remain common and recent years have seen a surge in attacks that target web page scripts and Node.js packages. Several types of vulnerabilities in these programs can be expressed as violations of information flow policies that specify the confidentiality and integrity of program data, or required sequences of declassification and endorsement. Prior work has proposed analysis techniques for C and JavaScript to check these policies, but a practical end-to-end analysis pipeline, applicable to real programs, requires additional solutions that enable precise, scalable analysis that minimizes manual effort. In this thesis, we develop a set of information flow policy-based modeling and analysis methodologies for checking security-sensitive software, including C cryptographic libraries, server-side Node.js applications, and website scripts. We build tools that help analysts specify and precisely check security policies on their software, without requiring manually-crafted test drivers, with reduced manual tuning to ensure analysis tractability, and with lowered effort for manual triage and confirmation of reported potential vulnerabilities. We first develop techniques to apply information flow policy checking scalably via type systems for C and via dynamic taint analysis for JavaScript. We then demonstrate how dynamic taint analysis can be used in combination with dynamic symbolic execution to improve analysis comprehensiveness. Finally, we show how information flow traces can be leveraged to synthesize concrete exploits that can then be used to automatically confirm potential vulnerabilities in real programs.
- Subject Added Entry-Topical Term
- Computer science.
- Subject Added Entry-Topical Term
- Computer engineering.
- Subject Added Entry-Topical Term
- Electrical engineering.
- Index Term-Uncontrolled
- Information flow
- Index Term-Uncontrolled
- JavaScript
- Index Term-Uncontrolled
- Program analysis
- Index Term-Uncontrolled
- Symbolic execution
- Index Term-Uncontrolled
- Type systems
- Added Entry-Corporate Name
- Carnegie Mellon University Electrical and Computer Engineering
- Host Item Entry
- Dissertations Abstracts International. 85-03B.
- Host Item Entry
- Dissertation Abstract International
- Electronic Location and Access
- This material can be viewed after logging in.
- Control Number
- joongbu:644030