Proof-Carrying Code for Verifying Confidentiality of Mobile Code through Secure Information Flow Analysis

The growing dependence of our society and economy on networked information systems makes it essential to protect our confidential data from being leaked by malicious code. Downloading and executing code (possibly from untrusted sources) has become a daily event. Modern operating systems load code fo...

Full description

Saved in:
Bibliographic Details
Main Author: Abdu Muthana, Abdulrahman Ahmad
Format: Thesis
Language:English
English
Published: 2008
Online Access:http://psasir.upm.edu.my/id/eprint/5256/1/FSKTM_2008_20a.pdf
http://psasir.upm.edu.my/id/eprint/5256/
Tags: Add Tag
No Tags, Be the first to tag this record!
id my.upm.eprints.5256
record_format eprints
spelling my.upm.eprints.52562013-05-27T07:21:30Z http://psasir.upm.edu.my/id/eprint/5256/ Proof-Carrying Code for Verifying Confidentiality of Mobile Code through Secure Information Flow Analysis Abdu Muthana, Abdulrahman Ahmad The growing dependence of our society and economy on networked information systems makes it essential to protect our confidential data from being leaked by malicious code. Downloading and executing code (possibly from untrusted sources) has become a daily event. Modern operating systems load code for adding new functionalities; web browsers download plug-ins and applets; end-users download untrusted code for doing some useful tasks. Certification that the untrusted code respects the confidentiality of data it manipulates is essential in these situations. Thus it is necessary to analyze how information flows within that program. This thesis presents an approach to enable end-users to determine whether untrusted mobile code will respect pre-specified confidentiality policies by statically analyzing the untrusted code for secure information flow. The approach is based on adapting of a well-known approach, proof-carrying code (PCC) to information flow security and basing the security policy of PCC on a security-type system, which enforces information flow policy, namely noninterference security policy in RISC-style assembly programs. The untrusted code is then analyzed for secure information flow based on the idea of PCC. The proofs that untrusted code does not leak confidential information are generated by the code producer and checked by the code consumer. If the proofs are valid, then the end-users (code consumer) can install and execute the untrusted mobile code safely. The proposed approach benefits from distinctive features that make it a very appropriate for security checking. First, it operates directly on object code produced by general-purpose off-the-shelf compilers. Second, it exploits the benefits that both type systems and proof-carrying code approaches offer and combines their strengths. Type systems provide an appealing option for implementing security policies, and thus represent a natural enabling technology of proof-carrying code. Meanwhile, proof-carrying code is an efficient approach for assembly code verification. Third, the explicit machine-checkable proofs serve as a certificate to distrustful users and give them more confidence in the security approach. The proposed security approach represents one point in the design space for mobile code security systems; it is well suited to typical Internet users. It enforces information flow policy with low preparation cost on the part of the code producer and no runtime overhead cost on the part of the code consumer. The security approach provides end-users with an adequate assurance of protecting the confidentiality of their confidential data. 2008 Thesis NonPeerReviewed application/pdf en http://psasir.upm.edu.my/id/eprint/5256/1/FSKTM_2008_20a.pdf Abdu Muthana, Abdulrahman Ahmad (2008) Proof-Carrying Code for Verifying Confidentiality of Mobile Code through Secure Information Flow Analysis. PhD thesis, Universiti Putra Malaysia. English
institution Universiti Putra Malaysia
building UPM Library
collection Institutional Repository
continent Asia
country Malaysia
content_provider Universiti Putra Malaysia
content_source UPM Institutional Repository
url_provider http://psasir.upm.edu.my/
language English
English
description The growing dependence of our society and economy on networked information systems makes it essential to protect our confidential data from being leaked by malicious code. Downloading and executing code (possibly from untrusted sources) has become a daily event. Modern operating systems load code for adding new functionalities; web browsers download plug-ins and applets; end-users download untrusted code for doing some useful tasks. Certification that the untrusted code respects the confidentiality of data it manipulates is essential in these situations. Thus it is necessary to analyze how information flows within that program. This thesis presents an approach to enable end-users to determine whether untrusted mobile code will respect pre-specified confidentiality policies by statically analyzing the untrusted code for secure information flow. The approach is based on adapting of a well-known approach, proof-carrying code (PCC) to information flow security and basing the security policy of PCC on a security-type system, which enforces information flow policy, namely noninterference security policy in RISC-style assembly programs. The untrusted code is then analyzed for secure information flow based on the idea of PCC. The proofs that untrusted code does not leak confidential information are generated by the code producer and checked by the code consumer. If the proofs are valid, then the end-users (code consumer) can install and execute the untrusted mobile code safely. The proposed approach benefits from distinctive features that make it a very appropriate for security checking. First, it operates directly on object code produced by general-purpose off-the-shelf compilers. Second, it exploits the benefits that both type systems and proof-carrying code approaches offer and combines their strengths. Type systems provide an appealing option for implementing security policies, and thus represent a natural enabling technology of proof-carrying code. Meanwhile, proof-carrying code is an efficient approach for assembly code verification. Third, the explicit machine-checkable proofs serve as a certificate to distrustful users and give them more confidence in the security approach. The proposed security approach represents one point in the design space for mobile code security systems; it is well suited to typical Internet users. It enforces information flow policy with low preparation cost on the part of the code producer and no runtime overhead cost on the part of the code consumer. The security approach provides end-users with an adequate assurance of protecting the confidentiality of their confidential data.
format Thesis
author Abdu Muthana, Abdulrahman Ahmad
spellingShingle Abdu Muthana, Abdulrahman Ahmad
Proof-Carrying Code for Verifying Confidentiality of Mobile Code through Secure Information Flow Analysis
author_facet Abdu Muthana, Abdulrahman Ahmad
author_sort Abdu Muthana, Abdulrahman Ahmad
title Proof-Carrying Code for Verifying Confidentiality of Mobile Code through Secure Information Flow Analysis
title_short Proof-Carrying Code for Verifying Confidentiality of Mobile Code through Secure Information Flow Analysis
title_full Proof-Carrying Code for Verifying Confidentiality of Mobile Code through Secure Information Flow Analysis
title_fullStr Proof-Carrying Code for Verifying Confidentiality of Mobile Code through Secure Information Flow Analysis
title_full_unstemmed Proof-Carrying Code for Verifying Confidentiality of Mobile Code through Secure Information Flow Analysis
title_sort proof-carrying code for verifying confidentiality of mobile code through secure information flow analysis
publishDate 2008
url http://psasir.upm.edu.my/id/eprint/5256/1/FSKTM_2008_20a.pdf
http://psasir.upm.edu.my/id/eprint/5256/
_version_ 1643823136096911360
score 13.214268