Towards Fully Automatic Placement of Security Sanitizers and Declassifiers
Show simple item record
| dc.contributor.author |
Livshits, Benjamin |
|
| dc.contributor.author |
Chong, Stephen N.
|
|
| dc.date.accessioned |
2012-11-27T21:39:01Z |
|
| dc.date.issued |
2012-11-27 |
|
| dc.identifier.citation |
Livshits, Benjamin, and Stephen N. Chong. Forthcoming. Towards fully automatic placement of security sanitizers and declassifiers. In POPL 2013: Proceedings of the 40th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages: January 23-25, 2013, Rome, Italy. |
en_US |
| dc.identifier.uri |
http://nrs.harvard.edu/urn-3:HUL.InstRepos:9949290 |
|
| dc.description.abstract |
A great deal of research on sanitizer placement, sanitizer correctness, checking path validity, and policy inference, has been done in the last five to ten years, involving type systems, static analysis and run-time monitoring and enforcement. However, in pretty much all work thus far, the burden of sanitizer placement has fallen on the developer. However, sanitizer placement in large-scale applications is difficult, and developers are likely to make errors, and thus create security vulnerabilities. This paper advocates a radically different approach: we aim to fully automate the placement of sanitizers by analyzing the flow of tainted data in the program. We argue that developers are better off leaving out sanitizers entirely instead of trying to place them. This paper proposes a fully automatic technique for sanitizer placement. Placement is static whenever possible, switching to run time when necessary. Run-time taint tracking techniques can be used to track the source of a value, and thus apply appropriate sanitization. However, due to the run-time overhead of run-time taint tracking, our technique avoids it wherever possible. |
en_US |
| dc.description.sponsorship |
Engineering and Applied Sciences |
en_US |
| dc.language.iso |
en_US |
en_US |
| dc.publisher |
Association for Computing Machinery |
en_US |
| dash.license |
META_ONLY |
|
| dc.subject |
languages |
en_US |
| dc.subject |
security |
en_US |
| dc.subject |
verification |
en_US |
| dc.subject |
security analysis |
en_US |
| dc.subject |
vulnerability prevention |
en_US |
| dc.title |
Towards Fully Automatic Placement of Security Sanitizers and Declassifiers |
en_US |
| dc.type |
Conference Paper |
en_US |
| dc.description.version |
Author's Original |
en_US |
| dc.relation.journal |
POPL 2013: Proceedings of the 40th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages |
en_US |
| dash.depositing.author |
Chong, Stephen N.
|
|
| dash.embargo.until |
10000-01-01 |
|
| dash.waiver |
2012-10-31 |
|
Files in this item
This item appears in the following Collection(s)
-
FAS Scholarly Articles [5137]
Peer reviewed scholarly articles from the Faculty of Arts and Sciences of Harvard University
Show simple item record
Contact administrator regarding this item (to report mistakes or request changes)
