Sciweavers

IFIP
2009
Springer

Towards a Type System for Security APIs

14 years 5 months ago
Towards a Type System for Security APIs
Security API analysis typically only considers a subset of an API’s functions, with results bounded by the number of function calls. Furthermore, attacks involving partial leakage of sensitive information are usually not covered. Type-based static analysis has the potential to alleviate these shortcomings. To that end, we present a type system for secure information flow based upon the one of Volpano, Smith and Irvine [1], extended with types for cryptographic keys and ciphertext similar to those in Sumii and Pierce [2]. In contrast to some other type systems, the encryption and decryption of keys does not require special treatment. We show that a well-typed sequence of commands is non-interferent, based upon a definition of indistinguishability where, in certain circumstances, the adversary can distinguish between ciphertexts that correspond to encrypted public data.
Gavin Keighren, David Aspinall, Graham Steel
Added 26 May 2010
Updated 26 May 2010
Type Conference
Year 2009
Where IFIP
Authors Gavin Keighren, David Aspinall, Graham Steel
Comments (0)