{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,3]],"date-time":"2026-05-03T11:01:48Z","timestamp":1777806108961,"version":"3.51.4"},"reference-count":50,"publisher":"SAGE Publications","issue":"3","license":[{"start":{"date-parts":[[2020,4,1]],"date-time":"2020-04-01T00:00:00Z","timestamp":1585699200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2020,4,21]]},"abstract":"<jats:p>Dynamic taint analysis is often used as a defense against low-integrity data in applications with untrusted user interfaces. An important example is defense against XSS and injection attacks in programs with web interfaces. Data sanitization is commonly used in this context, and can be treated as a precondition for endorsement in a dynamic integrity taint analysis. However, sanitization is often incomplete in practice. We develop a model of dynamic integrity taint analysis for Java that addresses imperfect sanitization with an in-depth approach. To avoid false positives, results of sanitization are endorsed for access control (aka prospective security), but are tracked and logged for auditing and accountability (aka retrospective security).<\/jats:p>\n                  <jats:p>We show how this heterogeneous prospective\/retrospective mechanism can be specified as a uniform policy, separate from code. We then use this policy to establish correctness conditions for a program rewriting algorithm that instruments code for the analysis. These conditions synergize our previous work on the semantics of audit logging with explicit integrity which is an analogue of noninterference for taint analysis. A technical contribution of our work is the extension of explicit integrity to a high-level functional language setting with structured data, vs. previous systems that only address low level languages with unstructured data. Our approach considers endorsement which is crucial to address sanitization. An implementation of our rewriting algorithm is presented that hardens the OpenMRS medical records software system with in-depth taint analysis, along with an empirical evaluation of the overhead imposed by instrumentation. Our results show that this instrumentation is practical.<\/jats:p>","DOI":"10.3233\/jcs-191342","type":"journal-article","created":{"date-parts":[[2020,4,3]],"date-time":"2020-04-03T10:50:34Z","timestamp":1585911034000},"page":"295-335","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":3,"title":["Maybe tainted data: Theory and a case study"],"prefix":"10.1177","volume":"28","author":[{"given":"Christian","family":"Skalka","sequence":"first","affiliation":[{"name":"Department of Computer Science, University of Vermont, USA. E-mails:\u00a0,\u00a0"}]},{"given":"Sepehr","family":"Amir-Mohammadian","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of the Pacific, USA. E-mail:\u00a0"}]},{"given":"Samuel","family":"Clark","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Vermont, USA. E-mails:\u00a0,\u00a0"}]}],"member":"179","published-online":{"date-parts":[[2020,4,1]]},"reference":[{"key":"ref001","unstructured":"S.\u00a0Amir-Mohammadian, A formal approach to combining prospective and retrospective security, PhD thesis, The University of Vermont, 2017."},{"key":"ref002","doi-asserted-by":"crossref","unstructured":"S.\u00a0Amir-Mohammadian, S.\u00a0Chong and C.\u00a0Skalka, Correct audit logging: Theory and practice, in: POST, 2016, pp.\u00a0139\u2013162.","DOI":"10.1007\/978-3-662-49635-0_8"},{"key":"ref003","doi-asserted-by":"crossref","unstructured":"S.\u00a0Amir-Mohammadian and C.\u00a0Skalka, In-depth enforcement of dynamic integrity taint analysis, in: PLAS, 2016.","DOI":"10.1145\/2993600.2993610"},{"key":"ref004","doi-asserted-by":"crossref","unstructured":"A.\u00a0Askarov, S.\u00a0Hunt, A.\u00a0Sabelfeld and D.\u00a0Sands, Termination-insensitive noninterference leaks more than just a bit, in: ESORICS, 2008, pp.\u00a0333\u2013348.","DOI":"10.1007\/978-3-540-88313-5_22"},{"key":"ref005","doi-asserted-by":"crossref","unstructured":"A.\u00a0Askarov and A.\u00a0Myers, A semantic framework for declassification and endorsement, in: ESOP, 2010, pp.\u00a064\u201384.","DOI":"10.1007\/978-3-642-11957-6_5"},{"key":"ref006","doi-asserted-by":"crossref","unstructured":"A.\u00a0Askarov and A.\u00a0Sabelfeld, Gradual release: Unifying declassification, encryption and key release policies, in: IEEE S&P, 2007, pp.\u00a0207\u2013221.","DOI":"10.1109\/SP.2007.22"},{"key":"ref007","doi-asserted-by":"crossref","unstructured":"A.\u00a0Askarov and A.\u00a0Sabelfeld, Tight enforcement of information-release policies for dynamic languages, in: CSF, 2009, pp.\u00a043\u201359.","DOI":"10.1109\/CSF.2009.22"},{"key":"ref008","doi-asserted-by":"crossref","unstructured":"M.\u00a0Balliu, D.\u00a0Schoepe and A.\u00a0Sabelfeld, We are family: Relating information-flow trackers, in: European Symposium on Research in Computer Security, 2017, pp.\u00a0124\u2013145.","DOI":"10.1007\/978-3-319-66402-6_9"},{"key":"ref009","unstructured":"L.\u00a0Bauer, J.\u00a0Ligatti and D.\u00a0Walker, More enforceable security policies, Technical Report TR-649-02, Princeton University, 2002."},{"key":"ref010","doi-asserted-by":"crossref","unstructured":"F.\u00a0Bavera and E.\u00a0Bonelli, Justification logic and audited computation, Journal of Logic and Computation (2015), exv037.","DOI":"10.1093\/logcom\/exv037"},{"key":"ref011","doi-asserted-by":"crossref","unstructured":"J.\u00a0Bell and G.E.\u00a0Kaiser, Phosphor: Illuminating dynamic data flow in commodity jvms, in: OOPSLA, 2014, pp.\u00a083\u2013101.","DOI":"10.1145\/2660193.2660212"},{"key":"ref012","doi-asserted-by":"crossref","unstructured":"J.\u00a0Bell and G.E.\u00a0Kaiser, Dynamic taint tracking for java with phosphor (demo), in: ISSTA, 2015, pp.\u00a0409\u2013413.","DOI":"10.1145\/2771783.2784768"},{"key":"ref013","doi-asserted-by":"crossref","unstructured":"A.\u00a0Birgisson, A.\u00a0Russo and A.\u00a0Sabelfeld, Unifying facets of information integrity, in: ICISS, 2010, pp.\u00a048\u201365.","DOI":"10.1007\/978-3-642-17714-9_5"},{"key":"ref014","unstructured":"C.\u00a0Bodei and L.\u00a0Galletta, Tracking sensitive and untrustworthy data in IoT, in: ITASEC, 2017, pp.\u00a038\u201352."},{"key":"ref015","doi-asserted-by":"crossref","unstructured":"E.\u00a0Bosman, A.\u00a0Slowinska and H.B.\u00a0Minemu, The world\u2019s fastest taint tracker, in: RAID, 2011, pp.\u00a01\u201320.","DOI":"10.1007\/978-3-642-23644-0_1"},{"key":"ref016","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-007-0017-y"},{"key":"ref017","doi-asserted-by":"crossref","unstructured":"W.\u00a0Cheng, Q.\u00a0Zhao, B.\u00a0Yu and S.H.\u00a0Tainttrace, Efficient flow tracing with dynamic binary rewriting, in: IEEE ISCC, 2006, pp.\u00a0749\u2013754.","DOI":"10.1109\/ISCC.2006.158"},{"key":"ref018","doi-asserted-by":"publisher","DOI":"10.1145\/1655121.1655125"},{"key":"ref019","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-2009-0393"},{"key":"ref020","doi-asserted-by":"publisher","DOI":"10.1145\/359636.359712"},{"key":"ref021","doi-asserted-by":"publisher","DOI":"10.1145\/2494522"},{"key":"ref022","unstructured":"V.\u00a0Ganapathy, T.\u00a0Jaeger, C.\u00a0Skalka and G.\u00a0Tan, Assurance for defense in depth via retrofitting, in: LAW, 2014."},{"key":"ref023","doi-asserted-by":"crossref","unstructured":"D.\u00a0Garg, L.\u00a0Jia and A.\u00a0Datta, Policy auditing over incomplete logs: Theory, implementation and applications, in: CCS 2011, 2011, pp.\u00a0151\u2013162.","DOI":"10.1145\/2046707.2046726"},{"key":"ref024","doi-asserted-by":"crossref","unstructured":"J.A.\u00a0Goguen and J.\u00a0Meseguer, Security policies and security models, in: IEEE S&P, 1982, pp.\u00a011\u201320.","DOI":"10.1109\/SP.1982.10014"},{"key":"ref025","doi-asserted-by":"crossref","unstructured":"V.\u00a0Haldar, D.\u00a0Chandra and M.\u00a0Franz, Dynamic taint propagation for java, in: ACSAC, 2005, pp.\u00a0303\u2013311.","DOI":"10.1109\/CSAC.2005.21"},{"key":"ref026","doi-asserted-by":"publisher","DOI":"10.1145\/503502.503505"},{"key":"ref027","doi-asserted-by":"crossref","unstructured":"J.\u00a0Kohlas, Information Algebras: Generic Structures for Inference, Discrete Mathematics and Theoretical Computer Science, Springer, 2003.","DOI":"10.1007\/978-1-4471-0009-6_6"},{"key":"ref028","doi-asserted-by":"publisher","DOI":"10.3390\/info5020219"},{"key":"ref029","unstructured":"B.\u00a0Livshits, Dynamic taint tracking in managed runtimes, Technical report, Technical Report MSR-TR-2012-114, Microsoft Research, 2012."},{"key":"ref030","doi-asserted-by":"crossref","unstructured":"B.\u00a0Livshits and S.\u00a0Chong, Towards fully automatic placement of security sanitizers and declassifiers, in: POPL, 2013, pp.\u00a0385\u2013398.","DOI":"10.1145\/2429069.2429115"},{"key":"ref031","unstructured":"B.\u00a0Livshits, M.\u00a0Martin and M.S.\u00a0Lam, Securifly: Runtime protection and recovery from web application vulnerabilities, Technical report, Stanford University, 2006."},{"key":"ref032","unstructured":"M.\u00a0Martin, B.\u00a0Livshits and M.S.\u00a0Lam, Finding application errors using PQL: A program query language, in: OOPSLA, 2005."},{"key":"ref033","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-2006-14203"},{"key":"ref034","unstructured":"W.\u00a0Ricciotti and J.\u00a0Cheney, Strongly normalizing audited computation,\n                      CoRR\n                      , 2017, abs\/1706.03711."},{"key":"ref035","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-2009-0352"},{"key":"ref036","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2002.806121"},{"key":"ref037","doi-asserted-by":"publisher","DOI":"10.1145\/1356058.1356069"},{"key":"ref038","doi-asserted-by":"publisher","DOI":"10.1145\/353323.353382"},{"key":"ref039","doi-asserted-by":"crossref","unstructured":"D.\u00a0Schoepe, M.\u00a0Balliu, B.C.\u00a0Pierce and A.\u00a0Sabelfeld, Explicit secrecy: A policy for taint tracking, in: IEEE EuroS&P, 2016, pp.\u00a015\u201330.","DOI":"10.1109\/EuroSP.2016.14"},{"key":"ref040","doi-asserted-by":"crossref","unstructured":"D.\u00a0Schoepe, M.\u00a0Balliu, F.\u00a0Piessens and A.\u00a0Sabelfeld, Let\u2019s face it: Faceted values for taint tracking, in: European Symposium on Research in Computer Security, 2016, pp.\u00a0561\u2013580.","DOI":"10.1007\/978-3-319-45744-4_28"},{"key":"ref041","doi-asserted-by":"crossref","unstructured":"E.J.\u00a0Schwartz, T.\u00a0Avgerinos and D.\u00a0Brumley, All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask), in: IEEE S&P, 2010, pp.\u00a0317\u2013331.","DOI":"10.1109\/SP.2010.26"},{"key":"ref042","unstructured":"R.\u00a0Sekar, An efficient black-box technique for defeating web application attacks, in: NDSS, 2009."},{"key":"ref043","unstructured":"C.\u00a0Skalka, S.\u00a0Amir-Mohammadian and S.\u00a0Clark, Dynamic integrity taint analysis in depth, Technical report, University of Vermont, 2019, http:\/\/www.cs.uvm.edu\/~ceskalka\/skalka-pubs\/phos-TR19.pdf."},{"key":"ref044","unstructured":"C.\u00a0Skalka, S.\u00a0Amir-Mohammadian and S.\u00a0Clark, Retrospective taint analysis for OpenMRS, 2019, https:\/\/github.com\/uvm-plaid\/phosphor-mod."},{"key":"ref045","doi-asserted-by":"publisher","DOI":"10.1145\/2993600.2993606"},{"key":"ref046","unstructured":"Usage statistics module, 2010, https:\/\/wiki.openmrs.org\/display\/docs\/Usage+Statistics+Module, Accessed: 2015-09-27."},{"key":"ref047","doi-asserted-by":"crossref","unstructured":"D.M.\u00a0Volpano, Safety versus secrecy, in: SAS, 1999, pp.\u00a0303\u2013311.","DOI":"10.1007\/3-540-48294-6_20"},{"key":"ref048","doi-asserted-by":"crossref","unstructured":"G.\u00a0Wassermann and Z.\u00a0Su, Sound and precise analysis of web applications for injection vulnerabilities, in: PLDI, 2007, pp.\u00a032\u201341.","DOI":"10.1145\/1273442.1250739"},{"key":"ref049","doi-asserted-by":"crossref","unstructured":"Z.\u00a0Wei and D.L.\u00a0Lazytainter, Memory-efficient taint tracking in managed runtimes, in: SPSM Workshop at CCS, 2014, pp.\u00a027\u201338.","DOI":"10.1145\/2666620.2666626"},{"key":"ref050","doi-asserted-by":"publisher","DOI":"10.1145\/1945023.1945039"}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191342","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-191342","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191342","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T20:45:22Z","timestamp":1777495522000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-191342"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,4,1]]},"references-count":50,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2020,4,21]]}},"alternative-id":["10.3233\/JCS-191342"],"URL":"https:\/\/doi.org\/10.3233\/jcs-191342","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,4,1]]}}}