Abstract
Much work on security-typed languages lacks a satisfactory account of intentional information release. In the context of confidentiality, a typical security guarantee provided by security type systems is noninterference, which allows no information flow from secret inputs to public outputs. However, many intuitively secure programs do allow some release, or declassification, of secret information (e.g., password checking, information purchase, and spreadsheet computation). Noninterference fails to recognize such programs as secure. In this respect, many security type systems enforcing noninterference are impractical. On the other side of the spectrum are type systems designed to accommodate some information leakage. However, there is often little or no guarantee about what is actually being leaked. As a consequence, such type systems are vulnerable to laundering attacks, which exploit declassification mechanisms to reveal more secret data than intended. To bridge this gap, this paper introduces a new security property, delimited release, an end-to-end guarantee that declassification cannot be exploited to construct laundering attacks. In addition, a security type system is given that straightforwardly and provably enforces delimited release.
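The distinction the abstract draws can be checked exhaustively on toy programs. The following is an added example, not code from the paper. The two-level (secret/public) model, the tiny value domain, the four sample programs and the formulation of the property used here are assumptions made for illustration: two initial states that agree on the public input and on the initial value of every declassified expression must produce the same public output.

```python
from itertools import product

DOMAIN = range(4)  # constructed, tiny on purpose so the check is exhaustive

def avg(h, l):
    """Expression handed to declassify in the averaging programs."""
    return (h[0] + h[1]) // 2

def pw_match(h, l):
    """Expression handed to declassify in the password check."""
    return h[0] == l

# Each program maps (secret pair h, public input l) to its public output.
def password_check(h, l):
    return pw_match(h, l)            # out := declassify(h1 == l)

def average(h, l):
    return avg(h, l)                 # out := declassify(avg(h1, h2))

def laundered_average(h, l):
    h = (h[0], h[0])                 # h2 := h1 runs before the release
    return avg(h, l)                 # same declassify, now reveals h1 itself

def public_only(h, l):
    return l + 1                     # no declassification at all

def violations(program, escapes):
    """State pairs an observer of the public output can tell apart even though
    they agree on the public input and on every escape value."""
    states = [((a, b), l) for a, b, l in product(DOMAIN, repeat=3)]
    bad = []
    for (h1, l1), (h2, l2) in product(states, repeat=2):
        if l1 != l2:
            continue
        if any(e(h1, l1) != e(h2, l2) for e in escapes):
            continue
        if program(h1, l1) != program(h2, l2):
            bad.append(((h1, l1), (h2, l2)))
    return bad

def noninterferent(program):
    return not violations(program, [])

def delimited_release(program, escapes):
    return not violations(program, escapes)

if __name__ == "__main__":
    for prog, esc in [(public_only, []), (password_check, [pw_match]),
                      (average, [avg]), (laundered_average, [avg])]:
        print(prog.__name__, noninterferent(prog), delimited_release(prog, esc))
```

The password check and the plain average fail noninterference but pass the delimited check; the laundered variant uses the same declassify expression yet fails, because its output distinguishes secrets that the declared release does not.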
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Sabelfeld, A., Myers, A.C. (2004). A Model for Delimited Information Release. In: Futatsugi, K., Mizoguchi, F., Yonezaki, N. (eds) Software Security - Theories and Systems. ISSS 2003. Lecture Notes in Computer Science, vol 3233. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-37621-7_9
DOI: https://doi.org/10.1007/978-3-540-37621-7_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23635-1
Online ISBN: 978-3-540-37621-7
eBook Packages: Springer Book Archive