A Semantic Notion of Secure Information-Flow

Abstract

It is highly desirable to have a safety property characterizing a general notion of secure information flow that succinctly captures the underpinnings of language-based security for general purpose programming languages. Such a notion must necessarily consider both implicit and explicit flows, and the need to provide labeled outputs. The notion must also embed access control and information-flow control considering that the program output is usually a set of multilevel labeled outputs. Finally, it must be based on a notion of security violations, as the latter plays a vital role in compositionality of security properties. The widely used notion of non-interference does not meet many of these criteria, and its use has crippled the progress of secure programming systems and operating systems. A notion of security that takes the desired criteria into account is proposed, and its advantages in comparison with non-interference and other related notions is established. We further relate our notion to the early works of Fenton and Denning to highlight its succinctness in defining language-based security, and also with that of Boudol’s notion of secure information flow as a safety property. An added advantage of our approach compared to Boudol’s approach is that it generalizes to non-deterministic systems and systems with rich constructs such as exceptions etc.

Appendix

Proof

We prove this by proving its contrapositive, i.e., by proving that if c is not non-interfering, then it is not IF-Secure.

c is not non-interfering if

$$\begin{aligned} \exists q_1,q_2\in \mathcal {Q}, L\in \mathcal {L} \big [(q_1\cong _L q_2) \wedge (\mathcal {S}(q_1,c)\not \cong _L \mathcal {S}(q_2,c))\big ] \end{aligned}$$

(1)

Without loss of generality, let \(q_1\), \(q_2\), and L be such that they satisfy (1). We now consider a case-by-case analysis.

Case(i): \(\text {ASeq}(q_1,c)=\text {ASeq}(q_2,c)\).

Let \(\sigma =\text {ASeq}(q_1,c)\), and \(|\sigma |=n\). For \(0\le i\le n\), and \(j\in \{1,2\}\), let \(q_j^i\) denote the values of variables after the \(i^{th}\) intermediate step in the execution of \(\mathcal {S}(q_j,c)\), where \(q_j^0=q_j\), and \(q_j^n=\mathcal {S}(q_j,c)\). From the hypothesis, we have \(q_1^0\cong _L q_2^0\) and \(q_1^n\not \cong _L q_2^n\). Let \(1\le i\le n\) be the integer such that \([\forall 0\le k< i\) \((q_1^k\cong _L q_2^k)]\) \(\wedge \) \((q_1^i\not \cong _L q_2^i)\). This means that \(\sigma _i=(v',u)\) for some variable \(v'\) with \(\lambda (v')\leqslant L\), and that \(v'\) has been updated with different values at the \(i^{th}\) step in the two executions. Since the machine and its commands are deterministic, and since \([\forall 0\le k< i\) \((q_1^k\cong _L q_2^k)]\), this is possible only if \(\exists v''\in V, 1\le l< i\) \(\big [(\lambda (v'')\not \leqslant L)\) \(\wedge \) \((\sigma _l=(v'',r))\) \(\wedge \) \((q_1^l(v'')\ne q_2^l(v''))\) \(\wedge \) \([\forall l< m< i\) \((\sigma _m\ne (v'',r))]\big ]\).

$$\begin{aligned}&(\sigma _l=(v'',r)) \wedge (\sigma _i=(v',u)) \wedge l<i \Rightarrow (v'',v')\in \text {IF}(q_1,c) \end{aligned}$$

(2)

$$\begin{aligned}&[(\lambda (v')\leqslant L) \wedge (\lambda (v'')\not \leqslant {L})] \Rightarrow (\lambda (v'')\not \leqslant {\lambda (v')}) \end{aligned}$$

(3)

From (2), and (3) we can immediately conclude that c is not IF-Secure.

Case(ii): \(\text {ASeq}(q_1,c)\ne \text {ASeq}(q_2,c)\).

Note that because of the deterministic nature of the computing machine \(\mathcal {C}\), it cannot diverge without accessing any inputs i.e., \(\text {ASeq}(q_1,c)_1=\text {ASeq}(q_2,c)_1\). Let \(|\text {ASeq}(q_1,c)|=n_1\), \(|\text {ASeq}(q_2,c)|=n_2\), and without loss of generality \(n_1\le n_2\). Let \(1\le i\le n_1\) be such that \(\big [\forall 1\le j\le i\) \((\text {ASeq}(q_1,c)_j=\text {ASeq}(q_2,c)_j)\) \(\wedge \) \((\text {ASeq}(q_1,c)_{i+1}\ne \text {ASeq}(q_2,c)_{i+1})\big ]\). Further note that due to the deterministic nature of c, the point of divergence can only occur because of a new information learnt i.e., \(\text {ASeq}(q_1,c)_i=\text {ASeq}(q_2,c)_i=(v',r)\) for some \(v'\in V\). Let \(\sigma \) denote the longest common prefix of the sequences \(\text {ASeq}(q_1,c)\) and \(\text {ASeq}(q_2,c)\) i.e., \(\sigma \) is the subsequence of \(\text {ASeq}(q_1,c)\) consisting of its first i elements. For \(j\in \{1,2\}\), and \(0\le i\le n_j\), let \(q_j^i\) denote the values of variables after the \(i^{th}\) intermediate step in the execution of \(\mathcal {S}(q_j,c)\), where \(q_j^0=q_j\), and \(q_j^{n_j}=\mathcal {S}(q_j,c)\).

Here, we further subdivide the proof into two cases.

Case(ii-A): \(q_1^{i-1}\cong _L q_2^{i-1}\)

In this case, only a variable \(v'\in V\) such that \(\lambda (v')\not \leqslant L\) can satisfy \(q_1^{i-1}(v')\ne q_2^{i-1}(v')\), which is a necessity for the paths to diverge.

$$\begin{aligned}&(q_1^{i-1}\cong _L q_2^{i-1}) \wedge (q_1^{n_1}=\mathcal {S}(q_1,c)\not \cong _L\mathcal {S}(q_2,c)=q_2^{n_2}) \Rightarrow \exists v''\in V, i< k\le n_2\big [(\lambda (v'') \leqslant \nonumber \\&L) \wedge (\text {ASeq}(q_2,c)_k=(v'',u))] \end{aligned}$$

(4)

$$\begin{aligned}&\text {ASeq}(q_2,c)_i=(v',r) \wedge \text {ASeq}(q_2,c)_k=(v'',u) \wedge i<k \Rightarrow (v',v'')\in \text {IF}(q_2,c) \end{aligned}$$

(5)

$$\begin{aligned}&[(\lambda (v')\not \leqslant L) \wedge (\lambda (v'')\leqslant L)] \Rightarrow (\lambda (v')\not \leqslant \lambda (v'')) \end{aligned}$$

(6)

From (4), (5) and (6) we can immediately conclude that c is not IF-Secure.

Case(ii-B): \(q_1^{i-1}\not \cong _L q_2^{i-1}\)

This case is similar to Case(i).    \(\square \)