Article
DOI: 10.1145/1255329.1255339

Localized delimited release: combining the what and where dimensions of information release

Published: 14 June 2007

Abstract

Information release (or declassification) policies are the key challenge for language-based information security. Although much progress has been made, different approaches to information release tend to address different aspects of information release. In a recent classification, these aspects are referred to as the what, who, where, and when dimensions of declassification. In order to avoid information laundering, it is important to combine defense along the different dimensions. As a step in this direction, this paper presents a combination of what and where information release policies. Moreover, we show that a minor modification of a security type system from the literature (which was designed for treating the what dimension) in fact enforces the combination of what and where policies.



      Published In

      PLAS '07: Proceedings of the 2007 workshop on Programming languages and analysis for security
      June 2007
      122 pages
      ISBN:9781595937117
      DOI:10.1145/1255329
      General Chair: Michael Hicks

      Publisher

      Association for Computing Machinery, New York, NY, United States


      Author Tags

      1. de-classification
      2. downgrading
      3. information flow
      4. noninterference
      5. security policies


      Acceptance Rates

      Overall Acceptance Rate 43 of 77 submissions, 56%


      Cited By

      • (2023) Compositional Security Definitions for Higher-Order Where Declassification. Proceedings of the ACM on Programming Languages 7:OOPSLA1 (406-433). DOI: 10.1145/3586041. Online publication date: 6-Apr-2023
      • (2023) A Dafny-based approach to thread-local information flow analysis. 2023 IEEE/ACM 11th International Conference on Formal Methods in Software Engineering (FormaliSE) (86-96). DOI: 10.1109/FormaliSE58978.2023.00017. Online publication date: May-2023
      • (2022) Towards a General-Purpose Dynamic Information Flow Policy. 2022 IEEE 35th Computer Security Foundations Symposium (CSF) (260-275). DOI: 10.1109/CSF54842.2022.9919639. Online publication date: Aug-2022
      • (2022) Declassification Predicates for Controlled Information Release. Formal Methods and Software Engineering (298-315). DOI: 10.1007/978-3-031-17244-1_18. Online publication date: 24-Oct-2022
      • (2021) A Field-Sensitive Security Monitor for Object-Oriented Programs. Computers and Security 108:C. DOI: 10.1016/j.cose.2021.102349. Online publication date: 1-Sep-2021
      • (2020) RIF. Journal of Computer Security 28:2 (191-228). DOI: 10.3233/JCS-191316. Online publication date: 1-Jan-2020
      • (2019) A Dependently Typed Library for Static Information-Flow Control in Idris. Principles of Security and Trust (51-75). DOI: 10.1007/978-3-030-17138-4_3. Online publication date: 3-Apr-2019
      • (2018) Abstract Non-Interference. ACM Transactions on Privacy and Security 21:2 (1-31). DOI: 10.1145/3175660. Online publication date: 5-Feb-2018
      • (2018) Assuming You Know: Epistemic Semantics of Relational Annotations for Expressive Flow Policies. 2018 IEEE 31st Computer Security Foundations Symposium (CSF) (189-203). DOI: 10.1109/CSF.2018.00021. Online publication date: Jul-2018
      • (2018) Synthesis of a Permissive Security Monitor. Computer Security (48-65). DOI: 10.1007/978-3-319-99073-6_3. Online publication date: 8-Aug-2018
