research-article

Flow-sensitive semantics for dynamic information flow policies

Authors:
Niklas Broberg

Chalmers University of Technology and University of Gothenburg, Göteborg, Sweden

Chalmers University of Technology and University of Gothenburg, Göteborg, Sweden
View Profile

,
David Sands

Chalmers University of Technology, Göteborg, Sweden

Chalmers University of Technology, Göteborg, Sweden
View Profile

PLAS '09: Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for SecurityJune 2009Pages 101–112https://doi.org/10.1145/1554339.1554352

Published:15 June 2009Publication History

PLAS '09: Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security

Pages 101–112

ABSTRACT

Dynamic information flow policies, such as declassification, are essential for practically useful information flow control systems. However, most systems proposed to date that handle dynamic information flow policies suffer from a common drawback. They build on semantic models of security which are inherently flow insensitive, which means that many simple intuitively secure programs will be considered insecure.

In this paper we address this problem in the context of a particular system, flow locks. We provide a new flow sensitive semantics for flow locks based on a knowledge-style definition (following Askarov and Sabelfeld), in which the knowledge gained by an actor observing a program run is constrained according to the flow locks which are open at the time each observation is made. We demonstrate the applicability of the definition in a soundness proof for a simple flow lock type system. We also show how other systems can be encoded using flow locks, as an easy means to provide these systems with flow sensitive semantics.

References

{AB05} A. Almeida Matos and G. Boudol. On declassification and the non-disclosure policy. In Proc. IEEE Computer Security Foundations Workshop, pages 226--240, June 2005. Google ScholarDigital Library
{AHSS08} A. Askarov, S. Hunt, A. Sabelfeld, and D. Sands. Termination insensitive noninterference leaks more than just a bit. In Proc. European Symp. on Research in Computer Security, 2008. Google ScholarDigital Library
{AS07} A. Askarov and A. Sabelfeld. Gradual release: Unifying declassification, encryption and key release policies. In Proc. IEEE Symp. on Security and Privacy, pages 207--221, May 2007. Google ScholarDigital Library
{BCR08} Gilles Barthe, Salvador Cavadini, and Tamara Rezk. Tractable enforcement of declassification policies. In Proc. IEEE Computer Security Foundations Symposium, 2008. Google ScholarDigital Library
{BNR08} A. Banerjee, D. Naumann, and S. Rosenberg. Expressive declassification policies and modular static enforcement. IEEE Symposium on Security and Privacy, pages 339--353, 2008. Google ScholarDigital Library
{BS06a} N. Broberg and D. Sands. Flow locks: Towards a core calculus for dynamic flow policies. In Programming Languages and Systems. 15th European Symposium on Programming, ESOP 2006, volume 3924 of LNCS. Springer Verlag, 2006. Google ScholarDigital Library
{BS06b} N. Broberg and D. Sands. Flow locks: Towards a core calculus for dynamic flow policies. Technical report, Chalmers University of Technology and Göteborgs University, May 2006. Extended version of {BS06a}.Google Scholar
{Dam06} M. Dam. Decidability and proof systems for language-based noninterference relations. In Proc. ACM Symp. on Principles of Programming Languages, 2006. Google ScholarDigital Library
{DEG06} C. Dima, C. Enea, and R. Gramatovici. Nondeterministic nointerference and deducible information flow. Technical Report 2006--01, University of Paris 12, LACL, 2006.Google Scholar
{EP03} R. Echahed and F. Prost. Handling harmless interference. Technical Report 82, Laboratoire Leibniz, IMAG, June 2003.Google Scholar
{EP05} R. Echahed and F. Prost. Security policy in a declarative style. In Proceedings of the 7<sup>th</sup> International Conference on Principles and Practice of Declarative Programming (PPDP '05), Lisboa, Portugal, July 2005. Google ScholarDigital Library
{GM82} J. A. Goguen and J. Meseguer. Security policies and security models. In Proc. IEEE Symp. on Security and Privacy, pages 11--20, April 1982.Google ScholarCross Ref
{LM08} Alexander Lux and Heiko Mantel. Who can declassify? In Preproceedings of the Workshop on Formal Aspects in Security and Trust (FAST), 2008.Google Scholar
{McC87} D. McCullough. Specifications for multi-level security and hook-up property. In Proc. IEEE Symp. on Security and Privacy, pages 161--166, April 1987.Google Scholar
{MR07} H. Mantel and A. Reinhard. Controlling the what and where of declassification in language-based security. In Proc. European Symp. on Programming, volume 4421 of LNCS, pages 141--156. Springer-Verlag, March 2007. Google ScholarDigital Library
{MS04} H. Mantel and D. Sands. Controlled downgrading based on intransitive (non)interference. In Proc. Asian Symp. on Programming Languages and Systems, volume 3302 of LNCS, pages 129--145. Springer-Verlag, November 2004.Google ScholarCross Ref
{MSZ04} A. Myers, A. Sabelfeld, and S. Zdancewic. Enforcing robust declassification. In Proc. IEEE Computer Security Foundations Workshop, pages 172--186, June 2004. Google ScholarDigital Library
{SHTZ06} N. Swamy, M. Hicks, S. Tse, and S. Zdancewic. Managing policy updates in security-typed languages. Computer Security Foundations Workshop, IEEE, 2006. Google ScholarDigital Library
{SS00} A. Sabelfeld and D. Sands. Probabilistic noninterference for multi-threaded programs. In Proc. IEEE Computer Security Foundations Workshop, pages 200--214, July 2000. Google ScholarDigital Library
{SS05} A. Sabelfeld and D. Sands. Dimensions and principles of declassification. In Proc. IEEE Computer Security Foundations Workshop, pages 255--269, June 2005. Google ScholarDigital Library
{TZ04} Stephen Tse and Steve Zdancewic. Run-time principals in information-flow type systems. In In IEEE Symposium on Security and Privacy, pages 179--193, 2004.Google Scholar
{ZM07} L. Zheng and A. C. Myers. Dynamic security labels and static information flow control. International Journal of Information Security, 6, 2007.Google Scholar

Index Terms

Flow-sensitive semantics for dynamic information flow policies
1. Theory of computation
  1. Semantics and reasoning
    1. Program semantics

Recommendations

Flow-sensitive semantics for dynamic information flow policies (abstract only)

Dynamic information flow policies, such as declassification, are essential for practically useful information flow control systems. However, most systems proposed to date that handle dynamic information flow policies suffer from a common drawback. They ...
Read More
A language for information flow: dynamic tracking in multiple interdependent dimensions
PLAS '09: Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security

This paper presents λ_I, a language for dynamic tracking of information flow across multiple, interdependent dimensions of information. Typical dimensions of interest are integrity and confidentiality. λ_I supports arbitrary domain-specific policies that ...
Read More
Encoding information flow in Aura
PLAS '09: Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security

Two of the main ways to protect security-sensitive resources in computer systems are to enforce access-control policies and information-flow policies. In this paper, we show how to enforce information-flow policies in Aura, which is a programming ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
PLAS '09: Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security
June 2009
130 pages
ISBN:9781605586458
DOI:10.1145/1554339
Conference Chairs:
Stephen Chong
Harvard University
,
David Naumann
Stevens Institute of Technology
Copyright © 2009 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 15 June 2009
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
declassification
information flow control
security type system
Qualifiers
- research-article
Conference

Acceptance Rates
PLAS '09 Paper Acceptance Rate8of19submissions,42%Overall Acceptance Rate43of77submissions,56%
More
Upcoming Conference
PLDI '24

Sponsor:

sigplan

ACM SIGPLAN Conference on Programming Language Design and Implementation

June 24 - 28, 2024

Copenhagen , Denmark
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 16
  Total Citations
  View Citations
- 222
  Total Downloads
- Downloads (Last 12 months)12
- Downloads (Last 6 weeks)0
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Flow-sensitive semantics for dynamic information flow policies

PLAS '09: Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security

ABSTRACT

References

Cited By

Index Terms

Recommendations

Flow-sensitive semantics for dynamic information flow policies (abstract only)

A language for information flow: dynamic tracking in multiple interdependent dimensions

Encoding information flow in Aura