ABSTRACT
Dynamic information flow policies, such as declassification, are essential for practically useful information flow control systems. However, most systems proposed to date that handle dynamic information flow policies suffer from a common drawback: they build on semantic models of security which are inherently flow-insensitive, which means that many simple, intuitively secure programs will be considered insecure.
In this paper we address this problem in the context of a particular system, flow locks. We provide a new flow-sensitive semantics for flow locks based on a knowledge-style definition (following Askarov and Sabelfeld), in which the knowledge gained by an actor observing a program run is constrained according to the flow locks which are open at the time each observation is made. We demonstrate the applicability of the definition in a soundness proof for a simple flow-lock type system. We also show how other systems can be encoded using flow locks, as an easy means to provide these systems with flow-sensitive semantics.
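The following is an added illustration of the knowledge-style condition the abstract describes; it is not code from the paper and does not reproduce its formal definition. It assumes a toy straight-line language with `open`/`close` lock commands and outputs to a single observer, two hypothetical secrets `h` and `k` each guarded by one hypothetical lock, and a simplified security condition: after each observation, the observer's knowledge (the set of initial states still consistent with the outputs seen so far) may shrink only as far as the locks open at the moment of that observation permit.

```python
from itertools import product

# Constructed example: two hypothetical secrets, each guarded by a flow lock.
# POLICY names the lock that must be open before the observer may learn a secret.
DOMAIN = {"h": (0, 1, 2), "k": (0, 1)}
POLICY = {"h": "paid", "k": "expired"}


def all_states():
    """Every initial assignment of the secrets, as hashable (name, value) tuples."""
    names = sorted(DOMAIN)
    return [tuple(zip(names, vals)) for vals in product(*(DOMAIN[n] for n in names))]


def run(program, state):
    """Run a straight-line program on an initial state.

    A program is a list of ("open", lock), ("close", lock) or ("out", f) commands,
    where f maps the state dict to the value sent to the observer. Returns the
    observer's trace as (value, locks open at the time of the output) pairs.
    """
    env, locks, trace = dict(state), set(), []
    for cmd in program:
        if cmd[0] == "open":
            locks.add(cmd[1])
        elif cmd[0] == "close":
            locks.discard(cmd[1])
        elif cmd[0] == "out":
            trace.append((cmd[1](env), frozenset(locks)))
    return trace


def outputs(program, state, n):
    """The first n values the observer sees when the program runs on `state`."""
    return [v for v, _ in run(program, state)[:n]]


def knowledge(program, actual, n):
    """Initial states the observer still considers possible after n observations."""
    seen = outputs(program, actual, n)
    return {s for s in all_states() if outputs(program, s, n) == seen}


def permitted(actual, open_locks):
    """States agreeing with `actual` on every secret whose lock is currently open:
    the most an observation made right now is allowed to reveal."""
    return {s for s in all_states()
            if all(dict(s)[x] == dict(actual)[x]
                   for x, lock in POLICY.items() if lock in open_locks)}


def is_secure(program):
    """Simplified flow-sensitive condition (assumption, not the paper's definition):
    for every initial state and observation i, K_i must contain K_{i-1} intersected
    with what the locks open at observation i permit."""
    for actual in all_states():
        for i, (_, open_locks) in enumerate(run(program, actual), start=1):
            before = knowledge(program, actual, i - 1)
            after = knowledge(program, actual, i)
            if not after >= (before & permitted(actual, open_locks)):
                return False
    return True


# Output h while its lock is open: allowed.
RELEASE_WHILE_OPEN = [("open", "paid"), ("out", lambda e: e["h"]), ("close", "paid")]
# Output h after closing the lock: the observation reveals h when nothing permits it.
RELEASE_AFTER_CLOSE = [("open", "paid"), ("close", "paid"), ("out", lambda e: e["h"])]
# Output h while open, then again after closing: the second observation refines
# knowledge by nothing, so it is permitted regardless of the lock state at that point.
REPEAT_AFTER_CLOSE = [("open", "paid"), ("out", lambda e: e["h"]), ("close", "paid"),
                      ("out", lambda e: e["h"])]
# Output h + k with only h's lock open: leaks k (compare h=0,k=1 with h=1,k=0).
MIXED_LEAK = [("open", "paid"), ("out", lambda e: e["h"] + e["k"])]

if __name__ == "__main__":
    for name, prog in [("release while open", RELEASE_WHILE_OPEN),
                       ("release after close", RELEASE_AFTER_CLOSE),
                       ("repeat after close", REPEAT_AFTER_CLOSE),
                       ("mixed leak", MIXED_LEAK)]:
        print(f"{name}: {'secure' if is_secure(prog) else 'insecure'}")
```

The third program is the one a flow-insensitive, run-comparison style model tends to get wrong: the second output of `h` happens while the lock is closed, yet it is harmless because the observer already knew `h`. Judging each observation by the knowledge it actually adds, against the locks open at that instant, accepts it, while the fourth program is rejected because the sum discloses part of `k` without its lock.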
- {AB05} A. Almeida Matos and G. Boudol. On declassification and the non-disclosure policy. In Proc. IEEE Computer Security Foundations Workshop, pages 226--240, June 2005.
- {AHSS08} A. Askarov, S. Hunt, A. Sabelfeld, and D. Sands. Termination insensitive noninterference leaks more than just a bit. In Proc. European Symp. on Research in Computer Security, 2008.
- {AS07} A. Askarov and A. Sabelfeld. Gradual release: Unifying declassification, encryption and key release policies. In Proc. IEEE Symp. on Security and Privacy, pages 207--221, May 2007.
- {BCR08} G. Barthe, S. Cavadini, and T. Rezk. Tractable enforcement of declassification policies. In Proc. IEEE Computer Security Foundations Symposium, 2008.
- {BNR08} A. Banerjee, D. Naumann, and S. Rosenberg. Expressive declassification policies and modular static enforcement. In Proc. IEEE Symp. on Security and Privacy, pages 339--353, 2008.
- {BS06a} N. Broberg and D. Sands. Flow locks: Towards a core calculus for dynamic flow policies. In Programming Languages and Systems, 15th European Symposium on Programming (ESOP 2006), volume 3924 of LNCS. Springer-Verlag, 2006.
- {BS06b} N. Broberg and D. Sands. Flow locks: Towards a core calculus for dynamic flow policies. Technical report, Chalmers University of Technology and Göteborg University, May 2006. Extended version of {BS06a}.
- {Dam06} M. Dam. Decidability and proof systems for language-based noninterference relations. In Proc. ACM Symp. on Principles of Programming Languages, 2006.
- {DEG06} C. Dima, C. Enea, and R. Gramatovici. Nondeterministic noninterference and deducible information flow. Technical Report 2006--01, University of Paris 12, LACL, 2006.
- {EP03} R. Echahed and F. Prost. Handling harmless interference. Technical Report 82, Laboratoire Leibniz, IMAG, June 2003.
- {EP05} R. Echahed and F. Prost. Security policy in a declarative style. In Proc. 7th International Conference on Principles and Practice of Declarative Programming (PPDP '05), Lisboa, Portugal, July 2005.
- {GM82} J. A. Goguen and J. Meseguer. Security policies and security models. In Proc. IEEE Symp. on Security and Privacy, pages 11--20, April 1982.
- {LM08} A. Lux and H. Mantel. Who can declassify? In Preproceedings of the Workshop on Formal Aspects in Security and Trust (FAST), 2008.
- {McC87} D. McCullough. Specifications for multi-level security and hook-up property. In Proc. IEEE Symp. on Security and Privacy, pages 161--166, April 1987.
- {MR07} H. Mantel and A. Reinhard. Controlling the what and where of declassification in language-based security. In Proc. European Symp. on Programming, volume 4421 of LNCS, pages 141--156. Springer-Verlag, March 2007.
- {MS04} H. Mantel and D. Sands. Controlled downgrading based on intransitive (non)interference. In Proc. Asian Symp. on Programming Languages and Systems, volume 3302 of LNCS, pages 129--145. Springer-Verlag, November 2004.
- {MSZ04} A. Myers, A. Sabelfeld, and S. Zdancewic. Enforcing robust declassification. In Proc. IEEE Computer Security Foundations Workshop, pages 172--186, June 2004.
- {SHTZ06} N. Swamy, M. Hicks, S. Tse, and S. Zdancewic. Managing policy updates in security-typed languages. In Proc. IEEE Computer Security Foundations Workshop, 2006.
- {SS00} A. Sabelfeld and D. Sands. Probabilistic noninterference for multi-threaded programs. In Proc. IEEE Computer Security Foundations Workshop, pages 200--214, July 2000.
- {SS05} A. Sabelfeld and D. Sands. Dimensions and principles of declassification. In Proc. IEEE Computer Security Foundations Workshop, pages 255--269, June 2005.
- {TZ04} S. Tse and S. Zdancewic. Run-time principals in information-flow type systems. In Proc. IEEE Symp. on Security and Privacy, pages 179--193, 2004.
- {ZM07} L. Zheng and A. C. Myers. Dynamic security labels and static information flow control. International Journal of Information Security, 6, 2007.
Index Terms
- Flow-sensitive semantics for dynamic information flow policies