14 research outputs found
A New Enforcement on Declassification with Reachability Analysis
Language-based information flow security aims to decide whether an
action-observable program can unintentionally leak confidential information if
it has the authority to access confidential data. Recent concerns about
declassification polices have provided many choices for practical intended
information release, but more precise enforcement mechanism for these policies
is insufficiently studied. In this paper, we propose a security property on the
where-dimension of declassification and present an enforcement based on
automated verification. The approach automatically transforms the abstract
model with a variant of self-composition, and checks the reachability of
illegal-flow state of the model after transformation. The self-composition is
equipped with a store-match pattern to reduce the state space and to model the
equivalence of declassified expressions in the premise of property. The
evaluation shows that our approach is more precise than type-based enforcement.Comment: 7 pages, this is a full version of the work presented on 2011 IEEE
INFOCOM Workshop
Assumptions and guarantees for compositional noninterference
The idea of building secure systems by plugging together "secure" components is appealing, but this requires a definition of security which, in addition to taking care of top-level security goals, is strengthened appropriately in order to be compositional. This approach has been previously studied for information-flow security of shared-variable concurrent programs, but the price for compositionality is very high: a thread must be extremely pessimistic about what an environment might do with shared resources. This pessimism leads to many intuitively secure threads being labelled as insecure. Since in practice it is only meaningful to compose threads which follow an agreed protocol for data access, we take advantage of this to develop a more liberal compositional security condition. The idea is to give the security definition access to the intended pattern of data usage, as expressed by assumption-guarantee style conditions associated with each thread. We illustrate the improved precision by developing the first flow-sensitive security type system that provably enforces a noninterference-like property for concurrent programs. \ua9 2011 IEEE
Scheduler-Independent Declassification
Abstract The controlled declassification of secrets has received much attention in research on information-flow security, though mostly for se-quential programming languages. In this article, we aim at guarantee-ing the security of concurrent programs. We propose the novel security property WHAT&WHERE that allows one to limit what information may be declassified where in a program. We show that our property provides adequate security guarantees independent of the scheduling al-gorithm (which is non-trivial due to the refinement paradox) and present a security type system that reliably enforces the property. In a second scheduler-independence result, we show that an earlier proposed security condition is adequate for the same range of schedulers. These are the first scheduler-independence results in the presence of declassification.
Stateful Declassification Policies for Event-Driven Programs
International audience—We propose a novel mechanism for enforcing information flow policies with support for declassification on event-driven programs. Declassification policies consist of two functions. First, a projection function specifies for each confidential event what information in the event can be declassified directly. This generalizes the traditional security labelling of inputs. Second, a stateful release function specifies the aggregate information about all confidential events seen so far that can be declassified. We provide evidence that such declassification policies are useful in the context of JavaScript web applications. An enforcement mechanism for our policies is presented and its soundness and precision is proven. Finally, we give evidence of practicality by implementing and evaluating the mechanism in a browser
RIFL 1.1: A Common Specification Language for Information-Flow Requirements
The RS³ Information-Flow Specification Language (RIFL) is a policy
language for information-flow security. RIFL originated from the need
for a common language for specifying security requirements within the
DFG priority program Reliably Secure Software Systems (RS³)
(http://www.spp-rs3.de). In this report, we present the syntax and
informal semantics of RIFL 1.1, the most recent version of RIFL.
At this point in time, RIFL is supported by four tools for
information-flow analysis. We believe that RIFL can also be useful as
a policy language for further tools, and we encourage its adoption and
extension by the community
Information flow analysis for mobile code in dynamic security environments
With the growing amount of data handled by Internet-enabled
mobile devices, the task of preventing software from leaking
confidential information is becoming increasingly important. At
the same time, mobile applications are typically executed on
different devices whose users have varying requirements for the
privacy of their data. Users should be able to define their
personal information security settings, and they should get a
reliable assurance that the installed software respects these
settings. Language-based information flow security focuses on
the analysis of programs to determine information flows among
accessed data resources of different security levels, and to
verify and formally certify that these flows follow a given
policy. In the mobile code scenario, however, both the dynamic
aspect of the security environment and the fact that mobile
software is distributed as bytecode pose a challenge for existing
static analysis approaches. This thesis presents a
language-based mechanism to certify information flow security in
the presence of dynamic environments. An object-oriented
high-level language as well as a bytecode language are equipped
with facilities to inspect user-defined information flow security
settings at runtime. This way, the software developer can create
privacy-aware programs that can adapt their behaviour to
arbitrary security environments, a property that is formalized as
"universal noninterference". This property is statically
verified by an information flow type system that uses restrictive
forms of dependent types to judge abstractly on the concrete
security policy that is effective at runtime. To verify compiled
bytecode programs, a low-level version of the type system is
presented that works on an intermediate code representation in
which the original program structure is partially restored.
Rigorous soundness proofs and a type-preserving compilation
enable the generation of certified bytecode programs in the style
of proof-carrying code. To show the practical feasibility of the
approach, the system is implemented and demonstrated on a
concrete application scenario, where personal data are sent from
a mobile device to a server on the Internet