Mostly-static decentralized information flow control
Thesis (Ph.D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 1999. Includes bibliographical references (p. 169-174) and index. This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.

The growing use of mobile code in downloaded programs such as applets and servlets has increased interest in robust mechanisms for ensuring privacy and secrecy. Common security mechanisms such as sandboxing and access control are either too restrictive or too weak -- they prevent applications from sharing data usefully, or allow private information to leak. For example, security mechanisms in Java prevent many useful applications while still permitting Trojan horse applets to leak private information. This thesis describes the decentralized label model, a new model of information flow control that protects private data while allowing applications to share data. Unlike previous approaches to privacy protection based on information flow, this label model is decentralized: it allows cooperative computation by mutually distrusting principals, without mediation by highly trusted agents. Cooperative computation is possible because individual principals can declassify their own data without infringing on other principals' privacy. The decentralized label model permits programs using it to be checked statically, which is important for the precise detection of information leaks. This thesis also presents the new language JFlow, an extension to the Java programming language that incorporates the decentralized label model and permits static checking of information flows within programs. Variable declarations in JFlow programs are annotated with labels that allow the static checker to check programs for information leaks efficiently, in a manner similar to type checking. Often, these labels can be inferred automatically, so annotating programs is not onerous.
Dynamic checks also may be used safely when static checks are insufficiently powerful. A compiler has been implemented for the JFlow language. Because most checking is performed statically at compile time, the compiler generates code with few additional dynamic tests, improving performance.

by Andrew C. Myers. Ph.D.
Formal Semantics for Java-like Languages and Research Opportunities
The objective of this paper is twofold. First, we discuss the state of the art in Java-like semantics, focusing on those that provide a formal specification using operational semantics (big-step or small-step), studying in detail the most cited projects and presenting some derivative works that extend the originals by aggregating useful features. We also filter our survey for those that provide some insight into type-safety proofs. Furthermore, we provide a comparison between the most used projects in order to show which functionalities are covered by each. Second, our effort is focused on the research opportunities in this area, showing some important works that can be applied to the previously presented projects to study features of object-oriented languages, and pointing to some possibilities to explore in future research.
A Verified Information-Flow Architecture
SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to dynamically control information flow in SAFE and an end-to-end proof of noninterference for this model.

We use a refinement proof methodology to propagate the noninterference property of the abstract machine down to the concrete machine level. We use an intermediate layer in the refinement chain that factors out the details of the information-flow control policy and devise a code generator for compiling such information-flow policies into low-level monitor code. Finally, we verify the correctness of this generator using a dedicated Hoare logic that abstracts from low-level machine instructions into a reusable set of verified structured code generators.
Access and information flow control to secure mobile web service compositions in resource constrained environments
The growing use of mobile web services such as electronic health records systems and applications like Twitter and Facebook has increased interest in robust mechanisms for ensuring security for such information sharing services. Common security mechanisms such as access control and information flow control are either restrictive or weak in that they prevent applications from sharing data usefully, and/or allow private information leaks when used independently. Typically, when services are composed there is a resource that some or all of the services involved in the composition need to share. However, during service composition security problems arise because the resulting service is made up of different services from different security domains. A key issue that arises, and that we address in this thesis, is that of enforcing secure information flow control during service composition to prevent illegal access and propagation of information between the participating services. This thesis describes a model that combines access control and information flow control in one framework. We specifically consider a case study of an e-health service application, and consider how constraints like location and context dependencies impact authentication and authorization. Furthermore, we consider how data sharing applications such as the e-health service application handle issues of unauthorized users and insecure propagation of information in resource-constrained environments. Our framework addresses this issue of illegitimate information access and propagation by making use of the concept of program dependence graphs (PDGs). Program dependence graphs use path conditions as necessary conditions for secure information flow control. The advantage of this approach to securing information sharing is that information is only propagated if the criteria for data sharing are verified.
Our solution offers good performance and fast authentication while taking bandwidth limitations into account. A security analysis shows the theoretical improvements our scheme offers. Results obtained confirm that the framework accommodates the CIA triad (the confidentiality, integrity and availability model designed to guide information security policies) in our work and can be used to motivate further research in this field.
Program-level Specification and Deductive Verification of Security Properties
Programs with publicly accessible interfaces are increasingly used to process confidential data. This makes it all the more important to control the information flow within such applications. This thesis shows how highly precise specification and deductive verification of language-based secure information flow can be made feasible. The approach does not rely on fixed approximations, but makes use of the precision provided by the underlying calculus for Java Dynamic Logic.
Secure file sharing
File sharing has become an indispensable part of our daily lives. The shared files might be sensitive; thus, their confidentiality, integrity and availability should be protected. Such protection might be against external threats that are initiated by unauthorised users or insider threats that are initiated by authorised users. Our main interest in this thesis is in insider threats. Protecting shared files against insiders is a challenging problem. Insiders enjoy various characteristics such as being trusted and authorised, in addition to being inside the network perimeter and having knowledge of information systems. This makes it difficult to prevent or detect policy violations by these users. The goal of this thesis is to protect shared files from the perspective of insider security with language-based techniques.
In the first part of the thesis, we define precisely what we mean by an insider and the insider problem, and propose an approach to classify the insider problem into different categories. We then define and focus on one category that is related to file sharing, namely protecting the confidentiality and integrity of shared files against accidental misuse by insiders. Furthermore, we classify the activity of file sharing into different categories that describe all possible ways of performing it. These categories represent policies that describe how files should be propagated and accessed by insiders. We show that enforcing these policies can protect the files against accidental misuse by insiders while allowing the activity of sharing to be performed as desired. Thus our interest can be summarised as keeping honest users safe.
In the second part of the thesis, we develop a security type system that statically enforces information flow and access control policies in a file system. Files are associated with security types that represent security policies, and programs are sets of operations to be performed on files, such as read, copy, move, etc. A type checker, therefore, will statically check each operation to be performed on a file and determine whether the operation satisfies the policy of the file. We prove that our type system is sound, develop a type reconstruction algorithm, and prove its soundness and completeness. The type system we developed in this thesis protects the files against accidental misuse by insiders.