A progress-sensitive flow-sensitive inlined information-flow control monitor (extended version)
We present a novel progress-sensitive, flow-sensitive hybrid information-flow control monitor for an imperative interactive language. Progress-sensitive information-flow control is a strong information security guarantee which ensures that a program's progress (or lack of) does not leak information. Flow-sensitivity means that this strong security guarantee is enforced fairly precisely: our monitor tracks information flow per variable and per program point. We illustrate our approach on an imperative interactive language. Our hybrid monitor is inlined: source programs are translated, by a type-based analysis, into a target language that supports dynamic security levels. A key benefit of this is that the resulting monitored program is amenable to standard optimization techniques such as partial evaluation. One of the distinguishing features of our hybrid monitor is that it uses sets of levels to track the different possible security types of variables. This feature allows us to distinguish outputs that never leak information from those that may leak information.
Subject: Engineering and Applied Science
Nontransitive Policies Transpiled
Nontransitive Noninterference (NTNI) and Nontransitive Types (NTT) are a new security condition and enforcement for policies which, in contrast to Denning's classical lattice model, assume no transitivity of the underlying flow relation. Nontransitive security policies are a natural fit for coarse-grained information-flow control where labels are specified at module rather than variable level of granularity. While the nontransitive and transitive policies pursue different goals and have different intuitions, this paper demonstrates that nontransitive noninterference can in fact be reduced to classical transitive noninterference. We develop a lattice encoding that establishes a precise relation between NTNI and classical noninterference. Our results make it possible to clearly position the new NTNI characterization with respect to the large body of work on noninterference. Further, we devise a lightweight program transformation that leverages standard flow-sensitive information-flow analyses to enforce nontransitive policies. We demonstrate several immediate benefits of our approach, both theoretical and practical. First, we improve the permissiveness over (while retaining the soundness of) the nonstandard NTT enforcement. Second, our results naturally generalize to a language with intermediate inputs and outputs. Finally, we demonstrate the practical benefits by utilizing the state-of-the-art flow-sensitive tool JOANA to enforce nontransitive policies for Java programs.
Sheaf semantics of termination-insensitive noninterference
We propose a new sheaf semantics for secure information flow over a space of abstract behaviors, based on synthetic domain theory: security classes are open/closed partitions, types are sheaves, and redaction of sensitive information corresponds to restricting a sheaf to a closed subspace. Our security-aware computational model satisfies termination-insensitive noninterference automatically, and therefore constitutes an intrinsic alternative to state-of-the-art extrinsic/relational models of noninterference. Our semantics is the latest application of Sterling and Harper's recent re-interpretation of phase distinctions and noninterference in programming languages in terms of Artin gluing and topos-theoretic open/closed modalities. Prior applications include parametricity for ML modules, the proof of normalization for cubical type theory by Sterling and Angiuli, and the cost-aware logical framework of Niu et al. In this paper we employ the phase distinction perspective twice: first to reconstruct the syntax and semantics of secure information flow as a lattice of phase distinctions between "higher" and "lower" security, and second to verify the computational adequacy of our sheaf semantics vis-à-vis an extension of Abadi et al.'s dependency core calculus with a construct for declassifying termination channels.
Comment: Extended version of FSCD '22 paper with full technical appendices
The Transitivity of Trust Problem in the Interaction of Android Applications
Mobile phones have developed into complex platforms with large numbers of installed applications and a wide range of sensitive data. Application security policies limit the permissions of each installed application. As applications may interact, restricting single applications may create a false sense of security for the end users while data may still leave the mobile phone through other applications. Instead, the information flow needs to be policed for the composite system of applications in a transparent and usable manner. In this paper, we propose to employ static analysis based on the software architecture and focused data flow analysis to scalably detect information flows between components. Specifically, we aim to reveal transitivity of trust problems in multi-component mobile platforms. We demonstrate the feasibility of our approach with Android applications, although the generalization of the analysis to similar composition-based architectures, such as Service-oriented Architecture, can also be explored in the future.