75 research outputs found
Existential Types for Relaxed Noninterference
Information-flow security type systems ensure confidentiality by enforcing
noninterference: a program cannot leak private data to public channels.
However, in practice, programs need to selectively declassify information about
private data. Several approaches have provided a notion of relaxed
noninterference supporting selective and expressive declassification while
retaining a formal security property. The labels-as-functions approach provides
relaxed noninterference by means of declassification policies expressed as
functions. The labels-as-types approach expresses declassification policies
using type abstraction and faceted types, a pair of types representing the
secret and public facets of values. The original proposal of labels-as-types is
formulated in an object-oriented setting where type abstraction is realized by
subtyping. The object-oriented approach however suffers from limitations due to
its receiver-centric paradigm.
In this work, we consider an alternative approach to labels-as-types,
applicable in non-object-oriented languages, which allows us to express
advanced declassification policies, such as extrinsic policies, based on a
different form of type abstraction: existential types. An existential type
exposes abstract types and operations on these; we leverage this abstraction
mechanism to express secrets that can be declassified using the provided
operations. We formalize the approach in a core functional calculus with
existential types, define existential relaxed noninterference, and prove that
well-typed programs satisfy this form of type-based relaxed noninterference
A Design for a Security-typed Language with Certificate-based Declassification
This paper presents a calculus that supports information-flow security policies and certificate-based declassification. The decentralized label model and its downgrading mechanisms are concisely expressed in the polymorphic lambda calculus with subtyping (System F≾). We prove a conditioned version of the noninterference theorem such that authorization for declassification is justified by digital certificates from public-key infrastructures
Dynamic IFC Theorems for Free!
We show that noninterference and transparency, the key soundness theorems for
dynamic IFC libraries, can be obtained "for free", as direct consequences of
the more general parametricity theorem of type abstraction. This allows us to
give very short soundness proofs for dynamic IFC libraries such as faceted
values and LIO. Our proofs stay short even when fully mechanized for Agda
implementations of the libraries in terms of type abstraction.Comment: CSF 2021 final versio
Type Abstraction for Relaxed Noninterference
Information-flow security typing statically prevents confidential information to leak to public channels. The fundamental information flow property, known as noninterference, states that a public observer cannot learn anything from private data. As attractive as it is from a theoretical viewpoint, noninterference is impractical: real systems need to intentionally declassify some information, selectively. Among the different information flow approaches to declassification, a particularly expressive approach was proposed by Li and Zdancewic, enforcing a notion of relaxed noninterference by allowing programmers to specify declassification policies that capture the intended manner in which public information can be computed from private data.
This paper shows how we can exploit the familiar notion of type abstraction to support expressive declassification policies in a simpler, yet more expressive manner. In particular, the type-based approach to declassification---which we develop in an object-oriented setting---addresses several issues and challenges with respect to prior work, including a simple notion of label ordering based on subtyping, support for recursive declassification policies, and a local, modular reasoning principle for relaxed noninterference. This work paves the way for integrating declassification policies in practical security-typed languages
Run-time Principals in Information-flow Type Systems
Information-flow type systems are a promising approach for enforcing strong end-to-end confidentiality and integrity policies. Such policies, however, are usually specified in term of static information—data is labeled high or low security at compile time. In practice, the confidentiality of data may depend on information available only while the system is running.
This paper studies language support for run-time principals, a mechanism for specifying information-flow security policies that depend on which principals interact with the system. We establish the basic property of noninterference for programs written in such language, and use run-time principals for specifying run-time authority in downgrading mechanisms such as declassification.
In addition to allowing more expressive security policies, run-time principals enable the integration of language-based security mechanisms with other existing approaches such as Java stack inspection and public key infrastructures. We sketch an implementation of run-time principals via public keys such that principal delegation is verified by certificate chains
- …