State-oriented noninterference for CCS

We address the question of typing noninterference (NI) in Milner's Calculus of Communicating Systems (CCS), in such a way that Milner's translation of a standard parallel imperative language into CCS preserves both an existing NI property and the associated type system. Recently, Focardi, Rossi and Sabelfeld have shown that a variant of Milner's translation, restricted to the sequential fragment of the language, maps a time-sensitive NI property to that of Persistent Bisimulation-based Non Deducibility on Compositions (PBNDC) on CCS. However, since CCS was not equipped with a security type system, the question of whether the translation preserves types could not be addressed. We extend Focardi, Rossi and Sabelfeld's result by showing that a slightly different variant of Milner's translation preserves a time-insensitive NI property on the full parallel language, by mapping it again to PBNDC. As a by-product, we formalise a folklore result, namely that Milner's translation preserves a natural behavioural equivalence on programs. We present a type system ensuring the PBNDC-property on CCS, inspired from type systems for the pi-calculus. Unfortunately, this type system as it stands is too restrictive to grant the expected type preservation result. We sketch a solution to overcome this problem

Combining behavioural types with security analysis

Today's software systems are highly distributed and interconnected, and they increasingly rely on communication to achieve their goals; due to their societal importance, security and trustworthiness are crucial aspects for the correctness of these systems. Behavioural types, which extend data types by describing also the structured behaviour of programs, are a widely studied approach to the enforcement of correctness properties in communicating systems. This paper offers a unified overview of proposals based on behavioural types which are aimed at the analysis of security properties

On the Foundations of Practical Language-Based Security

Language-based information flow control (IFC) promises to provide programming languages and tools that make it easy for developers to write secure code. Traditionally,\ua0research in this field aims to build a variant on a programming language or system\ua0that lets developers write code that gives them strong guarantees beyond the potential\ua0memory- and type-safety guarantees of modern languages. However, two developments\ua0in the field challenge this paradigm. Firstly, backwards-compatible security enforcement\ua0without false alarms promises to retrofit security enforcement on code that was not written with the enforcement mechanism in mind. This has the potential to greatly increase\ua0the applicability of IFC enforcement to legacy and mobile code from untrusted sources.Secondly, library-based security, a technique by which IFC researchers provide a software\ua0library in an established language whose programming interface gives the same guarantees as a stand-alone IFC tool for developers to use promises to do away with specialized\ua0IFC languages. This technique also has the potential to increase the applicability of IFC\ua0enforcement as developers no longer need to adopt a whole new language to get securityguarantees.This thesis makes contributions to both these recent developments that come in two\ua0parts; the first part concerns enforcing secure information flow without introducing false\ua0alarms while the second part concerns the correctness of using libraries instead of fullyfledged IFC programming languages to write secure code.The first part of the thesis makes the following contributions:1. It unifies the existing literature, in the form of Secure Multi-Execution and MultipleFacets, on security enforcement without false alarms by introducing Faceted SecureMulti-Execution.2. It explores the unique optimisation challenges that appear in this setting. Specifically, mixing multi-execution and facets means that unnecessarily large facetedtrees give rise to unnecessary executions in multi-execution and vice verse. Thisthesis proposes optimisation strategies that can overcome this hurdle.3. It proves an exponential lower bound on black-box false-alarm-free enforcementand new possibility results for false-alarm-free enforcement of a variant of the noninterference security condition known as termination insensitive noninterference.4. It classifies the special cases of enforcement that is not subject to the aforementionedexponential lower bound. Specifically, this thesis shows how and why the choice ofsecurity lattice makes the difference between exponential, polynomial, and constantoverheads in multi-execution.In short, the first part of the thesis unifies the existing literature on false-alarm-freeIFC enforcement and presents a number of results on the performance of enforcementmechanisms of this kind.The second part of the thesis meanwhile makes the following contributions:1. It reduces the trusted computing base of security libraries by showing how to implement secure effects on top of an already secure core without incurring any newproof obligations.2. It shows how to simplify DCC, the core language in the literature, without losingexpressiveness.3. It proves that noninterference can be derived in a simple and straightforward wayfrom parametricity for both static and dynamic security libraries. This in turnreduces the conceptual gap between the kind of security libraries that are writtentoday and the proofs one can write to prove that the libraries ensure noninterference.In short, the second part of the thesis provides a new direction for thinking about thecorrectness of security libraries by both reducing the amount of trusted code and by introducing improved means of proving that a security library guarantees noninterference

Complexity and Unwinding for Intransitive Noninterference

The paper considers several definitions of information flow security for intransitive policies from the point of view of the complexity of verifying whether a finite-state system is secure. The results are as follows. Checking (i) P-security (Goguen and Meseguer), (ii) IP-security (Haigh and Young), and (iii) TA-security (van der Meyden) are all in PTIME, while checking TO-security (van der Meyden) is undecidable, as is checking ITO-security (van der Meyden). The most important ingredients in the proofs of the PTIME upper bounds are new characterizations of the respective security notions, which also lead to new unwinding proof techniques that are shown to be sound and complete for these notions of security, and enable the algorithms to return simple counter-examples demonstrating insecurity. Our results for IP-security improve a previous doubly exponential bound of Hadj-Alouane et al

A Verified Information-Flow Architecture

SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to dynamically control information flow in SAFE and an end-to-end proof of noninterference for this model. We use a refinement proof methodology to propagate the noninterference property of the abstract machine down to the concrete machine level. We use an intermediate layer in the refinement chain that factors out the details of the information-flow control policy and devise a code generator for compiling such information-flow policies into low-level monitor code. Finally, we verify the correctness of this generator using a dedicated Hoare logic that abstracts from low-level machine instructions into a reusable set of verified structured code generators

Information Security as Strategic (In)effectivity

Security of information flow is commonly understood as preventing any information leakage, regardless of how grave or harmless consequences the leakage can have. In this work, we suggest that information security is not a goal in itself, but rather a means of preventing potential attackers from compromising the correct behavior of the system. To formalize this, we first show how two information flows can be compared by looking at the adversary's ability to harm the system. Then, we propose that the information flow in a system is effectively information-secure if it does not allow for more harm than its idealized variant based on the classical notion of noninterference

Securing the Foundations of Practical Information Flow Control

Language-based information flow control (IFC) promises to secure computer programs against malicious or incompetent programmers by addressing key shortcomings of modern programming languages. In spite of showing great promise, the field remains under-utilised in practise. This thesis makes contributions to the theoretical foundations of IFC aimed at making the techniques practically applicable. The paper addresses two primary topics, IFC as a library and IFC without false alarms. The contributions range from foundational observations about soundness and completeness, to practical considerations of efficiency and expressiveness

Security analysis of private data enquiries in Erlang

Privacy is an issue of increasing concern to the Inter- net user. To ensure the continued success of distributed information systems, a reliable information flow must be established in certified but immediately evident ways. We begin with basic consideration of the privacy problem in the general setting of database enquiries. From there, we develop a simple solution, which we illustrate with a simple implementation in the programming language Erlang. We first provide an informal security analysis that is then developed into a formal definition of a type system for noninterference