
    A Cut Principle for Information Flow

    We view a distributed system as a graph of active locations with unidirectional channels between them, through which they pass messages. In this context, the graph structure of a system constrains the propagation of information through it. Suppose a set of channels is a cut set between an information source and a potential sink. We prove that, if there is no disclosure from the source to the cut set, then there can be no disclosure to the sink. We introduce a new formalization of partial disclosure, called *blur operators*, and show that the same cut property is preserved for disclosure to within a blur operator. This cut-blur property also implies a compositional principle, which ensures limited disclosure for a class of systems that differ only beyond the cut. Comment: 31 pages.

    Information Security as Strategic (In)effectivity

    Security of information flow is commonly understood as preventing any information leakage, regardless of how grave or harmless the consequences of the leakage may be. In this work, we suggest that information security is not a goal in itself, but rather a means of preventing potential attackers from compromising the correct behavior of the system. To formalize this, we first show how two information flows can be compared by looking at the adversary's ability to harm the system. Then, we propose that the information flow in a system is effectively information-secure if it does not allow for more harm than its idealized variant based on the classical notion of noninterference.

    JBLIF, a tool for non-interference analysis of java and java bytecode programs

    Protecting sensitive information has become an important facet of software development. One aspect of software security relies on information flow control (IFC), a technique for discovering information leaks in software. Despite the large body of work on language-based IFC, there are only few implementations of information flow analyzers for full-scale, real programming languages. This lack signifies a gap between IFC theory and practice. This work introduces a tool that helps to bridge this gap: JBLIF (an acronym for Java Bytecode-Level Information Flow), a tool capable of statically detecting information leaks in systems coded in Java and/or Java bytecode. Red de Universidades con Carreras en Informática (RedUNCI).

    Unwinding in Information Flow Security

    We study information flow security properties which are persistent, in the sense that if a system is secure then all of its reachable states are secure too. We present a uniform characterization of these properties in terms of a general unwinding schema. This unwinding characterization allows us to prove several compositionality properties of the considered security classes. Moreover, we exploit the unwinding condition to dictate the form of the rules we can use to incrementally develop secure processes and to rectify insecure processes.

    Delimited Persistent Stochastic Non-Interference

    Non-Interference is an information flow security property which aims to protect confidential data by ensuring the complete absence of any information flow from high-level entities to low-level ones. However, this requirement is too demanding when dealing with real applications: indeed, no real policy ever guarantees a total absence of information flow. In order to deal with real applications, it is often necessary to allow mechanisms for downgrading or declassifying information, such as information filters and channel control. In this paper we generalize the notion of Persistent Stochastic Non-Interference (PSNI) in order to allow information to flow from a higher to a lower security level through a downgrader. We introduce the notion of Delimited Persistent Stochastic Non-Interference (D_PSNI) and provide two characterizations of it, one expressed in terms of bisimulation-like equivalence checks and another formulated through unwinding conditions. Then we prove some compositionality properties. Finally, we present a decision algorithm and discuss its complexity.

    GAMES AND STRATEGIES IN ANALYSIS OF SECURITY PROPERTIES

    Information security problems typically involve decision makers who choose and adjust their behaviors in interaction with each other in order to achieve their goals. Consequently, game-theoretic models can potentially be a suitable tool for better understanding the challenges that the interaction of participants in information security scenarios brings about. In this dissertation, we employ models and concepts of game theory to study a number of subjects in the field of information security. In the first part, we take a game-theoretic approach to the matter of preventing coercion in elections. Our game models for the election involve an honest election authority that chooses between various protection methods with different levels of resistance and different implementation costs. By analysing these games, it turns out that society is better off if the security policy is publicly announced and the authorities commit to it. Our focus in the second part is on the property of noninterference in information flow security. Noninterference is a property that captures confidentiality of actions executed by a given process. However, the property is hard to guarantee in realistic scenarios. We show that the security of a system can be seen as an interplay between functionality requirements and the strategies adopted by users, and based on this we propose a weaker notion of noninterference, which we call strategic noninterference. We also give a characterisation of strategic noninterference through unwinding relations for specific subclasses of goals and for the simplified setting where a strategy is given as a parameter. In the third part, we study the security of information flow based on the consequences of information leakage to the adversary. Models of information flow security commonly prevent any information leakage, regardless of how grave or harmless the consequences of the leakage can be. Even in models where each piece of information is classified as either sensitive or insensitive, the classification is "hardwired" and given as a parameter of the analysis, rather than derived from more fundamental features of the system. We suggest that information security is not a goal in itself, but rather a means of preventing potential attackers from compromising the correct behavior of the system. To formalize this, we first show how two information flows can be compared by looking at the adversary's ability to harm the system. Then, we propose that the information flow in a system is effectively secure if it is as good as its idealized variant based on the classical notion of noninterference. Finally, we shift our focus to the strategic aspect of information security in voting procedures. We argue that the notions of receipt-freeness and coercion resistance are underpinned by the existence (or nonexistence) of a suitable strategy for some participants of the voting process. In order to back the argument formally, we provide logical "transcriptions" of the informal intuitions behind coercion-related properties that can be found in the existing literature. The transcriptions are formulated in the modal game logic ATL*, well known in the area of multi-agent systems.