9 research outputs found

    JRIF: Reactive Information Flow Control for Java

    A reactive information flow (RIF) automaton for a value v specifies (i) the allowed uses for v and (ii) the RIF automaton for any value that might be directly or indirectly derived from v. RIF automata thus specify how transforming a value alters how the result might be used. Such labels are more expressive than existing approaches for controlling downgrading. We devised a type system around RIF automata and incorporated it into Jif, a dialect of Java that supports a classic form of labels for information flow. By implementing a compiler for the resulting JRIF language, we demonstrate how easy it is to replace a classic information-flow type system with a more expressive RIF-based type system. We programmed two example applications in JRIF, and we discuss the insights they provide into the benefits of RIF-based security labels. Supported in part by AFOSR grants F9550-06-0019 and FA9550-11-1-0137, National Science Foundation grants 0430161, 0964409, and CCF-0424422 (TRUST), ONR grants N00014-01-1-0968 and N00014-09-1-0652, and grants from Microsoft.

    The third country problem under the GDPR: enhancing protection of data transfers with technology

    The overall objective of the General Data Protection Regulation (GDPR) is two-fold: to contribute to the protection of privacy and personal data, and to promote the free flow of personal data within the protected area through uniform regulations and homogenized interpretations of those regulations. If a controller or processor in the protected area (the exporter) transfers personal data to a country, region, or international organization outside the EEA, the exporter gets the advantage of the free flow of personal data to an area without homogenized data protection rules and interpretations. Under such circumstances, it is imperative to establish requirements that contribute to the initial objective of the GDPR, the protection of privacy and personal data. In EU data protection law, this requirement is known as the 'essentially equivalent' requirement. If personal data are to be transferred outside the protected area, the receiving country must have a level of personal data protection 'essentially equivalent' to that of the protected area.

    RIF: Reactive Information Flow Labels

    The restrictions that a reactive information flow (RIF) label imposes on a value are determined by the sequence of operations used to derive that value. This allows declassification, endorsement, and other forms of reclassification to be supported in a uniform way. Piecewise noninterference (PWNI) is introduced as a fitting security policy, because noninterference is not suitable. A type system is given for static enforcement of PWNI in programs that associate checkable classes of RIF labels with variables. Two checkable classes of RIF labels are described: RIF automata, which are general-purpose and based on finite-state automata, and κ-labels, which concern confidentiality in programs that use cryptographic operations.

    ENHANCING EXPRESSIVENESS OF INFORMATION FLOW LABELS: RECLASSIFICATION AND PERMISSIVENESS

    Increasing the expressiveness of information flow labels can improve the permissiveness of an enforcement mechanism. This thesis studies two formulations of expressive information flow labels: RIF labels and label chains. The restrictions that a reactive information flow (RIF) label imposes on a value depend on the sequence of operations used to derive that value. This allows declassification, endorsement, and other forms of reclassification to be supported in a uniform way. Piecewise noninterference (PWNI) is introduced as the appropriate security policy. A type system is given for static enforcement of PWNI in programs that associate checkable classes of RIF labels with variables. Two checkable classes of RIF labels are described: general-purpose RIF automata and κ-labels for programs that use cryptographic operations. But labels themselves can encode information, and thus certain restrictions should be imposed on their use, too. A new family of dynamic enforcement mechanisms is derived to leverage arbitrarily long label chains, where each label in the chain defines restrictions for its predecessor. These enforcers satisfy Block-safe Noninterference (BNI), which proscribes leaks from observing variables, label chains, and blocked executions. Theorems characterize where longer label chains improve the permissiveness of dynamic enforcement mechanisms that satisfy BNI. These theorems depend on semantic attributes of such mechanisms as well as on initialization, threat model, and the size of the lattice of labels.

    Block-safe Information Flow Control

    Flow-sensitive dynamic enforcement mechanisms for information flow labels offer increased permissiveness. However, these mechanisms may leak sensitive information when deciding to block insecure executions. When enforcing two labels (e.g., secret and public), sensitive information is leaked from the context in which this decision is taken. When enforcing arbitrary labels, additional sensitive information is leaked from the labels involved in the decision to block an execution. We give examples where, contrary to a common belief, a mechanism designed to enforce two labels may not be able to enforce arbitrary labels, due to this additional leakage. In fact, it is not trivial to design a dynamic enforcement mechanism that offers increased permissiveness, handles multiple labels, and does not introduce information leakage due to blocking insecure executions. In this paper, we present a dynamic enforcement mechanism for information flow labels that has all three attributes. Our mechanism is not purely dynamic, since it uses a lightweight, on-the-fly static analysis of untaken branches. We prove that the set of all normally terminated and blocked traces of a program executed under our mechanism satisfies noninterference against principals that make observations throughout execution.

    Beyond Labels: Permissiveness for Dynamic Information Flow Enforcement

    Flow-sensitive labels used by dynamic enforcement mechanisms might themselves encode sensitive information, which can leak. Metalabels, employed to represent the sensitivity of labels, exhibit the same problem. This paper derives a new family of enforcers, k-Enf for k > 1, that uses label chains, where each label defines the sensitivity of its predecessor. These enforcers satisfy Block-safe Noninterference (BNI), which proscribes leaks from observing variables, label chains, and blocked executions. Theorems in this paper characterize where longer label chains can improve the permissiveness of dynamic enforcement mechanisms that satisfy BNI. These theorems depend on semantic attributes of such mechanisms (k-precise, k-varying, and k-dependent), as well as on initialization, threat model, and lattice size.