
    Non Interference for Intuitionist Necessity

    The necessity modality of intuitionist S4 is a comonad. In this paper, we study indexed necessity modalities that provide the logical foundation for a variety of applications; for example, to model possession of capabilities in policy languages for access control, and to track exceptions in type theories for exceptional computation. Noninterference properties of the intuitionist logic of indexed necessity modalities capture the limitations on the information flow between formulas that are under the scope of necessity modalities with different indices. The impact of noninterference is seen in the unprovability of certain formulas. Noninterference is necessary for several applications. In models of capabilities, noninterference facilitates distributed reasoning. In models of exceptions, noninterference is necessary to ensure that the exceptions are tracked conservatively. In this paper, we prove noninterference properties for indexed intuitionist necessity S4 modalities. To our knowledge, this is the first examination of noninterference results for the intuitionist S4 necessity modality (even without indexing).

    Lambda-RBAC: Programming with Role-Based Access Control

    We study mechanisms that permit program components to express role constraints on clients, focusing on programmatic security mechanisms, which permit access controls to be expressed, in situ, as part of the code realizing basic functionality. In this setting, two questions immediately arise: (1) The user of a component faces the issue of safety: is a particular role sufficient to use the component? (2) The component designer faces the dual issue of protection: is a particular role demanded in all execution paths of the component? We provide a formal calculus and static analysis to answer both questions. Comment: LMC

    Succour to the Confused Deputy Types for Capabilities

    Abstract. The possession of secrets is a recurrent theme in security literature and practice. We present a refinement type system, based on indexed intuitionist S4 necessity, for an object calculus with explicit locations (corresponding to principals) to control the principals that may possess a secret. Type safety ensures that if the execution of a well-typed program leads to a configuration with an object p located at principal a, then a possesses the capability to p. We illustrate the type system with simple examples drawn from web applications, including an illustration of how Cross-Site Request Forgery (CSRF) vulnerabilities may manifest themselves as absurd refinements on object declarations during type checking. This is an extended version of a paper that appears in APLAS 2012.

    Games for Controls

    We argue that games are expressive enough to encompass (history-based) access control, (resource) usage control (e.g., dynamic adaptive access control of reputation systems), accountability-based controls (e.g., insurance), controls derived from rationality assumptions on participants (e.g., network mechanisms), and their composition. Building on the extensive research into games, we demonstrate that this expressive power coexists with a formal analysis framework comparable to that available for access control.

    Local memory via layout randomization

    Randomization is used in computer security as a tool to introduce unpredictability into the software infrastructure. In this paper, we study the use of randomization to achieve the secrecy and integrity guarantees for local memory. We follow the approach set out by Abadi and Plotkin (2010). We consider the execution of an idealized language in two environments. In the strict environment, opponents cannot access local variables of the user program. In the lax environment, opponents may attempt to guess allocated memory locations and thus, with small probability, gain access to the local memory of the user program. We model these environments using two novel calculi: λhashref and λproberef. Our contribution to the Abadi-Plotkin program is to enrich the programming language with dynamic memory allocation, first-class and higher-order references and call/cc-style control. On the one hand, these enhancements allow us to directly model a larger class of system hardening principles. On the other hand, the class of opponents is also enhanced since our enriched language permits natural and direct encoding of attacks that alter the control flow of programs. Our main technical result is a fully abstract translation (up to probability) of λhashref into λproberef. Thus, in the presence of randomized layouts, the opponent gains no new power from being able to guess local references of the user program. Our numerical bounds are similar to those of Abadi and Plotkin; thus, the extra programming language features do not cause a concomitant increase in the resources required for protection via randomization.