Abstract
Whenever data is communicated outside a security domain there is the risk that it may influence data coming back in a way that is not permitted by the security domain. This may arise when different security domains relate to different parallel processes that exchange information through communication. We provide general definitions of the demands on the communication and sanitisation primitives so as to mitigate the risk. For interesting instantiations of these definitions we provide algorithms for checking that the demands have been met. The development is illustrated by a worked example dealing with the outsourcing of data management to the cloud.
References
Arden, O., George, M.D., Liu, J., Vikram, K., Askarov, A., Myers, A.C.: Sharing mobile code securely with information flow control. In: Proceedings of the Symposium on Security and Privacy (SP 2012), pp. 191–205 (2012). https://doi.org/10.1109/SP.2012.22
Arden, O., Liu, J., Myers, A.C.: Flow-limited authorization. In: Proceedings of the 28th Computer Security Foundations Symposium (CSF 2015), pp. 569–583 (2015). https://doi.org/10.1109/CSF.2015.42
Arden, O., Myers, A.C.: A calculus for flow-limited authorization. In: Proceedings of the 29th Computer Security Foundations Symposium (CSF 2016), pp. 135–149 (2016). https://doi.org/10.1109/CSF.2016.17
Aslanyan, Z., Nielson, F.: Pareto efficient solutions of attack-defence trees. In: Focardi, R., Myers, A. (eds.) POST 2015. LNCS, vol. 9036, pp. 95–114. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46666-7_6
Bhardwaj, C., Prasad, S.: Only connect, securely. In: Pérez, J.A., Yoshida, N. (eds.) FORTE 2019. LNCS, vol. 11535, pp. 75–92. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21759-4_5
Dijkstra, E.W.: Guarded commands, nondeterminacy and formal derivation of programs. Commun. ACM 18(8), 453–457 (1975)
Gollmann, D.: Computer Security, 3rd edn. Wiley, Hoboken (2011)
Hansen, R.R., Probst, C.W., Nielson, F.: Sandboxing in myKlaim. In: Proceedings of the International Conference on Availability, Reliability and Security (ARES 2006), pp. 174–181 (2006). https://doi.org/10.1109/ARES.2006.115
Liu, J., Arden, O., George, M.D., Myers, A.C.: Fabric: building open distributed systems securely by construction. J. Comput. Secur. 25(4–5), 367–426 (2017). https://doi.org/10.3233/JCS-15805
de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78800-3_24
Myers, A.C., Liskov, B.: A decentralized model for information flow control. In: Proceedings of the 16th ACM Symposium on Operating Systems Principles (SOSP 1997) (1997)
Myers, A.C., Liskov, B.: Protecting privacy using the decentralized label model. ACM Trans. Softw. Eng. Methodol. 9(4), 410–442 (2000)
Nielson, F., Hansen, R.R., Nielson, H.R.: Adaptive security policies. In: Margaria, T., Steffen, B. (eds.) ISoLA 2020. LNCS, vol. 12477, pp. 280–294. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-61470-6_17
Nielson, F., Nielson, H.R.: Lightweight information flow. In: Boreale, M., Corradini, F., Loreti, M., Pugliese, R. (eds.) Models, Languages, and Tools for Concurrent and Distributed Programming. LNCS, vol. 11665, pp. 455–470. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21485-2_25
Nielson, F., Nielson, H.R.: Secure guarded commands. In: Di Pierro, A., Malacaria, P., Nagarajan, R. (eds.) From Lambda Calculus to Cybersecurity Through Program Analysis. LNCS, vol. 12065, pp. 201–215. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-41103-9_7
Ramli, C.D.P.K., Nielson, H.R., Nielson, F.: The logic of XACML. Sci. Comput. Program. 83, 80–105 (2014)
Volpano, D.M., Irvine, C.E.: Secure flow typing. Comput. Secur. 16(2), 137–144 (1997)
Volpano, D.M., Irvine, C.E., Smith, G.: A sound type system for secure flow analysis. J. Comput. Secur. 4(2/3), 167–188 (1996)
Acknowledgement
The first author was supported in part by the EU H2020-SU-ICT-03-2018 Project No. 830929 CyberSec4Europe (cybersec4europe.eu). The first and second authors were supported in part by the Danish project Security by Design granted by The Danish Industry Foundation. The third author is retired from the Department of Mathematics and Computer Science, Technical University of Denmark, Kgs. Lyngby, Denmark.
A Semantics
As in [15] and [13] we use operational semantics to define the semantics of Secure Guarded Commands with Security Domains.
Expressions are evaluated with respect to a memory \(\sigma \) that assigns values to all variables of interest and the semantic judgement defined in Fig. 7 takes the form \( \sigma \vdash e \rhd v \). Evaluation is undefined if the expression accesses a variable for which the memory does not assign a value. Note that the value of is the same as the value of \(e_1\).
Commands are executed with respect to a memory and produce a new memory. The semantic judgement defined in Fig. 8 takes the form \( (C,\sigma )\rightarrow ^\varphi (C',\sigma ') \). The superscript \(\varphi \) indicates whether the action is silent (\(\tau \)), an input (\(c\,\mathtt{?}\,{v}\)) or an output (\(c\,\mathtt{!}\,{v}\)). We allow C and \(C'\) to range both over commands and the special symbol \(\surd \) indicating a terminated configuration.
Processes have disjoint memories, so they can only exchange values by communicating over the channels. More precisely, each process has a local memory assigning values to its variables of interest, and communication is synchronous. For processes the semantic judgement defined in Fig. 9 takes the form
where once more we allow C and \(C'\) to range both over commands and the special symbol \(\surd \) indicating a terminated configuration. The first rule says that we can let one of the constituent processes perform a silent step, and the second rule says (omitting the details needed to deal with input and output being placed in the other order) that we can let two constituent processes produce matching input and output actions. The side conditions of the rules insist that the domain of each local memory (written \(\mathsf{dom}(\sigma _i)\)) includes the local variables declared in the program (written \(\mathsf{dom}(\mathsf{env}(D_i))\)) and that the channel used for communication is indeed declared in the program (written \(\mathsf{dom}(\mathsf{env}(E))\)), where the environments and declarations are constructed using \(\mathsf{env}(\cdots )\) as defined previously. Note that if one of the processes terminates then the corresponding component in the configuration will contain \(\surd \) and it will not be able to evolve further.
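As an added illustration (not code from the paper or its authors), the following Python interpreter executes the process-level semantics sketched above: each process has its own memory, a silent step advances one process, and a value crosses process boundaries only when an output \(c\,\mathtt{!}\,v\) is paired with an input \(c\,\mathtt{?}\,v\) on a declared channel. The command syntax (assignment, output, input, sequencing), the tuple encoding and the first-enabled-transition scheduler are assumptions made here for the example.

```python
TERM = None  # the terminated configuration, written √ in the paper

def eval_expr(e, mem):  # σ ⊢ e ▷ v; KeyError (undefined) if e reads outside dom(σ)
    if isinstance(e, (int, str)):
        return e if isinstance(e, int) else mem[e]
    op, e1, e2 = e
    ops = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b}
    return ops[op](eval_expr(e1, mem), eval_expr(e2, mem))

def local_step(cmd, mem):
    """One-process step (C,σ) →^φ (C',σ'); φ is ('tau',), ('out', c, v) or ('in', c, x)."""
    if cmd is TERM:
        return []
    if cmd[0] == "assign":
        return [(("tau",), TERM, {**mem, cmd[1]: eval_expr(cmd[2], mem)})]
    if cmd[0] == "out":
        return [(("out", cmd[1], eval_expr(cmd[2], mem)), TERM, mem)]
    if cmd[0] == "in":  # the value bound to x is supplied by rule 2 below
        return [(("in", cmd[1], cmd[2]), TERM, mem)]
    if cmd[0] == "seq":  # C1; C2: step C1 and drop it once it has terminated
        return [(lab, cmd[2] if c1 is TERM else ("seq", c1, cmd[2]), m)
                for lab, c1, m in local_step(cmd[1], mem)]
    raise ValueError(f"unknown command {cmd!r}")

def _upd(procs, new):  # replace the components listed in new, keep the rest
    return tuple(new.get(k, p) for k, p in enumerate(procs))

def system_steps(procs, channels):
    """Rule 1: one process takes a silent step.  Rule 2: processes i and j
    synchronise on a declared channel c (c in dom(env(E))) with matching
    c!v and c?v; v crosses the memory boundary only through that channel."""
    out = []
    for i, (ci, mi) in enumerate(procs):
        for lab, cp, mp in local_step(ci, mi):
            if lab[0] == "tau":
                out.append((("tau", i), _upd(procs, {i: (cp, mp)})))
            elif lab[0] == "out" and lab[1] in channels:
                for j, (cj, mj) in enumerate(procs):
                    for lab2, cq, mq in local_step(cj, mj):
                        if j != i and lab2[:2] == ("in", lab[1]):
                            new = {i: (cp, mp), j: (cq, {**mq, lab2[2]: lab[2]})}
                            out.append((("comm", lab[1], lab[2], i, j), _upd(procs, new)))
    return out

def run(procs, channels):  # scheduler: first enabled transition until stuck or all √
    trace = []
    while steps := system_steps(procs, channels):
        lab, procs = steps[0]
        trace.append(lab)
    return trace, procs
```

A run on `(("seq", ("assign", "x", ("+", 1, 2)), ("out", "c", "x")), {})` and `(("seq", ("in", "c", "y"), ("assign", "z", ("*", "y", 2))), {})` with `{"c"}` declared yields the trace silent step, communication of 3 on c, silent step; with no channel declared the system is stuck after the first silent step, which is the side condition on \(\mathsf{dom}(\mathsf{env}(E))\) in action.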
© 2021 Springer Nature Switzerland AG
Nielson, F., Hansen, R.R., Nielson, H.R. (2021). Benign Interaction of Security Domains. In: Dougherty, D., Meseguer, J., Mödersheim, S.A., Rowe, P. (eds) Protocols, Strands, and Logic. Lecture Notes in Computer Science(), vol 13066. Springer, Cham. https://doi.org/10.1007/978-3-030-91631-2_17
DOI: https://doi.org/10.1007/978-3-030-91631-2_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-91630-5
Online ISBN: 978-3-030-91631-2