Abstract
Language-based information-flow security is a promising approach to enforcing strong, end-to-end confidentiality guarantees for program data. Its baseline property, noninterference, is also its most restrictive: it forbids any release of confidential data to a public context. Although noninterference has been enforced in many settings, there are still many programs that are considered secure enough in practice yet violate it in some way. To control the information released by such programs, the predetermined ways in which confidential data may be released must be specified. These intentional releases, called declassifications, are governed by security properties that are more permissive than noninterference. Properties for controlled declassification have been developed along several dimensions, each corresponding to a different declassification goal, but the mechanisms used to enforce them remain ad hoc, narrowly targeted, and insufficiently studied. In this work we present a new security property, Relaxed Release with Reference Points (R3P), which limits the information a program may declassify, and a new mechanism that enforces R3P on programs by reachability analysis of a pushdown system. To show that R3P is fit for use, we prove that it satisfies the well-known prudent principles of declassification and, in doing so, identify some limitations of our security policy. We evaluate the applicability, precision, and efficiency of the enforcement and the factors that influence its cost.
Summary
Contributions:
(1) A more general security property, R3P, is proposed; it can be enforced by automated program verification.
(2) The property is proved to be consistent with several general prudent principles of declassification, and a new prudent principle, "conditional persistence", is proposed to characterize the limitations of the security policy.
(3) Reachability analysis is used for the first time to enforce a declassification property on the "what" dimension; the enforcement is more general than existing approaches based on automated program verification.
(4) A "store-match" pattern for model transformation is proposed, which effectively reduces the state space and lowers the verification cost.
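To make the distinction between noninterference and a "what"-dimension declassification policy concrete, here is an added illustration that is not from the paper and does not implement R3P or its pushdown-system enforcement. It uses the standard delimited-release formulation (Sabelfeld and Myers): a policy is a set of escape hatches, expressions over the initial state whose values may be released, and a program satisfies it if any two initial states that agree on the public variables and on every hatch end in states that agree on the public variables. With no hatches this is plain noninterference. The variable names, domain, and example programs are constructed; the check enumerates a tiny state space exhaustively, whereas a real enforcement such as the paper's works symbolically.

```python
"""Two-run checks for noninterference and delimited release ("what" dimension).

Constructed illustration, not the paper's R3P property: a policy is a list of
escape hatches (expressions over the *initial* state that may be released).
The check enumerates all pairs of initial states over a small domain."""
from itertools import product
from typing import Callable, Dict, Iterable, Optional, Sequence, Tuple

State = Dict[str, int]
Program = Callable[[State], State]   # maps an initial state to a final state
Hatch = Callable[[State], int]       # expression over the initial state

# Constructed variables and domain: l is public (low), h1/h2 are secret (high).
LOW: Sequence[str] = ("l",)
HIGH: Sequence[str] = ("h1", "h2")
DOMAIN = range(4)


def all_states(names: Sequence[str], domain: Iterable[int]):
    """Every assignment of domain values to the given variable names."""
    for values in product(list(domain), repeat=len(names)):
        yield dict(zip(names, values))


def low_equal(s: State, t: State, low: Sequence[str]) -> bool:
    """Two states are indistinguishable to the public observer."""
    return all(s[v] == t[v] for v in low)


def find_violation(prog: Program, hatches: Sequence[Hatch] = (),
                   low: Sequence[str] = LOW, high: Sequence[str] = HIGH,
                   domain: Iterable[int] = DOMAIN) -> Optional[Tuple[State, State]]:
    """Return a pair of initial states witnessing a policy violation, or None.

    The returned pair is low-equal and agrees on every hatch, yet the final
    states differ on a public variable: the program released more than the
    hatches permit.  With hatches=() any high-to-low leak is reported."""
    names = list(low) + list(high)
    domain = list(domain)
    for s in all_states(names, domain):
        for t in all_states(names, domain):
            if not low_equal(s, t, low):
                continue          # the observer can already tell them apart
            if any(h(s) != h(t) for h in hatches):
                continue          # the difference is covered by a permitted release
            if not low_equal(prog(dict(s)), prog(dict(t)), low):
                return s, t
    return None


# --- constructed example programs -----------------------------------------

def avg(s: State) -> int:
    """The hatch: the policy permits releasing the average of the two secrets."""
    return (s["h1"] + s["h2"]) // 2


def increment_public(s: State) -> State:
    """l := l + 1  (touches no secret, so noninterferent)."""
    s = dict(s)
    s["l"] = s["l"] + 1
    return s


def release_average(s: State) -> State:
    """l := declassify(avg(h1, h2))  (violates noninterference; allowed by the hatch)."""
    s = dict(s)
    s["l"] = avg(s)
    return s


def launder_then_release(s: State) -> State:
    """h1 := h2; l := declassify(avg(h1, h2))  (laundering attack).

    After the assignment the released "average" equals h2 exactly.  Because
    hatches are evaluated on the initial state, the policy rejects this."""
    s = dict(s)
    s["h1"] = s["h2"]
    s["l"] = avg(s)
    return s


def copy_secret(s: State) -> State:
    """l := h1  (releases a secret outright)."""
    s = dict(s)
    s["l"] = s["h1"]
    return s


def verdicts() -> Dict[str, bool]:
    """True means the program satisfies the policy named in the key."""
    return {
        "increment_public/noninterference": find_violation(increment_public) is None,
        "release_average/noninterference": find_violation(release_average) is None,
        "release_average/avg-hatch": find_violation(release_average, [avg]) is None,
        "launder_then_release/avg-hatch": find_violation(launder_then_release, [avg]) is None,
        "copy_secret/avg-hatch": find_violation(copy_secret, [avg]) is None,
    }


if __name__ == "__main__":
    for name, ok in verdicts().items():
        print(f"{name:40s} {'secure' if ok else 'VIOLATION'}")
    print("laundering witness:", find_violation(launder_then_release, [avg]))
```

The laundering program is the reason the "what" dimension alone is not enough in general: it releases only an expression the policy names, yet leaks a whole secret, and the two-run check exposes it because the hatch is fixed to the initial state. Properties that add the "where" dimension, such as the reference points in the paper's R3P, pin down the program points at which a release may occur.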
Cite this article
Sun, C., Xi, N., Gao, S. et al. Automated enforcement for relaxed information release with reference points. Sci. China Inf. Sci. 57, 1–19 (2014). https://doi.org/10.1007/s11432-014-5168-7