Adjoining Declassification and Attack Models by Abstract Interpretation
Abstract
In this paper we prove that attack models and robust declassification in language-based security can be viewed as adjoint transformations of abstract interpretations. This is achieved by interpreting the well-known semantic approach of Joshi and Leino to non-interference as the problem of making an abstraction complete relative to a program's semantics. This observation allows us to prove that the most abstract property of confidential data which flows, here called the private observation, and the most concrete harmless attacker observing public data, here called the public observable, both modeled as abstractions of the program's semantics, are respectively the adjoint solutions of a completeness problem in standard abstract interpretation theory. In particular, declassification corresponds to refining the given attacker model with the minimal amount of information needed to achieve completeness, which is non-interference, while the harmless attacker corresponds to removing this information. This proves an adjunction between two basic approaches to language-based security, declassification and the construction of suitable attack models, and allows us to apply relevant techniques for abstract domain transformation in language-based security.
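As an added illustration (not code from the paper), the following brute-forces both adjoint abstractions on a finite toy program: the private property that flows to a given attacker, and the most concrete attacker that learns nothing beyond a declassification. All names (H, L, program, secure, private_observation, public_observable) are this example's own.

```python
# Added illustration, not code from the paper: brute-force the two adjoint
# abstractions of the abstract on a finite toy program.

H = range(8)   # constructed private (high) inputs
L = range(4)   # constructed public (low) inputs

def program(l, h):
    """Constructed toy program: the public output leaks the parity of the secret."""
    return 2 * l + h % 2

NOTHING = lambda h: None   # declassify nothing: all secrets must look alike
EXACT = lambda y: y        # attacker who sees the exact public output

def secure(observe, declassified=NOTHING):
    """Abstract non-interference check: for every public input, secrets that the
    declassification identifies must give outputs `observe` cannot tell apart.
    With declassified=NOTHING this is plain non-interference."""
    for l in L:
        seen = {}
        for h in H:
            view = observe(program(l, h))
            if seen.setdefault(declassified(h), view) != view:
                return False
    return True

def private_observation(observe):
    """Declassification side: the property of the secret that actually flows to an
    attacker using `observe` (h -> class). Declassifying exactly it makes `secure` hold."""
    return lambda h: tuple(observe(program(l, h)) for l in L)

def public_observable(declassified=NOTHING):
    """Attack-model side: the most concrete attacker learning nothing beyond
    `declassified`. Outputs produced, for one public input, by secrets the
    declassification identifies are merged (union-find); returns output -> class."""
    parent = {}
    def find(y):
        parent.setdefault(y, y)
        while parent[y] != y:
            y = parent[y]
        return y
    for l in L:
        first = {}
        for h in H:
            y = program(l, h)
            if declassified(h) in first:
                parent[find(y)] = find(first[declassified(h)])
            else:
                first[declassified(h)] = y
    return find
```

Declassifying `private_observation(EXACT)` (the parity) makes the exact attacker harmless, and the attacker `public_observable()` (who sees only the output halved) learns nothing; applying the two constructions in sequence recovers the other side, which is the adjunction in miniature.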
Keywords
Abstract interpretation, language-based security, declassification, abstract non-interference, attack models, adjunction, completeness