A Model for Delimited Information Release

  • Andrei Sabelfeld
  • Andrew C. Myers
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3233)

Abstract

Much work on security-typed languages lacks a satisfactory account of intentional information release. In the context of confidentiality, a typical security guarantee provided by security type systems is noninterference, which allows no information flow from secret inputs to public outputs. However, many intuitively secure programs do allow some release, or declassification, of secret information (e.g., password checking, information purchase, and spreadsheet computation). Noninterference fails to recognize such programs as secure. In this respect, many security type systems enforcing noninterference are impractical. On the other side of the spectrum are type systems designed to accommodate some information leakage. However, there is often little or no guarantee about what is actually being leaked. As a consequence, such type systems are vulnerable to laundering attacks, which exploit declassification mechanisms to reveal more secret data than intended. To bridge this gap, this paper introduces a new security property, delimited release, an end-to-end guarantee that declassification cannot be exploited to construct laundering attacks. In addition, a security type system is given that straightforwardly and provably enforces delimited release.

Keywords

Computer security confidentiality information flow noninterference security-type systems security policies declassification 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Abadi, M.: Secrecy by typing in security protocols. J. ACM 46(5), 749–786 (1999)MATHCrossRefMathSciNetGoogle Scholar
  2. 2.
    Abadi, M., Banerjee, A., Heintze, N., Riecke, J.: A core calculus of dependency. In: Proc. ACM Symp. on Principles of Programming Languages, January 1999, pp. 147–160 (1999)Google Scholar
  3. 3.
    Abadi, M., Gordon, A.D.: A calculus for cryptographic protocols: The Spi calculus. Information and Computation 148(1), 1–70 (1999)MATHCrossRefMathSciNetGoogle Scholar
  4. 4.
    Agat, J.: Transforming out timing leaks. In: Proc. ACM Symp. on Principles of Programming Languages, January 2000, pp. 40–53 (2000)Google Scholar
  5. 5.
    Banerjee, A., Naumann, D.A.: Secure information flow and pointer confinement in a Java-like language. In: Proc. IEEE Computer Security Foundations Workshop, June 2002, pp. 253–267 (2002)Google Scholar
  6. 6.
    Bossi, A., Piazza, C., Rossi, S.: Modelling downgrading in information flow security. In: Proc. IEEE Computer Security Foundations Workshop (June 2004) (to appear)Google Scholar
  7. 7.
    Clark, D., Hunt, S., Malacaria, P.: Quantitative analysis of the leakage of confidential data. In: Proc. Quantitative Aspects of Programming Languages. ENTCS, vol. 59. Elsevier, Amsterdam (2002)Google Scholar
  8. 8.
    Cohen, E.S.: Information transmission in sequential programs. In: DeMillo, R.A., Dobkin, D.P., Jones, A.K., Lipton, R.J. (eds.) Foundations of Secure Computation, pp. 297–335. Academic Press, London (1978)Google Scholar
  9. 9.
    Dam, M., Giambiagi, P.: Confidentiality for mobile code: The case of a simple payment protocol. In: Proc. IEEE Computer Security Foundations Workshop, July 2000, pp. 233–244 (2000)Google Scholar
  10. 10.
    Denning, D.E.: Cryptography and Data Security. Addison-Wesley, Reading (1982)MATHGoogle Scholar
  11. 11.
    Denning, D.E., Denning, P.J.: Certification of programs for secure information flow. Comm. of the ACM 20(7), 504–513 (1977)MATHCrossRefGoogle Scholar
  12. 12.
    Di Pierro, A., Hankin, C., Wiklicky, H.: Approximate non-interference. In: Proc. IEEE Computer Security Foundations Workshop, June 2002, pp. 1–17 (2002)Google Scholar
  13. 13.
    Duggan, D.: Cryptographic types. In: Proc. IEEE Computer Security Foundations Workshop, June 2002, pp. 238–252 (2002)Google Scholar
  14. 14.
    Giacobazzi, R., Mastroeni, I.: Abstract non-interference: Parameterizing non-interference by abstract interpretation. In: Proc. ACM Symp. on Principles of Programming Languages, January 2004, pp. 186–197 (2004)Google Scholar
  15. 15.
    Giambiagi, P., Dam, M.: On the secure implementation of security protocols. In: Degano, P. (ed.) ESOP 2003 and ETAPS 2003. LNCS, vol. 2618, pp. 144–158. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  16. 16.
    Goguen, J.A., Meseguer, J.: Security policies and security models. In: Proc. IEEE Symp. on Security and Privacy, April 1982, pp. 11–20 (1982)Google Scholar
  17. 17.
    Goguen, J.A., Meseguer, J.: Unwinding and inference control. In: Proc. IEEE Symp. on Security and Privacy, April 1984, pp. 75–86 (1984)Google Scholar
  18. 18.
    Gosling, J., Joy, B., Steele, G.: The Java Language Specification. Addison-Wesley, Reading (1996)MATHGoogle Scholar
  19. 19.
    Heintze, N., Riecke, J.G.: The SLam calculus: programming with secrecy and integrity. In: Proc. ACM Symp. on Principles of Programming Languages, January 1998, pp. 365–377 (1998)Google Scholar
  20. 20.
    Joshi, R., Leino, K.R.M.: A semantic approach to secure information flow. Science of Computer Programming 37(1–3), 113–138 (2000)MATHCrossRefMathSciNetGoogle Scholar
  21. 21.
    Laud, P.: Semantics and program analysis of computationally secure information flow. In: Sands, D. (ed.) ESOP 2001 and ETAPS 2001. LNCS, vol. 2028, pp. 77–91. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  22. 22.
    Laud, P.: Handling encryption in an analysis for secure information flow. In: Degano, P. (ed.) ESOP 2003 and ETAPS 2003. LNCS, vol. 2618, pp. 159–173. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  23. 23.
    Lowe, G.: Quantifying information flow. In: Proc. IEEE Computer Security Foundations Workshop, June 2002, pp. 18–31 (2002)Google Scholar
  24. 24.
    Mantel, H.: Information flow control and applications—Bridging a gap. In: Oliveira, J.N., Zave, P. (eds.) FME 2001. LNCS, vol. 2021, pp. 153–172. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  25. 25.
    Mantel, H., Sands, D.: Controlled downgrading based on intransitive (non)interference. Draft (July 2003)Google Scholar
  26. 26.
    McLean, J.: The specification and modeling of computer security. Computer 23(1), 9–16 (1990)CrossRefGoogle Scholar
  27. 27.
    Myers, A.C.: JFlow: Practical mostly-static information flow control. In: Proc. ACM Symp. on Principles of Programming Languages, January 1999, pp. 228–241 (1999)Google Scholar
  28. 28.
    Myers, A.C., Liskov, B.: A decentralized model for information flow control. In: Proc. ACM Symp. on Operating System Principles, October 1997, pp. 129–142 (1997)Google Scholar
  29. 29.
    Myers, A.C., Liskov, B.: Complete, safe information flow with decentralized labels. In: Proc. IEEE Symp. on Security and Privacy, May 1998, pp. 186–197 (1998)Google Scholar
  30. 30.
    Myers, A.C., Sabelfeld, A., Zdancewic, S.: Enforcing robust declassification. In: Proc. IEEE Computer Security Foundations Workshop (June 2004) (to appear)Google Scholar
  31. 31.
    Myers, A.C., Zheng, L., Zdancewic, S., Chong, S., Nystrom, N.: Jif: Java information flow. Software release, Located at: http://www.cs.cornell.edu/jif (July 2001–2003)
  32. 32.
    Pinsky, S.: Absorbing covers and intransitive non-interference. In: Proc. IEEE Symp. on Security and Privacy, May 1995, pp. 102–113 (1995)Google Scholar
  33. 33.
    Pottier, F., Conchon, S.: Information flow inference for free. In: Proc. ACM International Conference on Functional Programming, September 2000, pp. 46–57 (2000)Google Scholar
  34. 34.
    Pottier, F., Simonet, V.: Information flow inference for ML. In: Proc. ACM Symp. on Principles of Programming Languages, January 2002, pp. 319–330 (2002)Google Scholar
  35. 35.
    Roscoe, A.W., Goldsmith, M.H.: What is intransitive noninterference? In: Proc. IEEE Computer Security Foundations Workshop, June 1999, pp. 228–238 (1999)Google Scholar
  36. 36.
    Rushby, J.M.: Noninterference, transitivity, and channel-control security policies. Technical Report CSL-92-02, SRI International (1992)Google Scholar
  37. 37.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Selected Areas in Communications 21(1), 5–19 (2003)CrossRefGoogle Scholar
  38. 38.
    Sabelfeld, A., Sands, D.: Probabilistic noninterference for multi-threaded programs. In: Proc. IEEE Computer Security Foundations Workshop, July 2000, pp. 200–214 (2000)Google Scholar
  39. 39.
    Sabelfeld, A., Sands, D.: A per model of secure information flow in sequential programs. Higher Order and Symbolic Computation 14(1), 59–91 (2001)MATHCrossRefGoogle Scholar
  40. 40.
    Saltzer, J.H., Reed, D.P., Clark, D.D.: End-to-end arguments in system design. ACM Transactions on Computer Systems 2(4), 277–288 (1984)CrossRefGoogle Scholar
  41. 41.
    Shannon, C.E., Weaver, W.: The Mathematical Theory of Communication. University of Illinois Press, US (1963)Google Scholar
  42. 42.
    Smith, G., Volpano, D.: Secure information flow in a multi-threaded imperative language. In: Proc. ACM Symp. on Principles of Programming Languages, January 1998, pp. 355–364 (1998)Google Scholar
  43. 43.
    Sumii, E., Pierce, B.: Logical relations for encryption. In: Proc. IEEE Computer Security Foundations Workshop, June 2001, pp. 256–269 (2001)Google Scholar
  44. 44.
    Volpano, D.: Secure introduction of one-way functions. In: Proc. IEEE Computer Security Foundations Workshop, July 2000, pp. 246–254 (2000)Google Scholar
  45. 45.
    Volpano, D., Smith, G.: Probabilistic noninterference in a concurrent language. J. Computer Security 7(2–3), 231–253 (1999)Google Scholar
  46. 46.
    Volpano, D., Smith, G.: Verifying secrets and relative secrecy. In: Proc. ACM Symp. on Principles of Programming Languages, January 2000, pp. 268–276 (2000)Google Scholar
  47. 47.
    Volpano, D., Smith, G., Irvine, C.: A sound type system for secure flow analysis. J. Computer Security 4(3), 167–187 (1996)Google Scholar
  48. 48.
    Winskel, G.: The Formal Semantics of Programming Languages: An Introduction. MIT Press, Cambridge (1993)MATHGoogle Scholar
  49. 49.
    Zdancewic, S.: A type system for robust declassification. In: Proc. Mathematical Foundations of Programming Semantics. ENTCS. Elsevier, Amsterdam (2003)Google Scholar
  50. 50.
    Zdancewic, S., Myers, A.C.: Robust declassification. In: Proc. IEEE Computer Security Foundations Workshop, June 2001, pp. 15–23 (2001)Google Scholar
  51. 51.
    Zdancewic, S., Myers, A.C.: Secure information flow and CPS. In: Sands, D. (ed.) ESOP 2001 and ETAPS 2001. LNCS, vol. 2028, pp. 46–61. Springer, Heidelberg (2001)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Andrei Sabelfeld
    • 1
  • Andrew C. Myers
    • 2
  1. 1.Department of Computer ScienceChalmers University of TechnologyGothenburgSweden
  2. 2.Department of Computer ScienceCornell UniversityIthacaUSA

Personalised recommendations