Decentralized Delimited Release

  • Jonas Magazinius
  • Aslan Askarov
  • Andrei Sabelfeld
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7078)

Abstract

Decentralization is a major challenge for secure computing. In a decentralized setting, principals are free to distrust each other. The key challenge is to provide support for expressing and enforcing expressive decentralized policies. This paper focuses on declassification policies, i.e., policies for intended information release. We propose a decentralized language-independent framework for expressing what information can be released. The framework enables the combination of data owned by different principals without compromising their respective security policies. A key feature is that information release is permitted only when the owners of the data agree on releasing it. We instantiate the framework for a simple imperative language to show how the decentralized declassification policies can be enforced by a runtime monitor and discuss a prototype that secures programs by inlining the monitor in the code.
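The owner-agreement rule the abstract describes, as an added illustrative model (not the paper's formal framework or prototype): every value carries the set of principals whose data flowed into it, each principal registers the named release operations it accepts, and the monitor lets a value leave the program only when every owner agreed to the operation that produced it. Class and method names, the "hatch" naming scheme, and the contact-list sample are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Set

# Illustrative model (an assumption, not the paper's formal semantics): a value carries
# the principals that own it; each principal registers the named release operations
# ("hatches") it agrees to; release is allowed only if every owner agreed to the hatch.

@dataclass(frozen=True)
class Labeled:
    value: object
    owners: frozenset            # principals whose secret data flowed into value
    hatch: str                   # operation that produced it ("raw" = untransformed)

class DeclassificationMonitor:
    def __init__(self) -> None:
        self.agreed: Dict[str, Set[str]] = {}   # principal -> hatches it accepts

    def own(self, principal: str, value: object) -> Labeled:
        return Labeled(value, frozenset([principal]), "raw")

    def agree(self, principal: str, hatch: str) -> None:
        self.agreed.setdefault(principal, set()).add(hatch)

    def combine(self, hatch: str, f: Callable, *args: Labeled) -> Labeled:
        # Combining data from several principals unions their ownership, so the
        # result is jointly owned and no principal's policy is weakened.
        owners = frozenset().union(*(a.owners for a in args))
        return Labeled(f(*(a.value for a in args)), owners, hatch)

    def dissenters(self, item: Labeled) -> Set[str]:
        return {p for p in item.owners if item.hatch not in self.agreed.get(p, set())}

    def release(self, item: Labeled) -> object:
        # The monitor's check: every owner must have agreed to this hatch.
        refused = self.dissenters(item)
        if refused:
            raise PermissionError(f"hatch {item.hatch!r} refused by {sorted(refused)}")
        return item.value

def demo():
    # Constructed sample: two principals' contact lists from different sites.
    m = DeclassificationMonitor()
    alice = m.own("alice", {"carol", "dave", "erin"})
    bob = m.own("bob", {"dave", "erin", "frank"})
    for p in ("alice", "bob"):
        m.agree(p, "common_contact_count")   # both accept releasing the overlap size
    m.agree("alice", "merged_contacts")       # only Alice accepts releasing the union
    count = m.combine("common_contact_count", lambda a, b: len(a & b), alice, bob)
    merged = m.combine("merged_contacts", lambda a, b: a | b, alice, bob)
    return m.release(count), sorted(m.dissenters(count)), sorted(m.dissenters(merged))
```

Releasing the jointly owned count succeeds because both owners agreed to that operation; the merged list is blocked by Bob alone, and an untransformed value is refused unless its owner explicitly agreed to release it raw.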

Keywords

Social Networking Site, Security Policy, Security Level, Information Release, Execution Context

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Jonas Magazinius (1)
  • Aslan Askarov (2)
  • Andrei Sabelfeld (1)
  1. Chalmers University of Technology, Sweden
  2. Cornell University, USA