Abstract
This paper presents a language in which information flow is securely controlled by a type system, yet the security class of data can vary dynamically. Information flow policies provide the means to express strong security requirements for data confidentiality and integrity. Recent work on security-typed programming languages has shown that information flow can be analyzed statically, ensuring that programs will respect the restrictions placed on data. However, real computing systems have security policies that vary dynamically and that cannot be determined at the time of program analysis. For example, a file has associated access permissions that cannot be known with certainty until it is opened. Although one security-typed programming language has included support for dynamic security labels, there has been no demonstration that a general mechanism for dynamic labels can securely control information flow. In this paper, we present an expressive language-based mechanism for reasoning about dynamic security labels. The mechanism is formally presented in a core language based on the typed lambda calculus; any well-typed program in this language is provably secure because it satisfies noninterference.
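The abstract's central point is that a static type system can still enforce noninterference when a security label is only learned at run time (the file whose permissions are unknown until it is opened), provided the program tests the label before the flow and the type system counts the test as a guard. The script below is an added illustration of that idea, not code from the paper, from the Jif project, or from the core language the authors define; the reader-set lattice, the principal names, the channel model and the sample file contents are all constructed here for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Label:
    """A security class, modelled (constructed choice) as the set of principals
    allowed to read the data. Fewer readers means more restrictive."""
    readers: FrozenSet[str]

    def flows_to(self, other: Label) -> bool:
        # L1 flows to L2 iff L2 is at least as restrictive: readers(L2) is a
        # subset of readers(L1).
        return other.readers <= self.readers

    def join(self, other: Label) -> Label:
        # Least upper bound: readable only by the readers common to both.
        return Label(self.readers & other.readers)


# Constructed two-point lattice: PUBLIC flows to ALICE_ONLY, never the reverse.
PUBLIC = Label(frozenset({"alice", "bob"}))
ALICE_ONLY = Label(frozenset({"alice"}))


class FlowViolation(Exception):
    """Raised when a write would move data to a less restrictive place."""


@dataclass(frozen=True)
class Value:
    data: str
    label: Label


@dataclass
class Channel:
    """An output sink with a fixed label; everything written is observable by
    its readers."""
    label: Label
    log: List[str] = field(default_factory=list)


def write(channel: Channel, value: Value, pc: Label) -> None:
    """The flow check: (label of value joined with the program-counter label)
    must flow to the channel's label, or nothing is written."""
    if not value.label.join(pc).flows_to(channel.label):
        raise FlowViolation(f"{value.label} does not flow to {channel.label}")
    channel.log.append(value.data)


@dataclass(frozen=True)
class OpenedFile:
    contents: Value  # the label is taken from the file's permissions at open time


def open_file(contents: str, readers: FrozenSet[str]) -> OpenedFile:
    """Simulates opening a file: only now do we learn its label."""
    return OpenedFile(Value(contents, Label(readers)))


def forward_file(f: OpenedFile, out: Channel) -> Tuple[bool, List[str]]:
    """The guarded program: copy the file to `out` only inside a branch whose
    condition is the run-time label test. Assumption for this toy: labels are
    themselves public data, so testing one does not raise the pc label."""
    pc = PUBLIC
    if f.contents.label.flows_to(out.label):
        write(out, f.contents, pc)
        return True, list(out.log)
    write(out, Value("access denied", PUBLIC), pc)
    return False, list(out.log)


def low_outputs(secret: str, readers: FrozenSet[str]) -> List[str]:
    """What a reader of the PUBLIC channel observes when the program is run on a
    file with the given contents and permissions."""
    out = Channel(PUBLIC)
    forward_file(open_file(secret, readers), out)
    return list(out.log)


def noninterference_holds(readers: FrozenSet[str]) -> bool:
    """Noninterference, checked on two runs: varying the file contents must not
    change what the public channel sees when the file is not public."""
    return low_outputs("launch at dawn", readers) == low_outputs("launch at dusk", readers)


def unguarded_forward_is_rejected(readers: FrozenSet[str]) -> bool:
    """The same copy without the label test: the flow check refuses it."""
    out = Channel(PUBLIC)
    try:
        write(out, open_file("s3cret", readers).contents, PUBLIC)
    except FlowViolation:
        return True
    return False


if __name__ == "__main__":
    print(low_outputs("hello", PUBLIC.readers))       # ['hello']
    print(low_outputs("hello", ALICE_ONLY.readers))   # ['access denied']
    print(noninterference_holds(ALICE_ONLY.readers))  # True
    print(unguarded_forward_is_rejected(ALICE_ONLY.readers))  # True
```

The two interesting calls are the last two: `noninterference_holds` shows that for a file Alice alone may read, the public channel's transcript is the same whichever secret the file contains, and `unguarded_forward_is_rejected` shows that the label check, not the programmer's intent, is what enforces this when the test is omitted. The paper's contribution is proving this kind of property for a full language in which the label test is a typing construct rather than a run-time exception; the toy only checks it on two concrete runs.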
Keywords
- Security Class
- Core Language
- Information Flow Control
- Dynamic Label
- Computer Security Foundation Workshop
© 2005 International Federation for Information Processing
Cite this paper
Zheng, L., Myers, A.C. (2005). Dynamic Security Labels and Noninterference (Extended Abstract). In: Dimitrakos, T., Martinelli, F. (eds) Formal Aspects in Security and Trust. IFIP WCC TC1 2004. IFIP International Federation for Information Processing, vol 173. Springer, Boston, MA. https://doi.org/10.1007/0-387-24098-5_3
DOI: https://doi.org/10.1007/0-387-24098-5_3
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-24050-3
Online ISBN: 978-0-387-24098-5