Towards a General-Purpose Dynamic Information Flow Policy

Noninterference offers a rigorous end-to-end guarantee for secure propagation of information. However, real-world systems almost always involve security requirements that change during program execution, making noninterference inapplicable. Prior work alleviates this limitation to some extent, but even for a veteran in information flow security, understanding the subtleties in the syntax and semantics of each policy is challenging, largely because each policy comes with its own specification language and, more fundamentally, its own semantic requirements. We take a top-down approach and present a novel information flow policy, called Dynamic Release, which allows information flow restrictions to downgrade and upgrade in arbitrary ways. Dynamic Release is formalized on a novel framework that, for the first time, allows us to compare and contrast various dynamic policies in the literature. We show that Dynamic Release generalizes declassification, erasure, delegation and revocation. Moreover, it is the only dynamic policy that is both applicable and correct on a benchmark of tests with dynamic policies.
