Mostly-static decentralized information flow control

The growing use of mobile code in downloaded programs such as applets and servlets has increased interest in robust mechanisms for ensuring privacy and secrecy. Common security mechanisms such as sandboxing and access control are either too restrictive or too weak—they prevent applications from sharing data usefully, or allow private information to leak. For example, security mechanisms in Java prevent many useful applications while still permitting Trojan horse applets to leak private information. This thesis describes the decentralized label model, a new model of information flow control that protects private data while allowing applications to share data. Unlike previous approaches to privacy protection based on information flow, this label model is decentralized: it allows cooperative computation by mutually distrusting principals, without mediation by highly trusted agents. Cooperative computation is possible because individual principals can declassify their own data without infringing on other principals' privacy. The decentralized label model permits programs using it to be checked statically, which is important for the precise detection of information leaks. This thesis also presents the new language JFlow, an extension to the Java programming language that incorporates the decentralized label model and permits static checking of information flows within programs. Variable declarations in JFlow programs are annotated with labels that allow the static checker to check programs for information leaks efficiently, in a manner similar to type checking. Often, these labels can be inferred automatically, so annotating programs is not onerous. Dynamic checks also may be used safely when static checks are insufficiently powerful. A compiler has been implemented for the JFlow language. Because most checking is performed statically at compile time, the compiler generates code with few additional dynamic tests, improving performance. 
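The label model summarized above can be made concrete in a few lines. The following Python is an added example, not code from the thesis or the JFlow compiler: it represents a decentralized label as a map from owner principals to the readers each owner permits, uses the simplified relabeling rule without the thesis' acts-for hierarchy, and the principal names are constructed.

```python
# Added illustration of the decentralized label model (not thesis/JFlow code).
# A label maps each owner principal to the readers that owner permits; an
# owner is always an implicit reader of its own policy. The acts-for
# hierarchy is omitted, so principals are plain strings (constructed names).
Label = dict[str, frozenset[str]]

def label(**policies: set[str]) -> Label:
    """Build a label from owner=reader-set keyword arguments."""
    return {owner: frozenset(readers) for owner, readers in policies.items()}

def effective_readers(lab: Label, principals: set[str]) -> set[str]:
    """Principals allowed by every owner: the intersection of all policies."""
    readers = set(principals)
    for owner, allowed in lab.items():
        readers &= allowed | {owner}
    return readers

def join(l1: Label, l2: Label) -> Label:
    """Label of data derived from both inputs (e.g. x + y): union of owners,
    and a shared owner keeps only the readers both of its policies allow."""
    out = dict(l1)
    for owner, readers in l2.items():
        out[owner] = out[owner] & readers if owner in out else readers
    return out

def can_relabel(l1: Label, l2: Label) -> bool:
    """l1 ⊑ l2: data may flow from l1 to l2 without gaining readers, i.e.
    every policy of l1 is still present in l2 with a subset of its readers."""
    return all(owner in l2 and l2[owner] <= l1[owner] for owner in l1)

def declassify(lab: Label, principal: str, new_label: Label) -> Label:
    """Declassification by `principal` may relax only its own policy: the
    check is lab ⊑ new_label ⊔ {principal: }, which ignores principal's own
    policy but demands every other owner's policy survive unweakened."""
    if not can_relabel(lab, join(new_label, {principal: frozenset()})):
        raise PermissionError(f"{principal} may not weaken another owner's policy")
    return dict(new_label)

if __name__ == "__main__":
    everyone = {"alice", "bob", "carol"}
    # Alice shares her data with Bob, Bob shares his with Alice; combine them.
    both = join(label(alice={"bob"}), label(bob={"alice"}))
    print(sorted(effective_readers(both, everyone)))           # ['alice', 'bob']
    # Alice may open her own policy to Carol, but Bob's policy still excludes
    # Carol, so the combined result stays unreadable to her.
    relaxed = declassify(both, "alice", label(alice={"bob", "carol"}, bob={"alice"}))
    print(sorted(effective_readers(relaxed, everyone)))        # ['alice', 'bob']
```

Attempting to declassify the combined value so that Bob's policy also admits Carol raises `PermissionError`, which is the model's guarantee that one principal's declassification cannot leak another principal's data.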
(Copies available exclusively from MIT Libraries, Rm. 14-0551, Cambridge, MA 02139-4307. Ph. 617-253-5668; Fax 617-253-1690.)
