Dynamic Security Labels and Noninterference

This paper explores information flow control in systems in which the security classes of data can vary dynamically. Information flow policies provide the means to express strong security requirements for data confidentiality and integrity. Recent work on security-typed programming languages has shown that information flow can be analyzed statically, ensuring that programs will respect the restrictions placed on data. However, real computing systems have security policies that vary dynamically and that cannot be determined at the time of program analysis. For example, a file has associated access permissions that cannot be known with certainty until it is opened. Although one security-typed programming language has included support for dynamic security labels, there has been no examination of whether such a mechanism can securely control information flow. In this paper, we present an expressive language-based mechanism for securely manipulating dynamic security labels. The mechanism is presented both in the context of a Java-like programming language and, more formally, in a core language based on the typed lambda calculus. This core language is expressive enough to encode previous dynamic label mechanisms; as importantly, any well-typed program is provably secure because it satisfies noninterference.
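As an added illustration (not the paper's mechanism or its core language), the following Python model shows the two ideas the abstract combines: a run-time label check on data whose label is only known when a "file" is opened, and a noninterference test that runs the program on two different secrets and requires the public result to be identical. Labels are modelled as a simplified reader-set lattice, and the file table is a constructed stand-in for a file system.

```python
# Added example, not from the paper. A label is the frozenset of principals
# allowed to read the data (a simplified reader-set lattice). Fewer readers
# means more restrictive. Data may flow from src to dst only if every reader
# of dst is also a reader of src, so no principal gains access via the flow.
from dataclasses import dataclass


@dataclass(frozen=True)
class Labeled:
    value: object
    label: frozenset  # principals permitted to read `value`


class FlowViolation(Exception):
    pass


def can_flow(src: frozenset, dst: frozenset) -> bool:
    """src may flow to dst iff dst is at least as restrictive (dst readers are a subset of src readers)."""
    return dst <= src


def open_file(name, table):
    """Opening a file: its permissions (label) are only known here, at run time (constructed table)."""
    data, readers = table[name]
    return Labeled(data, frozenset(readers))


def write(sink: Labeled, src: Labeled) -> Labeled:
    """Dynamic label check guarding the flow src -> sink; rejects the flow instead of leaking."""
    if not can_flow(src.label, sink.label):
        raise FlowViolation(f"{sorted(src.label)} -> {sorted(sink.label)}")
    return Labeled(src.value, sink.label)


PUBLIC = frozenset({"alice", "bob", "eve"})


def run(secret_value):
    """Reads a secret file and a public file; only the public data may reach the public sink."""
    files = {"secret.txt": (secret_value, {"alice"}), "notes.txt": ("hello", PUBLIC)}
    s = open_file("secret.txt", files)
    p = open_file("notes.txt", files)
    sink = Labeled(None, PUBLIC)
    out = write(sink, p)              # allowed: PUBLIC -> PUBLIC
    try:
        write(sink, s)                # rejected at run time: {alice} -> PUBLIC
        leaked = True
    except FlowViolation:
        leaked = False
    return out.value, leaked


def noninterferent(prog, secret_inputs=("A", "B")) -> bool:
    """Noninterference, tested empirically: varying the secret must not change the public result."""
    return len({prog(x) for x in secret_inputs}) == 1
```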
