Fine Granularity Access Rights for Information Flow Control in Object Oriented Systems

One of the main features of information flow control is to ensure the enforcement of privacy and regulated accessibility. However, most information flow control models that have been proposed either do not provide substantial assurance that end-to-end confidentiality policies are enforced, or they are too restrictive, overprotective, and inflexible. We present a model for discretionary access controls that is in harmony with the object oriented paradigm. The model uses access rights applied to object attributes and methods, thus allowing considerable flexibility without compromising system security by leaking sensitive information. Models based on message filtering intercept every message exchanged among objects to control the flow of information. We present an algorithm which enforces message filtering based on the defined access rights.
