Dynamic Security Labels and Noninterference (Extended Abstract)

This paper presents a language in which information flow is securely controlled by a type system, yet the security class of data can vary dynamically. Information flow policies provide the means to express strong security requirements for data confidentiality and integrity. Recent work on security-typed programming languages has shown that information flow can be analyzed statically, ensuring that programs will respect the restrictions placed on data. However, real computing systems have security policies that vary dynamically and that cannot be determined at the time of program analysis. For example, a file has associated access permissions that cannot be known with certainty until it is opened. Although one security-typed programming language has included support for dynamic security labels, there has been no demonstration that a general mechanism for dynamic labels can securely control information flow. In this paper, we present an expressive language-based mechanism for reasoning about dynamic security labels. The mechanism is formally presented in a core language based on the typed lambda calculus; any well-typed program in this language is provably secure because it satisfies noninterference.
