Secure information flow in a multi-threaded imperative language

Previously, we developed a type system to ensure secure information flow in a sequential, imperative programming language [VSI96]. Program variables are classified as either high or low security; intuitively, we wish to prevent information from flowing from high variables to low variables. Here, we extend the analysis to deal with a multithreaded language. We show that the previous type system is insufficient to ensure a desirable security property called noninterference. Noninterference basically means that the final values of low variables are independent of the initial values of high variables. By modifying the sequential type system, we are able to guarantee noninterference for concurrent programs. Crucial to this result, however, is the use of purely nondeterministic thread scheduling. Since implementing such scheduling is problematic, we also show how a more restrictive type system can guarantee noninterference, given a more deterministic (and easily implementable) scheduling policy, such as round-robin time slicing. Finally, we consider the consequences of adding a clock to the language.
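The noninterference property described above, as an added example that is not part of the paper: a small interpreter for multi-threaded programs in a constructed while-language that enumerates every interleaving under purely nondeterministic scheduling and compares the sets of possible final low values across initial high memories. The constructed thread `LEAKY_A` is accepted by the sequential rules of [VSI96] (a loop with a high guard and a skip body, followed by a low assignment), yet its set of possible final low values depends on `h`; `SAFE_A`, whose loop guard is low, does not leak.

```python
# A thread is a tuple of statements in a constructed mini-language:
#   ("asgn", var, f)    x := f(mem)
#   ("while", g, body)  while g(mem) do body   (body: tuple of statements, () = skip)
# Guards and right-hand sides are plain Python callables over the memory dict.
def step(mem, thread):
    """Run one atomic step of `thread`; return (new_mem, remaining_thread)."""
    stmt, rest = thread[0], thread[1:]
    if stmt[0] == "asgn":
        _, var, f = stmt
        new = dict(mem)
        new[var] = f(mem)
        return new, rest
    _, g, body = stmt                      # "while": testing the guard is one step
    return mem, (body + (stmt,) + rest if g(mem) else rest)

def final_low_values(threads, mem, low):
    """Low-memory outcomes of every terminating interleaving under purely
    nondeterministic scheduling: any thread with work left may run next."""
    freeze = lambda m: tuple(sorted(m.items()))
    start = (freeze(mem), tuple(tuple(t) for t in threads))
    seen, stack, results = {start}, [start], set()
    while stack:                           # DFS over configurations
        fmem, ths = stack.pop()
        if not any(ths):                   # all threads finished: record low view
            results.add(tuple((v, dict(fmem)[v]) for v in low))
            continue
        for i, t in enumerate(ths):
            if t:
                m2, t2 = step(dict(fmem), t)
                nxt = (freeze(m2), ths[:i] + (t2,) + ths[i + 1:])
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
    return results

def possibilistic_noninterference(threads, low, high_inits):
    """True iff the set of possible final low values is the same for every
    initial high memory in high_inits (low variables all start at 0)."""
    outcomes = {frozenset(final_low_values(threads, {**hi, **{v: 0 for v in low}}, low))
                for hi in high_inits}
    return len(outcomes) == 1

# Constructed programs. LEAKY_A is accepted by the sequential rules (a high-guarded
# loop whose body is skip, then a low assignment) but its low outcomes depend on h.
LEAKY_A = (("while", lambda m: m["h"] == 1 and m["done"] == 0, ()),
           ("asgn", "l", lambda m: 0))
SAFE_A = (("while", lambda m: m["done"] == 0, ()), ("asgn", "l", lambda m: 0))
THREAD_B = (("asgn", "l", lambda m: 1), ("asgn", "done", lambda m: 1))
LOW = ["l", "done"]
```

With `h = 0` the leaky pair can finish with `l` equal to 0 or 1, but with `h = 1` thread A's loop cannot exit until B has stored both values, so `l` is always 0; `possibilistic_noninterference([LEAKY_A, THREAD_B], LOW, [{"h": 0}, {"h": 1}])` is therefore `False` while the same call with `SAFE_A` is `True`.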

[1] Daniel Le Métayer, et al. Compile-Time Detection of Information Flow in Sequential Programs, 1994, ESORICS.

[2] Hemma Prafullchandra, et al. Going Beyond the Sandbox: An Overview of the New Security Architecture in the Java Development Kit 1.2, 1997, USENIX Symposium on Internet Technologies and Systems.

[3] Daryl McCullough, et al. Noninterference and the composability of security properties, 1988, Proceedings of the 1988 IEEE Symposium on Security and Privacy.

[4] Jeffrey S. Fenton. Information Protection Systems, 1973.

[5] Jens Palsberg, et al. Trust in the λ-calculus, 1995, Journal of Functional Programming.

[6] Dorothy E. Denning, et al. Secure information flow in computer systems, 1975.

[7] James W. Gray, et al. Probabilistic interference, 1990, Proceedings of the 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[8] J. Meseguer, et al. Security Policies and Security Models, 1982, 1982 IEEE Symposium on Security and Privacy.

[9] Jens Palsberg, et al. Trust in the lambda-Calculus, 1997, Journal of Functional Programming.

[10] David A. Bell, et al. Secure computer systems: mathematical foundations and model, 1973.

[11] Robert D. Tennent, et al. Semantics of programming languages, 1991, Prentice Hall International Series in Computer Science.

[12] J. Todd Wittbold, et al. Information flow in nondeterministic systems, 1990, Proceedings of the 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[13] Martín Abadi, et al. Secrecy by Typing in Security Protocols, 1997, TACS.

[14] Carl A. Gunter. Semantics of programming languages: structures and techniques, 1993, Choice Reviews Online.

[15] Andrew C. Myers, et al. A decentralized model for information flow control, 1997, SOSP.

[16] Paul C. Kocher, et al. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, 1996, CRYPTO.

[17] Butler W. Lampson, et al. A note on the confinement problem, 1973, CACM.

[18] Geoffrey Smith, et al. A Type-Based Approach to Program Security, 1997, TAPSOFT.

[19] Peter J. Denning, et al. Certification of programs for secure information flow, 1977, CACM.

[20] Jon G. Riecke, et al. The SLam calculus: programming with secrecy and integrity, 1998, POPL '98.

[21] James W. Gray, et al. Toward a mathematical foundation for information flow security, 1991, Proceedings of the 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[22] John McLean, et al. Security models and information flow, 1990, Proceedings of the 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[23] Peter J. Denning, et al. Proving Protection Systems Safe, 1976.

[24] Cliff B. Jones, et al. Some Practical Problems and Their Influence on Semantics, 1996, ESOP.

[25] Geoffrey Smith, et al. Eliminating covert flows with minimum typings, 1997, Proceedings of the 10th Computer Security Foundations Workshop.

[26] Dennis Volpano, et al. A sound type system for secure flow analysis, 1996.

[27] Dorothy E. Denning, et al. A lattice model of secure information flow, 1976, CACM.

[28] Jeffrey D. Ullman, et al. Protection in operating systems, 1976, CACM.

[29] Jingsha He, et al. Formal Methods and Automated Tool for Timing-Channel Identification in TCB Source Code, 1992, ESORICS.

[30] Dan S. Wallach, et al. Extensible security architectures for Java, 1997, SOSP.