A decentralized model for information flow control

This paper presents a new model for controlling information flow in systems with mutual distrust and decentralized authority. The model allows users to share information with distrusted code (e.g., downloaded applets), yet still control how that code disseminates the shared information to others. The model improves on existing multilevel security models by allowing users to declassify information in a decentralized way, and by improving support for fine-grained data sharing. The paper also shows how static program analysis can be used to certify proper information flows in this model and to avoid most run-time information flow checks.
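The following is an added illustration, not code from the paper, of the decentralized labels the abstract refers to: it assumes the paper's label structure (each label is a set of owner policies, each owner naming the readers it permits), and shows the "may flow to" ordering, the join used when data is combined, and declassification that only the owning principal's authority can perform.

```python
# Added example: a minimal decentralized label model (owners with reader sets).
# Assumed, not taken from the page: a label is a dict {owner: set(readers)};
# an owner always counts as a reader of its own policy, and a principal that
# owns no policy in a label places no restriction on that label at all.
from typing import Dict, Set

Label = Dict[str, Set[str]]


def readers(label: Label, owner: str, everyone: Set[str]) -> Set[str]:
    """Readers that `owner` permits; an absent owner permits everyone."""
    if owner not in label:
        return set(everyone)
    return label[owner] | {owner}


def may_flow(src: Label, dst: Label, everyone: Set[str]) -> bool:
    """src may flow to dst iff dst is at least as restrictive: every owner of
    src also owns dst, and dst adds no reader that owner did not allow in src."""
    return all(owner in dst
               and readers(dst, owner, everyone) <= readers(src, owner, everyone)
               for owner in src)


def join(a: Label, b: Label, everyone: Set[str]) -> Label:
    """Least upper bound: combining two values keeps every owner's policy and
    intersects reader sets, so both sources' restrictions remain enforced."""
    return {o: (readers(a, o, everyone) & readers(b, o, everyone)) - {o}
            for o in set(a) | set(b)}


def declassify(label: Label, authority: Set[str],
               owner: str, new_readers: Set[str]) -> Label:
    """Decentralized declassification: code running with the authority of
    `owner` may relax only that owner's policy; other owners' policies stay."""
    if owner not in authority:
        raise PermissionError(f"no authority to act for principal {owner!r}")
    relaxed = {o: set(r) for o, r in label.items()}
    if owner in relaxed:
        relaxed[owner] |= new_readers
    return relaxed
```

Note that `may_flow` rejects the flow from `{"alice": set()}` to the label returned by `declassify(..., "alice", {"bob"})`: a reader is added only through the owner's explicit declassification, never through ordinary assignment.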
