Confidentiality and Integrity with Untrusted Hosts

Several security-typed languages have recently been proposed to enforce security properties such as confidentiality or integrity by type checking. We propose a new security-typed language, SPL@, that addresses two important limitations of previous approaches. First, existing languages assume that the underlying execution platform is trusted; this assumption does not scale to distributed computation in which a variety of differently trusted hosts are available to execute programs. Our new approach, secure program partitioning, translates programs written assuming complete trust in a single executing host into programs that execute using a collection of variously trusted hosts to perform computation. As the trust configuration of a distributed system evolves, this translation can be performed as necessary for security. Second, many common program transformations do not work in existing security-typed languages; although they produce equivalent programs, these programs are rejected because of apparent information flows. SPL@ uses a novel mechanism based on ordered linear continuations to permit a richer class of program transformations, including secure program partitioning. This report is the technical companion to [ZM00]. It contains expanded discussion and extensive proofs of both the soundness and noninterference theorems mentioned in Section 3.3 of that work.
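To make the second limitation concrete, the following is an added example and not code from the report or its authors: a Denning/Volpano-Smith style flow checker for a hypothetical two-label imperative language (labels L below H, variables `h` and `l`, all names constructed here), together with a small interpreter used to witness noninterference on concrete runs. It shows that `if h then l := 1 else l := 1` is rejected because of an apparent implicit flow through the guard, even though it is semantically identical to the accepted `l := 1` and produces low-equal outputs for any two low-equal inputs; this is exactly the class of equivalence-preserving transformation that a conventional security type system refuses.

```python
# Added illustration of a Denning/Volpano-Smith style flow check. This is NOT
# the report's SPL@ calculus; the language, labels and programs are constructed.
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Union

LOW, HIGH = "L", "H"
Label = str

def lub(a: Label, b: Label) -> Label:
    """Least upper bound in the two-point lattice L < H."""
    return HIGH if HIGH in (a, b) else LOW

def flows_to(a: Label, b: Label) -> bool:
    """a may flow to b iff a <= b in the lattice (H -> L is forbidden)."""
    return a == LOW or b == HIGH

# --- abstract syntax of the toy language (constructed for this example) ---
@dataclass
class Const:
    value: int

@dataclass
class Var:
    name: str

@dataclass
class Add:
    left: Expr
    right: Expr

Expr = Union[Const, Var, Add]

@dataclass
class Assign:
    target: str
    expr: Expr

@dataclass
class If:
    cond: Expr
    then: Stmt
    else_: Stmt

@dataclass
class Seq:
    stmts: List[Stmt]

Stmt = Union[Assign, If, Seq]

class FlowError(Exception):
    """Raised when H-labelled data would reach an L-labelled variable."""

def expr_label(e: Expr, env: Dict[str, Label]) -> Label:
    """Label of an expression: join of the labels of the variables it reads."""
    if isinstance(e, Const):
        return LOW
    if isinstance(e, Var):
        return env[e.name]
    return lub(expr_label(e.left, env), expr_label(e.right, env))

def check(s: Stmt, env: Dict[str, Label], pc: Label = LOW) -> None:
    """Reject explicit flows (assignment) and implicit flows (pc raised inside
    branches guarded by H data)."""
    if isinstance(s, Assign):
        src = lub(pc, expr_label(s.expr, env))
        if not flows_to(src, env[s.target]):
            raise FlowError(f"{src} data assigned to {s.target}:{env[s.target]}")
    elif isinstance(s, If):
        branch_pc = lub(pc, expr_label(s.cond, env))
        check(s.then, env, branch_pc)
        check(s.else_, env, branch_pc)
    else:
        for sub in s.stmts:
            check(sub, env, pc)

def accepts(s: Stmt, env: Dict[str, Label]) -> bool:
    try:
        check(s, env)
        return True
    except FlowError:
        return False

# --- interpreter, used to test noninterference on concrete runs ---
def eval_expr(e: Expr, store: Dict[str, int]) -> int:
    if isinstance(e, Const):
        return e.value
    if isinstance(e, Var):
        return store[e.name]
    return eval_expr(e.left, store) + eval_expr(e.right, store)

def run(s: Stmt, store: Dict[str, int]) -> Dict[str, int]:
    store = dict(store)
    if isinstance(s, Assign):
        store[s.target] = eval_expr(s.expr, store)
    elif isinstance(s, If):
        store = run(s.then if eval_expr(s.cond, store) != 0 else s.else_, store)
    else:
        for sub in s.stmts:
            store = run(sub, store)
    return store

def low_equal_outputs(s: Stmt, env: Dict[str, Label],
                      store_a: Dict[str, int], store_b: Dict[str, int]) -> bool:
    """One instance of the noninterference condition: runs that agree on L
    inputs must agree on L outputs (callers supply low-equal stores)."""
    out_a, out_b = run(s, store_a), run(s, store_b)
    return all(out_a[v] == out_b[v] for v, lab in env.items() if lab == LOW)

ENV = {"h": HIGH, "l": LOW}
EXPLICIT = Assign("l", Var("h"))                                        # l := h
IMPLICIT = If(Var("h"), Assign("l", Const(1)), Assign("l", Const(0)))   # leaks h via l
UPWARD = Assign("h", Add(Var("l"), Const(1)))                           # h := l + 1
DIRECT = Assign("l", Const(1))                                          # l := 1
# Equivalent to DIRECT (both branches write 1) but rejected: the checker only
# sees an H guard around an L assignment. This is the "apparent flow" problem.
REWRITTEN = If(Var("h"), Assign("l", Const(1)), Assign("l", Const(1)))

if __name__ == "__main__":
    for name, prog in [("explicit", EXPLICIT), ("implicit", IMPLICIT),
                       ("upward", UPWARD), ("direct", DIRECT), ("rewritten", REWRITTEN)]:
        print(f"{name:9s}", "accepted" if accepts(prog, ENV) else "rejected")
```

Running the block prints which programs the checker accepts; `low_equal_outputs(REWRITTEN, ENV, {"h": 0, "l": 7}, {"h": 1, "l": 7})` returns `True`, showing the rejected program is in fact noninterfering, while the same call on `IMPLICIT` returns `False`.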
