Declassification: Dimensions and principles

Computing systems often deliberately release (or declassify) sensitive information. A principal security concern for any system that permits information release is whether that release is safe: can an attacker compromise the release mechanism and extract more secret information than was intended? While the security community has recognised the importance of the problem, the state of the art in information release is, unfortunately, a collection of approaches with somewhat unconnected semantic goals. We provide a road map of the main directions of current research by classifying the basic goals according to what information is released, who releases it, where in the system it is released and when it can be released. With a general declassification framework as a long-term goal, we identify some prudent principles of declassification. These principles shed light on existing definitions and may also serve as useful “sanity checks” for emerging models.
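The central concern above, an attacker turning the release mechanism itself into a channel for more than the intended secret, is easy to reproduce in a few lines. The following is an added, constructed example, not code from the paper or from any of the systems it surveys: a minimal dynamic information-flow monitor with two kinds of declassification escape hatch. The first, `declassify_any`, relabels any value as public, so the same primitive that implements the intended one-bit password check also launders the whole password. The second, `declassify`, binds release to a named policy expression (here only `pw_check`), which fixes *what* may be released regardless of who calls it. All names (`Labeled`, `publish`, `RELEASE_POLICY`, the secret `hunter2`) are hypothetical.

```python
"""Constructed example: a tiny dynamic information-flow monitor showing how an
unrestricted declassify escape hatch can be abused to release more than
intended, and how a policy that fixes WHAT is released closes the hole.
Hypothetical names throughout; not the paper's own code."""

HIGH, LOW = "H", "L"


class Labeled:
    """A runtime value tagged with a confidentiality level (H secret, L public)."""

    def __init__(self, value, level):
        if level not in (HIGH, LOW):
            raise ValueError(level)
        self.value, self.level = value, level


class LeakBlocked(Exception):
    """Raised when H-labelled data would reach the attacker-observable channel."""


def lift(x):
    """Unlabelled constants and attacker-supplied inputs are public (L)."""
    return x if isinstance(x, Labeled) else Labeled(x, LOW)


def apply(f, *args):
    """Apply f to labelled values; the result's level is the join of the inputs' levels."""
    args = [lift(a) for a in args]
    level = HIGH if any(a.level == HIGH for a in args) else LOW
    return Labeled(f(*(a.value for a in args)), level)


def publish(x, channel):
    """Write to the public channel; the monitor refuses H data outright."""
    x = lift(x)
    if x.level == HIGH:
        raise LeakBlocked("H data on public channel")
    channel.append(x.value)


# 1. Unrestricted escape hatch: relabels ANY value as public.
def declassify_any(x):
    return Labeled(lift(x).value, LOW)


def login_unrestricted(stored_pw, guess, channel):
    """Intended release: one bit, whether the guess matches the password."""
    publish(declassify_any(apply(lambda a, b: a == b, stored_pw, guess)), channel)


def launder_unrestricted(stored_pw, channel):
    """Abuse: the same hatch releases the whole secret; the monitor
    cannot distinguish this call from the intended one."""
    publish(declassify_any(stored_pw), channel)


# 2. Policy-bound escape hatch: only named policy expressions may be released.
RELEASE_POLICY = {"pw_check": lambda pw, guess: pw == guess}


def declassify(policy_name, *args):
    """Evaluate a policy-approved expression over secrets and release only its
    result. Callers choose the arguments, never the expression."""
    hatch = RELEASE_POLICY[policy_name]
    return Labeled(apply(hatch, *args).value, LOW)


def login_policy(stored_pw, guess, channel):
    publish(declassify("pw_check", stored_pw, guess), channel)


def launder_policy(stored_pw, channel):
    """Attacker's options under the policy: a direct publish is blocked, and
    the only hatch yields a single comparison bit (a self-comparison reveals nothing)."""
    try:
        publish(stored_pw, channel)
    except LeakBlocked:
        pass
    publish(declassify("pw_check", stored_pw, stored_pw), channel)


def demo():
    """Return what the attacker sees under each hatch: (unrestricted, policy-bound)."""
    pw = Labeled("hunter2", HIGH)  # constructed secret
    unrestricted, policy = [], []
    login_unrestricted(pw, "letmein", unrestricted)
    launder_unrestricted(pw, unrestricted)
    login_policy(pw, "letmein", policy)
    launder_policy(pw, policy)
    return unrestricted, policy


if __name__ == "__main__":
    u, p = demo()
    print("unrestricted hatch, attacker observes:", u)  # [False, 'hunter2']
    print("policy-bound hatch, attacker observes:", p)  # [False, True]
```

The policy-bound hatch only constrains what a single release reveals; an attacker who controls `guess` can still extract the password one comparison at a time, which is exactly the intended release and is what the other dimensions (when, who) are needed to bound.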
