Flow Locks: Towards a Core Calculus for Dynamic Flow Policies

Security is rarely a static notion. What is considered to be confidential or untrusted data varies over time according to changing events and states. The static verification of secure information flow has been a popular theme in recent programming language research, but the information flow policies considered are based on multilevel security, which presents a static view of security levels. In this paper we introduce a very simple mechanism for specifying dynamic information flow policies, flow locks, which specify conditions under which data may be read by a certain actor. The interface between the policy and the code is via instructions which open and close flow locks. We present a type and effect system for an ML-like language with references which permits the completely static verification of flow lock policies, and prove that the system satisfies a semantic security property generalising noninterference. We show that this simple mechanism can represent a number of recently proposed information flow paradigms for declassification.
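The flow-lock idea sketched above, as an added illustration that is not code from the paper: a small static checker over a hypothetical straight-line instruction set (open, close, assign, read) that tracks which locks are open and rejects flows the policy forbids. The policy encoding, the flow ordering in `may_flow`, the instruction names and the auction scenario are my own simplifications (no branching, no references), not the paper's calculus or its type system.

```python
# Added illustration of flow locks; a simplified model written for this page,
# not the paper's calculus. A policy maps each actor to the set of locks that
# must be open before that actor may read the data; an empty set means the
# actor may always read it.
Policy = dict[str, frozenset[str]]


def may_flow(src: Policy, dst: Policy, open_locks: set[str]) -> bool:
    """Data labelled src may be stored under dst if every actor dst admits is
    also admitted by src once the currently open locks are discounted."""
    for actor, dst_locks in dst.items():
        if actor not in src:
            return False                        # dst would reveal it to a new actor
        still_needed = src[actor] - open_locks  # locks src demands that are not open
        if not still_needed <= dst_locks:
            return False                        # dst drops a condition src still needs
    return True


def check(program: list[tuple], policies: dict[str, Policy]) -> list[str]:
    """Static pass over a straight-line program: tracks the open locks and
    reports every assignment or actor read that the policies forbid.
    Instructions: ("open", lock), ("close", lock), ("assign", dst, src),
    ("read", actor, var)."""
    open_locks: set[str] = set()
    errors: list[str] = []
    for instr in program:
        op = instr[0]
        if op == "open":
            open_locks.add(instr[1])
        elif op == "close":
            open_locks.discard(instr[1])
        elif op == "assign":
            _, dst, src = instr
            if not may_flow(policies[src], policies[dst], open_locks):
                errors.append(f"{dst} := {src} with {sorted(open_locks)} open")
        elif op == "read":
            _, actor, var = instr
            needed = policies[var].get(actor)
            if needed is None or not needed <= open_locks:
                errors.append(f"{actor} reads {var} with {sorted(open_locks)} open")
    return errors


# Constructed scenario: a bid is private to alice until the auction closes,
# after which bob (the auctioneer) may see it.
POLICIES = {
    "bid":     {"alice": frozenset(), "bob": frozenset({"auction_closed"})},
    "bob_out": {"bob": frozenset()},
}
GOOD = [("open", "auction_closed"), ("assign", "bob_out", "bid"), ("close", "auction_closed")]
BAD = [("assign", "bob_out", "bid"), ("read", "bob", "bid")]
```

`check(GOOD, POLICIES)` returns no errors, while `check(BAD, POLICIES)` reports both the early assignment and the early read, since the `auction_closed` lock is never opened.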
