A semantic approach to secure information flow

A classic problem in security is to determine whether a program has secure information flow. Informally, this problem is described as follows: Given a program with variables partitioned into two disjoint sets of “high-security” and “low-security” variables, check whether observations of the low-security variables reveal any information about the initial values of the high-security variables. Although the problem has been studied for several decades, most previous approaches have been syntactic in nature, often using type systems and compiler data flow analysis techniques to analyze program texts. This paper presents a considerably different approach to checking secure information flow, based on a semantic characterization. A semantic approach has several desirable features. Firstly, it gives a more precise characterization of security than that provided by most previous approaches. Secondly, it applies to any programming constructs whose semantics are definable; for instance, the introduction of nondeterminism and exceptions poses no additional problems. Thirdly, it can be used for reasoning about indirect leaking of information through variations in program behavior (e.g., whether or not the program terminates).
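The informal definition above (two runs that start with the same low values must be indistinguishable to a low observer, whatever the high values were) can be checked directly on a program's semantics rather than on its text. The block below is an added illustration, not code or a formalization from the paper: programs are given as their relational semantics, a function from an initial state (h, l) to the set of possible outcomes, where an outcome is a final state or a DIVERGES marker. Sets model nondeterminism and the marker models nontermination, so the two extensions the abstract mentions fall out of the same check. Brute-force enumeration over a small finite value domain (HIGH_DOMAIN, LOW_DOMAIN) is an assumption of this example; a real semantic argument would be a proof over all values.

```python
"""Observation-based check of secure information flow over a finite domain.

Added example; not the paper's formalization. A program is represented by
its semantics: program(h, l) -> set of outcomes, each outcome either a final
state (h, l) or DIVERGES. Sets give nondeterminism, DIVERGES nontermination.
"""

HIGH_DOMAIN = range(4)   # constructed finite domains for exhaustive checking
LOW_DOMAIN = range(4)
DIVERGES = "diverges"    # marker outcome: the run does not terminate


def low_view(results, termination_sensitive=True):
    """What a low observer can see of a set of outcomes: the final low
    values and, when termination_sensitive, whether divergence was possible."""
    view = set()
    for r in results:
        if r is DIVERGES:
            if termination_sensitive:
                view.add(DIVERGES)
        else:
            view.add(r[1])
    return frozenset(view)


def is_secure(program, termination_sensitive=True):
    """Noninterference: initial states that agree on l must yield the same
    low view for every h. Returns (True, None) or (False, counterexample)."""
    for l in LOW_DOMAIN:
        seen = {}  # low view -> first h that produced it
        for h in HIGH_DOMAIN:
            view = low_view(program(h, l), termination_sensitive)
            if not termination_sensitive and not view:
                continue  # no terminating run: nothing for a TI observer to compare
            seen.setdefault(view, h)
        if len(seen) > 1:
            (v1, h1), (v2, h2) = list(seen.items())[:2]
            return False, {"l": l,
                           "h1": h1, "view1": sorted(map(str, v1)),
                           "h2": h2, "view2": sorted(map(str, v2))}
    return True, None


# Sample programs over one high variable h and one low variable l, written
# directly as their semantics (constructed for this example).

def copy_high(h, l):
    """l := h  (direct flow)"""
    return {(h, h)}


def copy_then_clear(h, l):
    """l := h; l := 0  (flow-insensitive type systems reject the first
    assignment, but nothing about h is observable afterwards)"""
    return {(h, 0)}


def termination_leak(h, l):
    """if h > 0 then (while true do skip) else skip  (leaks via termination)"""
    return {DIVERGES} if h > 0 else {(h, l)}


def nondet_secure(h, l):
    """l := 0 [] l := 1  (nondeterministic choice independent of h)"""
    return {(h, 0), (h, 1)}


def nondet_leak(h, l):
    """l := h [] l := 0  (the set of possible final l depends on h)"""
    return {(h, h), (h, 0)}


if __name__ == "__main__":
    progs = (copy_high, copy_then_clear, termination_leak, nondet_secure, nondet_leak)
    for prog in progs:
        ts, ce = is_secure(prog)
        ti, _ = is_secure(prog, termination_sensitive=False)
        print(f"{prog.__name__:17} termination-sensitive={ts!s:5} "
              f"termination-insensitive={ti!s:5} {ce or ''}")
```

Two points the run makes concrete: copy_then_clear is accepted because the check looks at final observations rather than at the assignment text, and termination_leak is rejected only when divergence counts as an observation, which is exactly the kind of behavioural leak a purely syntactic data-flow check does not see.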

K. Rustan M. Leino et al., A semantic approach to secure information flow, Sci. Comput. Program., 2000.