Towards Static Flow-Based Declassification for Legacy and Untrusted Programs

Simple non-interference is too restrictive for specifying and enforcing information flow policies in most programs. Exceptions to non-interference are provided using declassification policies. Several approaches for enforcing declassification have been proposed in the literature. In most of these approaches, the declassification policies are embedded in the program itself or heavily tied to the variables in the program being analyzed, thereby providing little separation between the code and the policy. Consequently, the previous approaches essentially require that the code be trusted, since to trust that the correct policy is being enforced, we need to trust the source code. In this paper, we propose a novel framework in which declassification policies are related to the source code being analyzed via its I/O channels. The framework supports many of the of declassification policies identified in the literature. Based on flow-based static analysis, it represents a first step towards a new approach that can be applied to untrusted and legacy source code to automatically verify that the analyzed program complies with the specified declassification policies. The analysis works by constructing a conservative approximation of expressions over input channel values that could be output by the program, and by determining whether all such expressions satisfy the declassification requirements stated in the policy. We introduce a representation of such expressions that resembles tree automata. We prove that if a program is considered safe according to our analysis then it satisfies a property we call Policy Controlled Release, which formalizes information-flow correctness according to our notion of declassification policy. We demonstrate, through examples, that our approach works for several interesting and useful declassification policies, including one involving declassification of the average of several confidential values.

[1]  Hanspeter Mössenböck,et al.  Single-pass generation of static single-assignment form for structured languages , 1994, TOPL.

[2]  Steve Zdancewic,et al.  Challenges for Information-flow Security , 2004 .

[3]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[4]  Andrei Sabelfeld,et al.  Tight Enforcement of Information-Release Policies for Dynamic Languages , 2009, 2009 22nd IEEE Computer Security Foundations Symposium.

[5]  Andrew C. Myers,et al.  A Model for Delimited Information Release , 2003, ISSS.

[6]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[7]  Anindya Banerjee,et al.  Secure information flow and pointer con .nement in a java-like language , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[8]  Marianne Winslett,et al.  A Trust Management Approach for Flexible Policy Management in Security-Typed Languages , 2008, 2008 21st IEEE Computer Security Foundations Symposium.

[9]  Benjamin Livshits,et al.  Finding Security Vulnerabilities in Java Applications with Static Analysis , 2005, USENIX Security Symposium.

[10]  Andrew C. Myers,et al.  Security policies for downgrading , 2004, CCS '04.

[11]  Andrei Sabelfeld,et al.  Localized delimited release: combining the what and where dimensions of information release , 2007, PLAS '07.

[12]  François Pottier,et al.  Information flow inference for ML , 2003, TOPL.

[13]  Andrei Sabelfeld,et al.  Gradual Release: Unifying Declassification, Encryption and Key Release Policies , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[14]  Torben Amtoft,et al.  A logic for information flow in object-oriented programs , 2006, POPL '06.

[15]  Torben Amtoft,et al.  Information Flow Analysis in Logical Form , 2004, SAS.

[16]  Gregor Snelting,et al.  Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs , 2009, International Journal of Information Security.

[17]  Manu Sridharan,et al.  TAJ: effective taint analysis of web applications , 2009, PLDI '09.

[18]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[19]  David Sands,et al.  Dimensions and principles of declassification , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[20]  Michael Hicks,et al.  Verified enforcement of stateful information release policies , 2008, PLAS '08.

[21]  David Sands,et al.  Termination-Insensitive Noninterference Leaks More Than Just a Bit , 2008, ESORICS.

[22]  Mark N. Wegman,et al.  Efficiently computing static single assignment form and the control dependence graph , 1991, TOPL.

[23]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[24]  Mads Dam,et al.  On the Secure Implementation of Security Protocols , 2003, ESOP.

[25]  H. Stamer Security-Typed Languages for Implementation of Cryptographic Protocols : A Case Study , 2007 .

[26]  Andrew C. Myers,et al.  End-to-End Enforcement of Erasure and Declassification , 2008, 2008 21st IEEE Computer Security Foundations Symposium.

[27]  Joe Hendrix,et al.  Combining Equational Tree Automata over AC and ACI Theories , 2008, RTA.

[28]  Daniel Le Métayer,et al.  Compile-Time Detection of Information Flow in Sequential Programs , 1994, ESORICS.

[29]  Anindya Banerjee,et al.  Expressive Declassification Policies and Modular Static Enforcement , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[30]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[31]  Boniface Hicks,et al.  Declassification with Cryptographic Functions in a Security-Typed Language , 2005 .

[32]  Robin Milner,et al.  Communication and concurrency , 1989, PHI Series in computer science.

[33]  Bernard Carré,et al.  Information-flow and data-flow analysis of while-programs , 1985, TOPL.

[34]  Thomas W. Reps,et al.  Precise interprocedural dataflow analysis via graph reachability , 1995, POPL '95.

[35]  Steve Zdancewic,et al.  A Design for a Security-Typed Language with Certificate-Based Declassification , 2005, ESOP.

[36]  Michael Hicks,et al.  Managing policy updates in security-typed languages , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[37]  Roberto Giacobazzi,et al.  Abstract non-interference: parameterizing non-interference by abstract interpretation , 2004, POPL.

[38]  Peng Li,et al.  Downgrading policies and relaxed noninterference , 2005, POPL '05.

[39]  Boniface Hicks,et al.  Trusted declassification:: high-level policy for a security-typed language , 2006, PLAS '06.

[40]  Gregor Snelting,et al.  Information Flow Control for Java Based on Path Conditions in Dependence Graphs , 2006, ISSSE.

[41]  Keshav Pingali,et al.  Algorithms for computing the static single assignment form , 2003, JACM.

[42]  Chris Hankin,et al.  Information flow for Algol-like languages , 2002, Comput. Lang. Syst. Struct..