Secure Information Flow as a Safety Property

In this paper we argue that, from the perspective of developing "security-minded" programming languages, the secure information flow property should be defined, like disciplined access control, as a standard safety property based on a notion of security error, namely that one should not write into a public location a value computed from confidential information. We show that this is the property guaranteed by a standard security type system, and that, for a simple language, it is strictly stronger than non-interference. Moreover, we show that this notion of secure information flow allows us to give natural semantics to various security-minded programming constructs, including declassification.
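To make the safety-property view concrete, the following added example (not the paper's formalism) runs a tiny while-language under a monitor that raises the security error the abstract names: a value whose label, joined with the label of the enclosing control context, is confidential is written into a public location. The `declassify` construct, the level names and the sample programs are assumptions of this illustration; the paper's type system rejects such programs statically for all runs, whereas this monitor only reports the error on the runs where the write actually happens.

```python
import operator
from typing import Any

LOW, HIGH = 0, 1  # security levels: HIGH (confidential) sits above LOW (public)

class SecurityError(Exception):
    """The security error: a confidential value reaches a public location."""

def eval_expr(expr: tuple, mem: dict, labels: dict) -> tuple[Any, int]:
    """Evaluate to (value, label). Expression forms (assumed syntax):
    ('const', n), ('var', x), ('op', f, e1, e2), ('declassify', e)."""
    tag = expr[0]
    if tag == "const":
        return expr[1], LOW
    if tag == "var":
        return mem[expr[1]], labels[expr[1]]
    if tag == "op":
        a, la = eval_expr(expr[2], mem, labels)
        b, lb = eval_expr(expr[3], mem, labels)
        return expr[1](a, b), max(la, lb)  # a result is as confidential as any input
    if tag == "declassify":  # assumed construct: deliberately lowers the label to public
        return eval_expr(expr[1], mem, labels)[0], LOW
    raise ValueError(f"unknown expression form {tag!r}")

def run(stmts: list, mem: dict, labels: dict, pc: int = LOW) -> dict:
    """Execute statements; `pc` is the label of the control context (implicit flows)."""
    for s in stmts:
        if s[0] == "assign":
            _, x, e = s
            v, lv = eval_expr(e, mem, labels)
            if labels[x] == LOW and max(lv, pc) == HIGH:
                raise SecurityError(f"confidential value written to public location {x!r}")
            mem[x] = v
        elif s[0] == "if":
            _, cond, then_b, else_b = s
            c, lc = eval_expr(cond, mem, labels)
            run(then_b if c else else_b, mem, labels, max(pc, lc))
    return mem

def demo() -> tuple[dict, str]:
    """Constructed sample: `secret` and `tmp` are confidential, `out` is public."""
    labels = {"secret": HIGH, "tmp": HIGH, "out": LOW}
    safe = [("assign", "tmp", ("op", operator.add, ("var", "secret"), ("const", 1))),
            ("assign", "out", ("const", 42))]
    leaky = [("if", ("op", operator.gt, ("var", "secret"), ("const", 0)),
              [("assign", "out", ("const", 1))], [("assign", "out", ("const", 0))])]
    final = run(safe, {"secret": 7, "tmp": 0, "out": 0}, labels)
    try:
        run(leaky, {"secret": 7, "tmp": 0, "out": 0}, labels)
        verdict = "no error"
    except SecurityError as err:
        verdict = str(err)
    return final, verdict
```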