Improving the Semantics of Imperfect Security

Information flow policies that evolve over time (including, for example, declassification) are widely recognised as an essential ingredient of a usable information flow control system. In previous work ([BS06a, BS06b]) we presented one approach to such policies, flow locks, a very general and flexible system capable of encoding many other proposed approaches. However, any such policy approach is only useful if we have a precise specification (a semantic model) of what we are trying to enforce. A semantic model gives us insight into what a policy actually guarantees, and defines the precise goals of any enforcement mechanism. Unfortunately, semantic models of declassification can be both inaccurate and difficult to understand. This was definitely the case for the flow locks system as presented in [BS06a, BS06b], and we have found that the main problem is one common to most models proposed to date. We start by discussing the problem in general, and then go on to sketch its solution for the flow locks system specifically.

[1] Heiko Mantel et al. Controlling the What and Where of Declassification in Language-Based Security. ESOP, 2007.

[2] Frédéric Prost et al. Security policy in a declarative style. PPDP, 2005.

[3] Heiko Mantel et al. Who Can Declassify? Formal Aspects in Security and Trust, 2008.

[4] Gérard Boudol et al. On Declassification and the Non-Disclosure Policy. CSFW, 2005.

[5] Brian Campbell et al. Amortised Memory Analysis Using the Depth of Data Structures. ESOP, 2009.

[6] David Sands et al. Dimensions and principles of declassification. 18th IEEE Computer Security Foundations Workshop (CSFW'05), 2005.

[7] David Sands et al. Flow-sensitive semantics for dynamic information flow policies (abstract only). SIGP, 2009.

[8] David Sands et al. Flow-sensitive semantics for dynamic information flow policies. PLAS '09, 2009.

[9] David Sands et al. Flow Locks: Towards a Core Calculus for Dynamic Flow Policies. ESOP, 2006.

[10] Mads Dam et al. Decidability and proof systems for language-based noninterference relations. POPL '06, 2006.

[11] Gilles Barthe et al. Tractable Enforcement of Declassification Policies. 21st IEEE Computer Security Foundations Symposium, 2008.

[12] David Sands et al. Controlled Declassification Based on Intransitive Noninterference. APLAS, 2004.

[13] Andrei Sabelfeld et al. Gradual Release: Unifying Declassification, Encryption and Key Release Policies. IEEE Symposium on Security and Privacy (SP '07), 2007.

[14] Gilles Dowek et al. Principles of programming languages. Prentice Hall International Series in Computer Science, 1981.