Stack-based access control and secure information flow

Access control mechanisms are often used with the intent of enforcing confidentiality and integrity policies, but few rigorous connections have been made between information flow and runtime access control. The Java virtual machine and the .NET runtime system provide a dynamic access control mechanism in which permissions are granted to program units and a runtime mechanism checks permissions of code in the calling chain. We investigate a design pattern by which this mechanism can be used to achieve confidentiality and integrity goals: a single interface serves callers of more than one security level and dynamic access control prevents release of high information to low callers. Programs fitting this pattern would be rejected by previous flow analyses. We give a static analysis that admits them, using permission-dependent security types. The analysis is given for a class-based object-oriented language with features including inheritance, dynamic binding, dynamically allocated mutable objects, type casts and recursive types. The analysis is shown to ensure a noninterference property formalizing confidentiality and integrity.
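The design pattern the abstract describes, written out against the Java 2 stack-inspection API as an added example (this is not code from the paper; the class and permission names `ReadSalaryPermission`, `Employee`, `PayrollReport` and `UntrustedPlugin` are hypothetical). One method, `summary()`, serves callers of two security levels: the permission check walks every frame of the calling chain, and the high field is appended only when all of them hold the permission, so the branch taken, and with it the security level of the returned string, depends on the caller's permissions.

```java
// Added example of the "one interface, callers of two levels" pattern.
// All class names are hypothetical. Running it requires a SecurityManager
// and a policy entry such as the following (JDK 23 or earlier; the
// SecurityManager is deprecated for removal since JDK 17 and disabled
// in JDK 24):
//
//   grant codeBase "file:/opt/payroll/trusted/-" {
//       permission ReadSalaryPermission "readSalary";
//   };
//
// Employee and PayrollReport live under that trusted code base;
// UntrustedPlugin is loaded from a code base with no such grant.
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;

/** Permission that labels the high (confidential) field. Hypothetical. */
final class ReadSalaryPermission extends BasicPermission {
    ReadSalaryPermission() {
        super("readSalary");
    }
}

final class Employee {
    private final String name;   // low: may flow to any caller
    private final int salary;    // high: must not reach a caller lacking the permission

    Employee(String name, int salary) {
        this.name = name;
        this.salary = salary;
    }

    /**
     * Single interface for callers of more than one security level.
     * AccessController.checkPermission inspects every frame on the stack
     * (including this one), so the salary is released only when the whole
     * calling chain holds ReadSalaryPermission.
     */
    public String summary() {
        StringBuilder out = new StringBuilder(name);
        try {
            AccessController.checkPermission(new ReadSalaryPermission());
            out.append(", salary=").append(salary);      // high branch
        } catch (AccessControlException denied) {
            out.append(", salary=<withheld>");           // low branch: no high data
        }
        return out.toString();
    }
}

/** Trusted reporting code, granted ReadSalaryPermission by the policy. */
final class PayrollReport {
    static String line(Employee e) {
        // Every frame above this one must also be trusted, or the
        // check inside summary() fails and the low branch runs.
        return e.summary();
    }
}

/** Plugin loaded from an untrusted code base; no grant in the policy. */
final class UntrustedPlugin {
    static String line(Employee e) {
        // The same call, but this frame lacks the permission, so the
        // check fails and only the low information comes back.
        return e.summary();
    }
}
```

A conventional flow analysis labels the result of `summary()` high because one branch mentions `salary`, and therefore rejects `UntrustedPlugin.line` as a low receiver of high data; the permission-dependent types in the abstract let the return type be high only for callers that hold `ReadSalaryPermission`, which is exactly what the runtime check guarantees.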
