Information-flow security for interactive programs

Interactive programs allow users to engage in input and output throughout execution. The ubiquity of such programs motivates the development of models for reasoning about their information-flow security, yet no such models seem to exist for imperative programming languages. Further, existing language-based security conditions founded on noninteractive models permit insecure information flows in interactive imperative programs. This paper formulates new strategy-based information-flow security conditions for a simple imperative programming language that includes input and output operators. The semantics of the language enables a fine-grained approach to the resolution of nondeterministic choices. The security conditions leverage this approach to prohibit refinement attacks while still permitting observable nondeterminism. Extending the language with probabilistic choice yields a corresponding definition of probabilistic noninterference. A soundness theorem demonstrates the feasibility of statically enforcing the security conditions via a simple type system. These results constitute a step toward understanding and enforcing information-flow security in real-world programming languages, which include similar input and output operators.
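As an added illustration of the kind of enforcement the abstract describes (this is example code written for this page, not the paper's calculus, semantics or type system), the block below defines a tiny imperative language with `input x from ch` and `output e to ch` commands over a two-level lattice, an interpreter for it, and a Volpano-Smith-style security type checker extended with assumed rules for input and output: an input or output on a channel is only allowed when the control context is no higher than the channel's level, since the channel's user can observe that the event happened. It also includes a batch-style two-run comparison of L-channel outputs; that comparison is the simple noninteractive check, not the paper's strategy-based condition, which additionally quantifies over user strategies. All names (`check`, `run`, `LEAKY`, `SAFE`, the channel levels) and the sample programs are constructed for this example.

```python
# Illustrative code for this page: a toy while-language with I/O channels,
# an interpreter, and a Denning/Volpano-Smith-style security type checker
# with assumed rules for input and output. Not the paper's own system.

LOW, HIGH = "L", "H"  # two-point lattice, L below H

def lub(a, b):
    return HIGH if HIGH in (a, b) else LOW

def leq(a, b):
    return a == LOW or b == HIGH

class Insecure(Exception):
    """Raised when the type checker rejects a program."""

class Blocked(Exception):
    """Input requested on a channel with no pending value; execution stops."""

def expr_level(e, gamma):
    """Level of an expression: join of the levels of the variables it reads."""
    if isinstance(e, int):
        return LOW
    if isinstance(e, str):
        return gamma[e]
    _op, e1, e2 = e
    return lub(expr_level(e1, gamma), expr_level(e2, gamma))

def check(c, gamma, chans, pc=LOW):
    """gamma: variable -> level, chans: channel -> level,
    pc: level of the control context (guards branched on so far)."""
    tag = c[0]
    if tag == "skip":
        return
    if tag == "assign":
        _, x, e = c
        if not leq(lub(pc, expr_level(e, gamma)), gamma[x]):
            raise Insecure(f"flow into {x} (pc={pc})")
    elif tag == "seq":
        for sub in c[1:]:
            check(sub, gamma, chans, pc)
    elif tag in ("if", "while"):
        # bodies run in a context raised to the guard's level (implicit flows)
        pc2 = lub(pc, expr_level(c[1], gamma))
        for body in c[2:]:
            check(body, gamma, chans, pc2)
    elif tag == "input":
        _, x, ch = c
        # assumed rule: consuming input is visible to ch's user, so pc <= level(ch);
        # the value read carries level(ch) into x
        if not leq(pc, chans[ch]) or not leq(lub(pc, chans[ch]), gamma[x]):
            raise Insecure(f"input from {ch} into {x} (pc={pc})")
    elif tag == "output":
        _, e, ch = c
        # assumed rule: an output on ch reveals the value and that this point was reached
        if not leq(lub(pc, expr_level(e, gamma)), chans[ch]):
            raise Insecure(f"output to {ch} (pc={pc})")
    else:
        raise ValueError(f"unknown command {tag}")

def eval_expr(e, env):
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return env.get(e, 0)
    op, e1, e2 = e
    a, b = eval_expr(e1, env), eval_expr(e2, env)
    return a + b if op == "+" else int(a < b)

def exec_cmd(c, env, inputs, outputs):
    tag = c[0]
    if tag == "assign":
        env[c[1]] = eval_expr(c[2], env)
    elif tag == "seq":
        for sub in c[1:]:
            exec_cmd(sub, env, inputs, outputs)
    elif tag == "if":
        exec_cmd(c[2] if eval_expr(c[1], env) else c[3], env, inputs, outputs)
    elif tag == "while":
        while eval_expr(c[1], env):
            exec_cmd(c[2], env, inputs, outputs)
    elif tag == "input":
        if not inputs[c[2]]:
            raise Blocked(c[2])
        env[c[1]] = inputs[c[2]].pop(0)
    elif tag == "output":
        outputs[c[2]].append(eval_expr(c[1], env))

def run(c, inputs):
    """inputs: channel -> list of values consumed in order; returns channel -> outputs."""
    pending = {ch: list(vs) for ch, vs in inputs.items()}
    outputs = {ch: [] for ch in inputs}
    try:
        exec_cmd(c, {}, pending, outputs)
    except Blocked:
        pass
    return outputs

def low_outputs_agree(c, chans, inputs1, inputs2):
    """Batch-style two-run check: identical outputs on every L channel?"""
    o1, o2 = run(c, inputs1), run(c, inputs2)
    return all(o1[ch] == o2[ch] for ch in chans if chans[ch] == LOW)

GAMMA = {"h": HIGH, "l": LOW}      # constructed variable levels
CHANS = {"H": HIGH, "L": LOW}      # constructed channel levels

# leaks one bit of the H input through which L output is produced (implicit flow)
LEAKY = ("seq", ("input", "h", "H"),
         ("if", ("<", "h", 5), ("output", 1, "L"), ("output", 0, "L")))
# L output depends only on L input; H input only reaches the H channel
SAFE = ("seq", ("input", "l", "L"), ("output", ("+", "l", 1), "L"),
        ("input", "h", "H"), ("output", "h", "H"))

def is_well_typed(c):
    try:
        check(c, GAMMA, CHANS)
        return True
    except Insecure:
        return False
```

Running `is_well_typed(LEAKY)` returns False because the `output` to `L` sits under a guard of level `H`, and `low_outputs_agree(LEAKY, CHANS, {"H": [3], "L": []}, {"H": [9], "L": []})` returns False because the two runs write different values to `L`; `SAFE` passes both checks. The blocking behaviour on an empty input channel is one of the interactive features that a noninteractive (batch) condition does not model.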
