Automated enforcement for relaxed information release with reference points

Abstract

Language-based information-flow security is a promising approach for enforcing strong security and protecting data confidentiality in end-to-end communication. Here, noninterference is the standard and most restrictive security property: it completely forbids confidential data from being released to a public context. Although this baseline property has been enforced in many settings, many programs that are considered secure enough still violate it in some way. To control information release in such programs, the predetermined ways in which confidential data may be released must be specified. These intentional releases, also called declassifications, are regulated by security properties that are more relaxed than noninterference. The security properties for controlled declassification have been developed along different dimensions, each with its own declassification goals. However, the mechanisms used to enforce these properties are still unaccommodating, unspecific, and insufficiently studied. In this work, a new security property, Relaxed Release with Reference Points (R3P), is presented to limit the information that can be declassified in a program. Moreover, a new enforcement mechanism based on reachability analysis of pushdown systems is proposed to enforce R3P on programs. To show that R3P is fit for use, we prove that it complies with the well-known prudent principles of declassification, and we also identify some restrictions of our security policy. The general applicability, precision, efficiency, and influencing factors of our enforcement have been evaluated.

Main contributions (translated from the Chinese abstract notes):
(1) A more general security property (R3P) is proposed, which can be enforced by automated program verification.
(2) It is proved that this security property is consistent with several general prudent principles of declassification, and a new prudent principle, "conditional persistence", is proposed to explain the limitations of the security policy.
(3) Reachability analysis is used for the first time to enforce a declassification security property on the "What" dimension; the enforcement method is more general than existing approaches based on automated program verification.
(4) A "store-match" pattern for model transformation is proposed, which effectively reduces the state space and lowers the verification overhead.
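As an added illustration (not code from the paper), the contrast the abstract draws between noninterference and a relaxed, "what"-dimension release: a two-run check over constructed secrets rejects a program that publishes an individual value but accepts one that publishes only the declared average. The two-run check, the sample programs and the escape-hatch policy are assumptions of this example, not the paper's R3P mechanism or its pushdown-system reachability analysis.

```python
from typing import Any, Callable, List, Optional, Tuple

# Constructed illustration of noninterference versus relaxed ("what") release.
# This is a two-run witness check, not the paper's R3P enforcement.
Secret = List[int]                       # confidential (high) input, e.g. salaries
Program = Callable[[Secret, int], Any]   # (high, low) -> public output
Hatch = Callable[[Secret], Any]          # declared escape-hatch expression


def noninterferent(prog: Program, high_a: Secret, high_b: Secret, low: int) -> bool:
    """Two runs differing only in the secret must give the same public output."""
    return prog(high_a, low) == prog(high_b, low)


def release_allowed(prog: Program, hatch: Hatch,
                    high_a: Secret, high_b: Secret, low: int) -> bool:
    """Relaxed release: a public difference is permitted only when the declared
    escape hatch itself distinguishes the two secrets; otherwise the program
    must behave exactly as noninterference demands."""
    if hatch(high_a) != hatch(high_b):
        return True
    return noninterferent(prog, high_a, high_b, low)


def find_violation(prog: Program, hatch: Hatch, secrets: List[Secret],
                   low: int) -> Optional[Tuple[Secret, Secret]]:
    """Search all pairs of sample secrets for a difference that leaks past the
    hatch; returns the offending pair, or None if this sample finds none."""
    for i, a in enumerate(secrets):
        for b in secrets[i + 1:]:
            if not release_allowed(prog, hatch, a, b, low):
                return (a, b)
    return None


def average(high: Secret) -> int:
    return sum(high) // len(high)


def publish_average(high: Secret, low: int) -> int:
    """Intended release: only the average leaves the confidential context."""
    return average(high) + low


def publish_first(high: Secret, low: int) -> int:
    """Leaky program: exposes one individual secret value, not just the average."""
    return high[0] + low


# Constructed sample secrets; the first two share an average of 20.
SAMPLE_SECRETS = [[10, 20, 30], [15, 20, 25], [40, 50, 60]]
```

Even `publish_average` fails plain noninterference (its output depends on the secret), which is exactly the kind of program the abstract describes as secure enough yet violating the baseline property; only the declared hatch makes it acceptable, while `publish_first` is still caught because two secrets with the same average produce different outputs.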
