A Policy Semantics and a Programming Language for Securing Software

The work presented in this thesis contributes to the information flow policy specification language Paralocks and the enforcement of Paralocks policies in the programming language Paragon. The thesis starts with a programming tutorial on Paragon. The tutorial aims to make Paragon accessible to programmers without any familiarity with information flow theory. We gradually introduce the Java programmer to various information flow concepts using the Paragon programming language. The tutorial also provides the information and design patterns needed to set up realistic software applications in Paragon. Next we focus our attention on the design and implementation of Paragon. We discuss how the Paralocks language is generalised to integrate more tightly with Java's object-oriented programming style, on which Paragon is built. Combined with the dynamic nature of Paralocks policies, Paragon promises to be a flexible and expressive programming language. Finally we present an alternative semantics for Paralocks, based on the declarative language Datalog. Compared to Paralocks' original semantics, the Datalog-inspired semantics provides a more natural and intuitive interpretation for Paralocks policies. We show that the new semantics coincides with the original semantics. It also allows us to adopt Datalog extensions and algorithms into Paralocks and Paragon.
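The following is an added illustration of the Datalog reading of Paralocks policies sketched in the abstract; it is not code from the thesis, from Paragon, or from any Paralocks implementation. It assumes the usual Paralocks shape of a policy (a set of clauses whose head is `Flow(actor)` and whose body is a set of lock atoms), a lock state given as a set of ground lock atoms, and the ordering "p is no more restrictive than q under lock state LS when every clause of q follows from p together with LS"; that ordering is checked the way Datalog clause implication is, by freezing a clause's variables to fresh constants, adding its body to the lock state as facts and running a bottom-up fixpoint. The locks `HasRole` and `ExportApproved`, the actors `alice` and `bob`, and all sample policies are constructed for the example.

```python
"""
Paralocks policies read as small Datalog programs (added illustration).

Assumed reading:
  * A policy is a list of clauses  Flow(a) :- L1(..), L2(..), ...  whose body
    atoms are locks; the clause says actor `a` may read once those locks are open.
  * A lock state LS is a set of ground lock atoms (the locks currently open).
  * Data labelled p may flow to a sink labelled q in lock state LS when p is no
    more restrictive than q under LS: every clause of q is entailed by p + LS.

Atoms are tuples such as ("HasRole", "U", "analyst").  A term that starts with
an uppercase letter is a variable; anything else is a constant.  Only Flow heads
may contain a variable that is unbound in the body (the "everyone" policy).
"""


def is_var(term):
    return term[:1].isupper()


def substitute(atom, subst):
    return (atom[0],) + tuple(subst.get(t, t) for t in atom[1:])


def match(pattern, fact, subst):
    """Match one atom against a ground atom; return the extended substitution or None."""
    if pattern[0] != fact[0] or len(pattern) != len(fact):
        return None
    s = dict(subst)
    for p, f in zip(pattern[1:], fact[1:]):
        if is_var(p):
            if s.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return s


def match_body(body, facts, subst):
    """Yield every substitution under which all body atoms are known facts."""
    if not body:
        yield subst
        return
    for fact in facts:
        s = match(body[0], fact, subst)
        if s is not None:
            yield from match_body(body[1:], facts, s)


def derive(clauses, facts):
    """Naive bottom-up Datalog evaluation: least fixpoint of the clauses over the facts."""
    known = set(facts)
    while True:
        new = {substitute(head, s)
               for head, body in clauses
               for s in match_body(body, known, {})}
        if new <= known:
            return known
        known |= new


def entails(policy, lock_state, clause):
    """Does policy + lock_state entail the (universally quantified) clause?"""
    fresh = {}

    def freeze(atom):  # replace each variable by a fresh constant (consistently)
        return (atom[0],) + tuple(
            fresh.setdefault(t, "_k%d" % len(fresh)) if is_var(t) else t
            for t in atom[1:])

    head, body = clause
    facts = set(lock_state) | {freeze(a) for a in body}  # body frozen first
    goal = freeze(head)
    # A derived Flow(X) with X unbound subsumes every actor, so check by matching.
    return any(match(a, goal, {}) is not None for a in derive(policy, facts))


def may_flow(p, q, lock_state):
    """p no more restrictive than q under lock_state: data labelled p may reach a sink labelled q."""
    return all(entails(p, lock_state, c) for c in q)


# Constructed example: a report readable by analysts, and by auditors once an
# export has been approved.  Locks model role membership and the approval step.
REPORT = [
    (("Flow", "U"), [("HasRole", "U", "analyst")]),
    (("Flow", "U"), [("HasRole", "U", "auditor"), ("ExportApproved",)]),
]
ANALYSTS = [(("Flow", "U"), [("HasRole", "U", "analyst")])]
ONLY_ALICE = [(("Flow", "alice"), [])]   # a sink read by alice alone
ONLY_BOB = [(("Flow", "bob"), [])]
PUBLIC = [(("Flow", "X"), [])]           # bottom: anyone may read
SECRET = []                              # top: nobody may read


def demo():
    ls = {("HasRole", "alice", "analyst"), ("HasRole", "bob", "auditor")}
    return {
        "alice_reads_report": may_flow(REPORT, ONLY_ALICE, ls),
        "bob_before_approval": may_flow(REPORT, ONLY_BOB, ls),
        "bob_after_approval": may_flow(REPORT, ONLY_BOB, ls | {("ExportApproved",)}),
        "report_to_analysts": may_flow(REPORT, ANALYSTS, set()),   # holds in every lock state
        "analysts_to_report": may_flow(ANALYSTS, REPORT, set()),   # REPORT is the more permissive one
        "public_to_report": may_flow(PUBLIC, REPORT, set()),
        "public_to_secret": may_flow(PUBLIC, SECRET, set()),
        "secret_to_public": may_flow(SECRET, PUBLIC, set()),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-22s %s" % (name, "allowed" if allowed else "denied"))
```

The `report_to_analysts` and `analysts_to_report` cases are the point of the Datalog view: comparing two policies with variables is clause implication rather than a comparison of concrete reader sets, so it can be decided once, independently of whichever locks happen to be open at run time, while the `bob_*` cases show the same check becoming lock-state dependent when a ground sink policy is involved.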
