Confidentiality Policies and Their Extraction from Programs

Abstract: We examine a well-known confidentiality requirement called noninterference and argue that many systems do not meet this requirement despite maintaining the privacy of their users. We discuss a weaker requirement called incident-insensitive noninterference that captures why these systems maintain the privacy of their users while possibly not satisfying noninterference. We extend this requirement to depend on dynamic information in a novel way. Lastly, we present a method based on model checking to extract from program source code the dynamic incident-insensitive noninterference policy that the given program obeys.
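As an added illustration, not code from the paper, the following Python checks strict noninterference exhaustively over a constructed toy state space: a PIN checker fails the check even though it reveals at most one bit per query, which is the kind of system the abstract has in mind. The incident-insensitive variant and the model-checking extraction described in the abstract are not implemented here; the domains, function names and the two toy programs are assumptions made for this example.

```python
"""Added example (not the paper's own code): brute-force noninterference check.

Noninterference: for every pair of runs that agree on the low (public) input,
the low-observable output must agree regardless of the high (secret) input.
Enumerating all (secret, low input) pairs is the exhaustive, model-checking
style view of the property on a finite toy state space.
"""
from itertools import combinations
from math import log2

# Constructed toy domains: a stored PIN is the high input, a guess is the low input.
SECRETS = ["0000", "1234", "9999"]
GUESSES = ["0000", "1234", "5555"]


def pin_check(secret, guess):
    """Low-observable output: accept/reject. Depends on the secret, so it violates NI."""
    return "accept" if secret == guess else "reject"


def constant_reject(secret, guess):
    """Low-observable output independent of the secret: satisfies NI trivially."""
    return "reject"


def noninterference_violations(program, secrets, low_inputs):
    """Return witnesses (low, secret_a, secret_b, out_a, out_b): two runs that agree
    on the low input but produce different low-observable outputs."""
    witnesses = []
    for low in low_inputs:
        outs = {s: program(s, low) for s in secrets}
        for a, b in combinations(secrets, 2):
            if outs[a] != outs[b]:
                witnesses.append((low, a, b, outs[a], outs[b]))
    return witnesses


def satisfies_noninterference(program, secrets, low_inputs):
    """True iff no pair of runs with equal low input is distinguishable."""
    return not noninterference_violations(program, secrets, low_inputs)


def max_bits_per_query(program, secrets, low_inputs):
    """Upper bound on secret information an observer learns from one query:
    log2 of the largest number of distinct outputs reachable for a fixed low input.
    A bound of 1.0 means the program leaks at most one bit even though it fails NI."""
    widest = max(len({program(s, low) for s in secrets}) for low in low_inputs)
    return log2(widest)
```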
