Dynamic updating of information-flo w policies

Applications that manipulate sensitive information should ensure end-to-end security by satisfying two properties: sound execution and some form of noninterference. By the former, we mean the program should always perform actions in keeping with its current policy, and by the latter we mean that these actions should never cause high-security information to be visible to a low-security observer. Over the last decade, securitytyped languages have been developed that exhibit these properties, increasingly improving so as to model important features of real programs. No current security-typed language, however, permits general changes to security policies in use by running programs. This paper presents a simple information flow type system for that allows for dynamic security policy updates while ensuring sound execution and a relaxed form of noninterference we term noninterference between updates. We see this work as an important step toward using language-based techniques to ensure end-to-end security for realistic applications.

[1]  Thierry Coquand,et al.  Inheritance as Implicit Coercion , 1991, Inf. Comput..

[2]  Andrew C. Myers,et al.  Dynamic Security Labels and Noninterference , 2004 .

[3]  Steve Zdancewic,et al.  Run-time Principals in Information-flow Type Systems , 2004, IEEE Symposium on Security and Privacy.

[4]  Carl A. Gunter,et al.  Generalized certificate revocation , 2000, POPL '00.

[5]  Alexander Aiken,et al.  Soft typing with conditional types , 1994, POPL '94.

[6]  David Sands,et al.  Dimensions and principles of declassification , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[7]  Dan Boneh,et al.  A Method for Fast Revocation of Public Key Certificates and Security Capabilities , 2001, USENIX Security Symposium.

[8]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[9]  David Sands,et al.  Controlled Declassification Based on Intransitive Noninterference , 2004, APLAS.

[10]  Andrew C. Myers,et al.  Enforcing robust declassification , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[11]  Andrew C. Myers,et al.  Robust declassification , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[12]  José Meseguer,et al.  Unwinding and Inference Control , 1984, 1984 IEEE Symposium on Security and Privacy.

[13]  Benjamin C. Pierce,et al.  Types and programming languages: the next generation , 2003, 18th Annual IEEE Symposium of Logic in Computer Science, 2003. Proceedings..

[14]  Jon G. Riecke,et al.  The SLam calculus: programming with secrecy and integrity , 1998, POPL '98.

[15]  Gavin M. Bierman,et al.  Mutatis Mutandis: Safe and predictable dynamic software updating , 2007, TOPL.

[16]  John McLean,et al.  Security models and information flow , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[17]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[18]  Andrew C. Myers,et al.  Mostly-static decentralized information flow control , 1999 .

[19]  John C. Reynolds,et al.  Syntactic control of interference , 1978, POPL.