The Anatomy and Facets of Dynamic Policies

Information flow policies are often dynamic: the security concerns of a program will typically change during execution to reflect security-relevant events. A key challenge is how best to specify, and give proper meaning to, such dynamic policies. A large number of approaches exist that tackle this challenge, each yielding some important but unconnected insight. In this work we synthesise existing knowledge on dynamic policies, with the aim of establishing a common terminology, best practices, and frameworks for reasoning about them. We introduce the concept of facets to illuminate subtleties in the semantics of policies, and closely examine the anatomy of policies and the expressiveness of policy specification mechanisms. We further explore the relation between dynamic policies and the concept of declassification.
