Learning is Change in Knowledge: Knowledge-Based Security for Dynamic Policies

In systems that handle confidential information, the security policy to enforce on information frequently changes: new users join the system, old users leave, and the sensitivity of data changes over time. It is challenging, yet important, to specify what it means for such systems to be secure, and to gain assurance that a system is secure. We present a language-based model for specifying, reasoning about, and enforcing information security in systems that dynamically change the security policy. We specify security for such systems as a simple and intuitive extensional knowledge-based semantic condition: an attacker can only learn information in accordance with the current security policy. Importantly, the semantic condition is parameterized by the ability of the attacker. Learning is about change in knowledge, and an observation that allows one attacker to learn confidential information may provide a different attacker with no new information. A program that is secure against an attacker with perfect recall may not be secure against a more realistic, weaker attacker. We introduce a compositional model of attackers that simplifies enforcement of security, and demonstrate that standard information-flow control mechanisms, such as security-type systems and information-flow monitors, can be easily adapted to enforce security for a broad and useful class of attackers.
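The following is an added example, not code from the paper: a small model of the knowledge-based condition described above. Knowledge is the set of secrets consistent with what the attacker retains, and a step is secure if the change in knowledge is permitted by the policy in force at that step. The secret domain, the two policies, the two attacker models and the three-step program are all constructed for illustration, and `first_violation` is a simplification of the paper's condition, not its formal definition.

```python
# Constructed toy: the confidential value h ranges over four secrets.
SECRETS = range(4)

# An attacker is a function from the observation sequence to the state it
# retains. Its knowledge is "which secrets would leave me in this state".
def perfect_recall(obs):
    return tuple(obs)

def memoryless(obs):
    # A weaker attacker that remembers only the most recent observation.
    return obs[-1] if obs else None

def observations(program, h, upto):
    # Outputs produced by the first `upto` steps when the secret is h.
    return [out(h) for _, out in program[:upto]]

def knowledge(attacker, program, h, upto):
    mine = attacker(observations(program, h, upto))
    return {h2 for h2 in SECRETS
            if attacker(observations(program, h2, upto)) == mine}

def permitted(policy, h):
    # Secrets the current policy does NOT allow the attacker to rule out:
    # those the policy maps to the same released value as h.
    return {h2 for h2 in SECRETS if policy(h2) == policy(h)}

def first_violation(program, attacker):
    """Return (h, step) for the first step at which the attacker learns more
    than the policy in force at that step permits, or None if secure."""
    for h in SECRETS:
        before = set(SECRETS)            # initially every secret is possible
        for i, (policy, _) in enumerate(program, start=1):
            after = knowledge(attacker, program, h, i)
            # Learning is change in knowledge: the new knowledge may only
            # refine the old knowledge along the currently permitted partition.
            if not after >= (before & permitted(policy, h)):
                return (h, i)
            before = after
    return None

PARITY = lambda h: h % 2     # policy permitting the low bit of h to be learned
NOTHING = lambda h: None     # policy permitting nothing about h to be learned

# Constructed program: release parity while permitted, emit a public constant,
# then release parity again after the policy has been tightened to NOTHING.
PROGRAM = [(PARITY, lambda h: h % 2),
           (NOTHING, lambda h: 0),
           (NOTHING, lambda h: h % 2)]
```

The perfect-recall attacker already knows the parity at step 3, so its knowledge does not change and the program is secure against it; the memoryless attacker has forgotten it and learns it again under a policy that forbids that release.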
