Handling declared information leakage: extended abstract

We address the problem of controlling information leakage in a concurrent declarative programming setting. Our aim is to define formal tools in order to distinguish between authorized, or declared, information flows such as password testing (e.g., ATM, login processes, etc.) and non-authorized ones. We propose to define security policies as rewriting systems. Such policies define how the privacy levels of information evolve. A formal definition of secure processes with respect to a given security policy is given.
