Lenient array operations for practical secure information flow

Our goal in this paper is to make secure information flow typing more practical. We propose simple and permissive typing rules for array operations in a simple sequential imperative language. Arrays are given types of the form τ₁ arr τ₂, where τ₁ is the security class of the array's contents and τ₂ is the security class of the array's length. To keep the typing rules permissive, we propose a novel, lenient semantics for out-of-bounds array indices. We show that our type system ensures a noninterference property, and we present an example that suggests that it will not be too difficult in practice to write programs that satisfy the typing rules.
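The following Python sketch is an added illustration of the abstract's two ideas and is not code from the paper: arrays carry a separate class for contents (τ₁) and for length (τ₂), and the out-of-bounds semantics decides whether a read with a HIGH index into a LOW array can be typed permissively without letting a LOW observer learn the index from a crash. The two-point lattice, the particular result classes computed by `read`, `write` and `length`, the omission of a program-counter label, and the sample programs `lookup` and `secret_sized` are all my assumptions about a sound discipline in the spirit of the abstract, not the paper's actual typing rules. The noninterference check is the usual two-run experiment: run one program on two HIGH inputs and compare everything LOW-observable, including whether the run terminated normally.

```python
"""Lenient vs. strict out-of-bounds array semantics under information-flow typing.

Added illustration, not the paper's code or rules.  Assumed: a two-point lattice
(LOW < HIGH, join = max), arrays of type  tau1 arr tau2, Volpano-Smith-style
result classes, and no program-counter label (no control flow is modelled).
"""
from dataclasses import dataclass

LOW, HIGH = 0, 1                      # two-point lattice; join is max


@dataclass
class Arr:
    """A value of type  tau1 arr tau2 : separate classes for contents and length."""
    cells: list
    tau1: int                          # security class of the contents
    tau2: int                          # security class of the length


class OutOfBounds(Exception):
    """Raised by the strict semantics; whether it happens is LOW-observable."""


class FlowError(Exception):
    """The assumed typing rule rejects the operation."""


def join(*classes):
    return max(classes)


def length(a):
    """n := length(a)   ->   class tau2."""
    return len(a.cells), a.tau2


def read(a, i, i_cls, lenient):
    """x := a[i].  Assumed result class tau1 ⊔ tau2 ⊔ class(i): the value depends
    on the contents, on the index and, with lenient semantics, on the length."""
    cls = join(a.tau1, a.tau2, i_cls)
    if 0 <= i < len(a.cells):
        return a.cells[i], cls
    if lenient:
        return 0, cls                  # lenient: out-of-bounds read yields a default
    raise OutOfBounds(i)               # strict: abnormal termination leaks i


def write(a, i, i_cls, v, v_cls, lenient):
    """a[i] := v.  Assumed rule: class(i) ⊔ class(v) ≤ tau1, so the cell written
    (and the value) reveal nothing above the contents class."""
    if join(i_cls, v_cls) > a.tau1:
        raise FlowError(f"class {join(i_cls, v_cls)} flows into class {a.tau1} array")
    if 0 <= i < len(a.cells):
        a.cells[i] = v
    elif not lenient:
        raise OutOfBounds(i)           # lenient: out-of-bounds write is a no-op


def write_is_rejected(a, i, i_cls, v, v_cls):
    """True if the typing rule (not the semantics) refuses a[i] := v."""
    try:
        write(a, i, i_cls, v, v_cls, lenient=True)
    except FlowError:
        return True
    return False


# --- sample programs (constructed for the illustration) ---------------------

def lookup(secret, lenient):
    """table : LOW arr LOW, indexed by a HIGH value.  Well-typed: x is HIGH."""
    table = Arr([10, 20, 30], tau1=LOW, tau2=LOW)
    x, x_cls = read(table, secret, HIGH, lenient)
    n, n_cls = length(table)
    return [(x, x_cls), (n, n_cls)]


def secret_sized(secret, lenient):
    """buf : LOW arr HIGH, allocated with a HIGH length; its length, and any
    read from it, must be HIGH because in-/out-of-bounds depends on the length."""
    buf = Arr([0] * secret, tau1=LOW, tau2=HIGH)
    n, n_cls = length(buf)
    y, y_cls = read(buf, 0, LOW, lenient)
    return [(n, n_cls), (y, y_cls)]


# --- noninterference experiment ---------------------------------------------

def low_view(program, secret, lenient):
    """What a LOW observer sees: LOW-classified results plus the termination mode."""
    try:
        results = program(secret, lenient)
    except OutOfBounds:
        return ("crash",)
    return tuple(v for v, cls in results if cls == LOW) + ("ok",)


def noninterfering(program, secrets, lenient):
    """True if every HIGH input produces the same LOW view."""
    return len({low_view(program, s, lenient) for s in secrets}) == 1


if __name__ == "__main__":
    for prog, secrets in ((lookup, [1, 7]), (secret_sized, [0, 3])):
        for lenient in (False, True):
            print(prog.__name__, "lenient" if lenient else "strict",
                  "noninterfering" if noninterfering(prog, secrets, lenient) else "LEAKS")
    print("HIGH index into LOW array rejected:",
          write_is_rejected(Arr([1, 2], LOW, LOW), 1, HIGH, 0, LOW))
```

Under strict semantics both programs leak: `lookup` crashes for the out-of-range secret 7 and completes for 1, and `secret_sized` crashes when the secret length is 0. Under lenient semantics the same well-typed programs have a single LOW view for every secret, which is the point of not making the typing rule for `a[i]` forbid a HIGH index into a LOW array. The write rule still has to reject `table[secret] := 0`, since that would put the secret into LOW-readable cells whatever the semantics.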