Dynamic Enforcement of Dynamic Policies

This paper presents SLIO, an information-flow control mechanism enforcing dynamic policies: security policies which change the relation between security levels while the system is running. SLIO builds on LIO, a floating-label information-flow control system embedded in Haskell that uses a runtime monitor to enforce security. We identify an implicit flow arising from the decision to change the policy based on sensitive information and introduce a corresponding check in the enforcement mechanism. We provide a formal security guarantee for SLIO, presented as a knowledge-based property, which specifies that observers can only learn information in accordance with the level ordering. Like LIO, SLIO is a generic enforcement mechanism, parametrised on the concrete instantiation of security labels and their policy change mechanism. To illustrate the applicability of our results, we implement well-known label models such as DLM, the Flowlocks framework, and DC labels in SLIO.
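The implicit flow the abstract refers to can be shown with a small model. The following is an added illustration, not SLIO's or LIO's own code: a toy floating-label monitor in Python whose "may flow to" relation can be changed at runtime. The rule it enforces for a policy change (the current label must flow, under the policy as it stands, to the level that gains permission) is an assumption of this model chosen to show the leak, not necessarily the exact check SLIO uses. Levels here are plain strings and the current label is modelled as the set of levels the computation has read from, so the model also works for orderings that are not lattices.

```python
"""Toy floating-label monitor with dynamic policy changes (added example).

Scenario: the decision to relax the policy (alice -> bob) is taken in a
context that has already read alice's secret.  Without a check on the
policy change itself, bob learns the secret by observing whether the
change happened.  With the check, the change is refused in the tainted
context and the policy bob sees is the same for either secret value.
"""
from typing import FrozenSet, List, Set, Tuple

Level = str
Edge = Tuple[Level, Level]


class IFCViolation(Exception):
    """Raised by the monitor when a flow or policy change is not permitted."""


class Policy:
    """A mutable 'may flow to' relation; reachability is computed on demand."""

    def __init__(self, edges: Set[Edge]):
        self.edges: Set[Edge] = set(edges)

    def flows(self, src: Level, dst: Level) -> bool:
        # Reflexive-transitive closure over the current edges.
        seen, frontier = {src}, [src]
        while frontier:
            cur = frontier.pop()
            if cur == dst:
                return True
            for a, b in self.edges:
                if a == cur and b not in seen:
                    seen.add(b)
                    frontier.append(b)
        return False


class Monitor:
    """Floating-label monitor: the current label is the set of levels read so far."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.current: FrozenSet[Level] = frozenset()
        self.log: List[Tuple[Level, object]] = []  # observable outputs (level, value)

    def read(self, level: Level, value):
        # Reading raises the current label: the context now depends on `level`.
        self.current = self.current | {level}
        return value

    def _guard(self, target: Level, what: str) -> None:
        # Everything the context depends on must be allowed to flow to `target`.
        for src in self.current:
            if not self.policy.flows(src, target):
                raise IFCViolation(f"{what}: {src} may not flow to {target}")

    def write(self, target: Level, value) -> None:
        self._guard(target, f"write of {value!r}")
        self.log.append((target, value))

    def allow_flow(self, src: Level, dst: Level, check_policy_change: bool = True) -> None:
        # Dynamic policy change: from now on `src` may flow to `dst`.
        # Toy rule (assumption of this model): the change is an effect visible to
        # `dst`, so it is only permitted if the current label may flow to `dst`
        # under the policy in force *before* the change.
        if check_policy_change:
            self._guard(dst, f"policy change {src}->{dst}")
        self.policy.edges.add((src, dst))


def benign_release() -> List[Tuple[Level, object]]:
    """Policy change decided in an untainted context, then used for a release."""
    m = Monitor(Policy(set()))
    m.allow_flow("alice", "bob")   # current label is empty: nothing to leak
    secret = m.read("alice", 42)   # constructed sample secret
    m.write("bob", secret)         # alice -> bob is now permitted
    return m.log


def secret_dependent_change(secret_value: bool, check: bool) -> bool:
    """Decide a policy change based on a secret; return what bob can observe
    afterwards, namely whether alice -> bob is allowed."""
    m = Monitor(Policy(set()))
    secret = m.read("alice", secret_value)   # current label is now {alice}
    try:
        if secret:
            m.allow_flow("alice", "bob", check_policy_change=check)
    except IFCViolation:
        pass   # the monitor stopped the {alice}-labelled context; policy unchanged
    return m.policy.flows("alice", "bob")


if __name__ == "__main__":
    print("benign release:", benign_release())
    for chk in (False, True):
        outcomes = {s: secret_dependent_change(s, chk) for s in (True, False)}
        print(f"check={chk}: bob observes {outcomes}")
```

With the check disabled, the two runs of `secret_dependent_change` give bob different views of the policy, which is exactly the implicit flow through the policy-change decision; with it enabled, both runs leave the policy unchanged from bob's point of view. The refusal itself is raised inside the context labelled `alice`, so, as in LIO, it is not an observation available to bob except through termination, which this model, like termination-insensitive noninterference, does not account for.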
