Enforcing Robust Declassification and Qualified Robustness

Noninterference requires that there is no information flow from sensitive to public data in a given system. However, many systems release sensitive information as part of their intended function and therefore violate noninterference. To control information flow while permitting information release, some systems have a downgrading or declassification mechanism, but this creates the danger that it may cause unintentional information release. This paper shows that a robustness property can be used to characterize programs in which declassification mechanisms cannot be controlled by attackers to release more information than intended. It describes a simple way to provably enforce this robustness property through a type-based compile-time program analysis. The paper also presents a generalization of robustness that supports upgrading (endorsing) data integrity.
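As an added illustration (not code from the paper), the robustness condition described above can be checked by a small type checker: `declassify` is accepted only when neither the control context (pc) nor the data being released is attacker-influenced, and `endorse` is what lets the qualified variant first raise integrity and then declassify. The mini-language, the two-point confidentiality and integrity lattices, the simplified `endorse` rule and the `is_robust` wrapper are all assumptions of this example.

```python
# Added example (not from the paper): a toy checker for the robust
# declassification condition, over a tiny imperative language. Labels are
# (confidentiality, integrity) pairs: L < H, and T (trusted) < U (untrusted).
CONF = {"L": 0, "H": 1}
INTEG = {"T": 0, "U": 1}

def join(a, b):
    return (max(a[0], b[0], key=CONF.get), max(a[1], b[1], key=INTEG.get))

def flows_to(a, b):
    """a may flow to b if b is at least as secret and at most as trusted."""
    return CONF[a[0]] <= CONF[b[0]] and INTEG[a[1]] <= INTEG[b[1]]

def label_of(expr, env, pc):
    """Label of an expression; pc is the label of the control context."""
    kind = expr[0]
    if kind == "var":
        return env[expr[1]]
    if kind == "declassify":  # lower confidentiality H -> L
        l = label_of(expr[1], env, pc)
        # Robustness: neither the decision to declassify (pc) nor the data
        # may be attacker-influenced, or the attacker steers what is released.
        if pc[1] != "T" or l[1] != "T":
            raise TypeError("declassify in untrusted context or of untrusted data")
        return ("L", l[1])
    if kind == "endorse":  # raise integrity U -> T (simplified rule, assumed)
        l = label_of(expr[1], env, pc)
        return (l[0], "T")
    raise ValueError(f"unknown expression {kind}")

def check(stmts, env, pc=("L", "T")):
    """Type-check a statement list; raises TypeError on an insecure flow."""
    for s in stmts:
        if s[0] == "assign":
            _, x, e = s
            if not flows_to(join(label_of(e, env, pc), pc), env[x]):
                raise TypeError(f"insecure flow into {x}")
        elif s[0] == "if":
            _, cond, then_b, else_b = s
            pc2 = join(pc, label_of(cond, env, pc))  # branches inherit cond's label
            check(then_b, env, pc2)
            check(else_b, env, pc2)
    return True

def is_robust(stmts, env):
    try:
        return check(stmts, env)
    except TypeError:
        return False
```

With `u` an attacker-controlled input, `if u: out := declassify(secret)` and `t := u; out := declassify(t)` are both rejected, while `out := declassify(secret)` and the endorsed form `out := declassify(endorse(u))` are accepted.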