Modelling declassification policies using abstract domain completeness

This paper explores a three-dimensional characterisation of a declassification-based non-interference policy and its consequences. Two of the dimensions consist of specifying: (a) the power of the attacker, that is, what public information a program has that an attacker can observe; and (b) what secret information a program has that needs to be protected. Both these dimensions are regulated by the third dimension: (c) the choice of program semantics, for example, trace semantics or denotational semantics, or any semantics in Cousot's semantics hierarchy. To check whether a program satisfies a non-interference policy, one can compute an abstract domain that over-approximates the information released by the policy and then check whether program execution can release more information than permitted by the policy. Counterexamples to a policy can be generated by using a variant of the Paige-Tarjan algorithm for partition refinement. Given the counterexamples, the policy can be refined so that the least amount of confidential information required for making the program secure is declassified.
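The check-and-refine loop sketched in the abstract, as an added Python example that is not the paper's own code: it covers only the denotational (input/output) semantics, where a policy is a partition of the secret inputs into blocks the attacker may tell apart and the information a program releases is the partition induced by its public outputs; the program is secure iff the policy partition refines the released one, a violation yields pairs of secrets as counterexamples, and the least declassification that repairs the policy is the partition meet, which is what partition refinement reduces to for a deterministic function (no Paige-Tarjan machinery is needed in this restricted setting). The toy parity policy, the two programs and all names are constructed.

```python
from collections import defaultdict

SECRETS = range(8)      # constructed: secret input h ranges over 0..7
PUBLICS = (0, 1)        # constructed: public input l

def partition_by(items, key):
    """Partition items into blocks of equal key (blocks are frozensets)."""
    blocks = defaultdict(set)
    for x in items:
        blocks[key(x)].add(x)
    return frozenset(frozenset(b) for b in blocks.values())

def released_partition(program, secrets=SECRETS, publics=PUBLICS):
    """Information the program releases: two secrets land in one block
    iff no choice of public input makes their public outputs differ."""
    return partition_by(secrets, lambda h: tuple(program(l, h) for l in publics))

def refines(fine, coarse):
    """True iff every block of `fine` lies inside some block of `coarse`."""
    return all(any(b <= c for c in coarse) for b in fine)

def meet(p, q):
    """Coarsest common refinement of two partitions."""
    return frozenset(b & c for b in p for c in q if b & c)

def counterexamples(policy, released):
    """Secret pairs the policy treats as indistinguishable but the
    program separates; empty iff the program satisfies the policy."""
    block_of = {h: b for b in released for h in b}
    hits = []
    for blk in policy:
        hs = sorted(blk)
        for i, h1 in enumerate(hs):
            hits += [(h1, h2) for h2 in hs[i + 1:] if block_of[h1] != block_of[h2]]
    return hits

def check(program, policy):
    """Return (secure?, counterexamples, least refined policy that makes
    the program secure). Secure iff policy refines the released partition."""
    released = released_partition(program)
    if refines(policy, released):
        return True, [], policy
    return False, counterexamples(policy, released), meet(policy, released)
# Constructed policy: the attacker may learn the parity of h, nothing more.
PARITY_POLICY = partition_by(SECRETS, lambda h: h % 2)
def prog_ok(l, h):
    return h % 2                  # releases exactly what the policy allows
def prog_leaky(l, h):
    return h % 4 if l else h % 2  # with l == 1 it also reveals bit 1 of h
```

For the leaky program the refined policy splits each parity block by `h % 4`, i.e. it declassifies bit 1 of `h` in addition to parity and nothing else.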