Very Static Enforcement of Dynamic Policies

Security policies are naturally dynamic. Reflecting this, there has been a growing interest in studying information-flow properties which change during program execution, including concepts such as declassification, revocation, and role-change. A static verification of a dynamic information flow policy, from a semantic perspective, should only need to concern itself with two things: 1 the dependencies between data in a program, and 2 whether those dependencies are consistent with the intended flow policies as they change over time. In this paper we provide a formal ground for this intuition. We present a straightforward extension to the principal flow-sensitive type system introduced by Hunt and Sands POPL '06, ESOP '11 to infer both end-to-end dependencies and dependencies at intermediate points in a program. This allows typings to be applied to verification of both static and dynamic policies. Our extension preserves the principal type system's distinguishing feature, that type inference is independent of the policy to be enforced: a single, generic dependency analysis typing can be used to verify many different dynamic policies of a given program, thus achieving a clean separation between 1 and 2. We also make contributions to the foundations of dynamic information flow. Arguably, the most compelling semantic definitions for dynamic security conditions in the literature are phrased in the so-called knowledge-based style. We contribute a new definition of knowledge-based progress insensitive security for dynamic policies. We show that the new definition avoids anomalies of previous definitions and enjoys a simple and useful characterisation as a two-run style property.

[1]  David Sands,et al.  On flow-sensitive security types , 2006, POPL '06.

[2]  Michael Hicks,et al.  Managing policy updates in security-typed languages , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[3]  David Sands,et al.  Paragon for Practical Programming with Information-Flow Control , 2013, APLAS.

[4]  Andrei Sabelfeld,et al.  Gradual Release: Unifying Declassification, Encryption and Key Release Policies , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[5]  David Sands,et al.  Termination-Insensitive Noninterference Leaks More Than Just a Bit , 2008, ESORICS.

[6]  David Sands,et al.  Flow-sensitive semantics for dynamic information flow policies , 2009, PLAS '09.

[7]  Deian Stefan,et al.  Flexible dynamic information flow control in Haskell , 2012 .

[8]  Deian Stefan,et al.  Flexible dynamic information flow control in Haskell , 2012, Haskell '11.

[9]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[10]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[11]  David Sands,et al.  From Exponential to Polynomial-Time Security Typing via Principal Types , 2011, ESOP.

[12]  Chris Hankin,et al.  Information flow for Algol-like languages , 2002, Comput. Lang. Syst. Struct..

[13]  Mads Dam,et al.  ENCoVer: Symbolic Exploration for Information Flow Security , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[14]  David Sands,et al.  Paralocks: role-based information flow control and beyond , 2010, POPL '10.

[15]  Mads Dam,et al.  Epistemic temporal logic for information flow security , 2011, PLAS '11.

[16]  José Meseguer,et al.  Unwinding and Inference Control , 1984, 1984 IEEE Symposium on Security and Privacy.

[17]  Stephen Chong,et al.  Learning is Change in Knowledge: Knowledge-Based Security for Dynamic Policies , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[18]  Gregory R. Andrews,et al.  An Axiomatic Approach to Information Flow in Programs , 1980, TOPL.

[19]  Peter J. Denning,et al.  Certification of programs for secure information flow , 1977, CACM.

[20]  Chenyi Zhang,et al.  Conditional Information Flow Policies and Unwinding Relations , 2011, TGC.

[21]  Boniface Hicks,et al.  Dynamic updating of information-flo w policies , 2005 .

[22]  Torben Amtoft,et al.  Information Flow Analysis in Logical Form , 2004, SAS.

[23]  Daniel Le Métayer,et al.  Compile-Time Detection of Information Flow in Sequential Programs , 1994, ESORICS.

[24]  Anindya Banerjee,et al.  Expressive Declassification Policies and Modular Static Enforcement , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).