Reactive noninterference

Many programs operate reactively: patiently waiting for user input, running for a while producing output, and eventually returning to a state where they are ready to accept another input (or occasionally diverging). When a reactive program communicates with multiple parties, we would like to be sure that it can be given secret information by one without leaking it to others. Motivated by web browsers and client-side web applications, we explore definitions of noninterference for reactive programs and identify two of special interest: one corresponding to termination-insensitive noninterference for a simple sequential language, the other to termination-sensitive noninterference. We focus on the former and develop a proof technique for showing that program behaviors are secure according to this definition. To demonstrate the viability of the approach, we define a simple reactive language with an information-flow type system and apply our proof technique to show that well-typed programs are secure.
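As an added illustration (not code from the paper), the following Python toy model contrasts the termination-insensitive and termination-sensitive definitions the abstract names by running a reactive program on two low-equivalent input streams. The handler model, the prefix rule for diverging runs, and the three sample handlers are my own simplifying assumptions, not the paper's formal definitions.

```python
# Added example (toy model, my own simplification, not the paper's formal definitions):
# the two noninterference flavours the abstract names, run on a reactive program.
L, H = "L", "H"  # channel labels: low (public observer) and high (secret)

def run(handler, inputs):
    """Feed events to a reactive program. handler(state, label, value) returns
    (new_state, [(label, value), ...]) or None to model divergence on that event."""
    state, outs = {}, []
    for label, value in inputs:
        res = handler(state, label, value)
        if res is None:
            return outs, True  # diverged: later events are never handled
        state, new_outs = res
        outs.extend(new_outs)
    return outs, False

def low_proj(events):
    """What a low observer sees: only the values carried on the L channel."""
    return [v for lab, v in events if lab == L]

def ti_secure(handler, ins_a, ins_b):
    """Termination-insensitive: low outputs agree on low-equivalent inputs, except
    that a diverging run may stop early (its low output is a prefix of the other)."""
    assert low_proj(ins_a) == low_proj(ins_b), "inputs must be low-equivalent"
    (oa, da), (ob, db) = run(handler, ins_a), run(handler, ins_b)
    la, lb = low_proj(oa), low_proj(ob)
    if not (da or db):
        return la == lb
    return (da and la == lb[:len(la)]) or (db and lb == la[:len(lb)])

def ts_secure(handler, ins_a, ins_b):
    """Termination-sensitive: low outputs and divergence behaviour must both agree."""
    assert low_proj(ins_a) == low_proj(ins_b), "inputs must be low-equivalent"
    (oa, da), (ob, db) = run(handler, ins_a), run(handler, ins_b)
    return low_proj(oa) == low_proj(ob) and da == db

# Constructed handlers: a direct leak, a leak only through divergence, and a secure one.
def leaky(state, label, value):
    if label == H:
        state["secret"] = value
    return (state, [(L, state.get("secret"))]) if label == L else (state, [])
def term_leak(state, label, value):
    if label == H and value == 1:
        return None  # diverge on one secret value, run normally on the other
    return (state, [(L, "pong")]) if label == L else (state, [])
def safe(state, label, value):
    return (state, [(L, value)]) if label == L else (state, [])

# Constructed low-equivalent input streams: same L events, different H events.
INS_A, INS_B = [(H, 0), (L, "ping")], [(H, 1), (L, "ping")]
```

The `term_leak` handler is the interesting case: the termination-insensitive check accepts it even though a low observer learns the secret from whether "pong" ever arrives, which is exactly the gap the termination-sensitive definition closes.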
