Access Control and Declassification

We integrate programming constructs for managing confidentiality in an ML-like imperative and higher-order programming language, dealing with both access control and information flow control. Our language includes in particular a construct for declassifying information, and constructs for granting, restricting or testing the read access level of a program. We introduce a type and effect system to statically check access rights and information flow. We show that typable programs are secure, that is, they neither attempt illegal read accesses nor leak information illegally. This provides us with a natural restriction on declassification, namely that a program may only declassify information that it has the right to read.
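The following is an added illustration, not code from the paper: a small static checker for a tuple-encoded toy language with the constructs the abstract names (variable reads subject to a read-access level, `grant`, `restrict`, `test`, and `declassify`). Levels are modelled as sets of principals ordered by inclusion, the environment `ENV`, the sample programs and the exact semantics of `test` are assumptions made for the example; the paper's own calculus and type system are richer. What it shows is the point of the last sentence of the abstract: because every variable read is checked against the current access level, a `declassify` can only ever apply to data the program is entitled to read.

```python
"""Toy type-and-effect checker: access control plus information flow control,
with declassification restricted to readable data (added example, not the paper's code)."""

# A security level is a frozenset of principals whose secrets a value may
# depend on. The empty set is public; a larger set is more confidential.
Level = frozenset
PUBLIC = Level()

def leq(a, b):
    """a flows to b iff a is no more confidential than b (subset order)."""
    return a <= b

def join(a, b):
    """Least upper bound: a value depending on both a and b depends on a | b."""
    return a | b

class SecurityError(Exception):
    """Raised when a program would make an illegal read or an illegal flow."""

def check(expr, env, access, pc=PUBLIC):
    """Return the level of `expr`, or raise SecurityError.

    expr   -- tuple-encoded syntax tree (constructed mini-language, see tags below)
    env    -- variable name -> declared level of that variable
    access -- the read-access level the program currently holds
    pc     -- level of the control context (guards of enclosing ifs)
    """
    tag = expr[0]
    if tag == 'const':                          # ('const', value)
        return PUBLIC
    if tag == 'var':                            # ('var', name): read a variable
        name = expr[1]
        if not leq(env[name], access):          # access control: may we read it?
            raise SecurityError(f"illegal read access to {name}")
        return env[name]
    if tag == 'op':                             # ('op', e1, e2): any binary operator
        return join(check(expr[1], env, access, pc),
                    check(expr[2], env, access, pc))
    if tag == 'assign':                         # ('assign', name, e)
        name, rhs = expr[1], expr[2]
        # information flow: data and control context must both flow to the target
        if not leq(join(check(rhs, env, access, pc), pc), env[name]):
            raise SecurityError(f"illegal flow into {name}")
        return PUBLIC
    if tag == 'seq':                            # ('seq', s1, s2, ...)
        for stmt in expr[1:]:
            check(stmt, env, access, pc)
        return PUBLIC
    if tag == 'if':                             # ('if', cond, then, else)
        pc2 = join(pc, check(expr[1], env, access, pc))   # the guard raises the pc
        check(expr[2], env, access, pc2)
        check(expr[3], env, access, pc2)
        return PUBLIC
    if tag == 'grant':                          # ('grant', principals, body)
        return check(expr[2], env, join(access, expr[1]), pc)
    if tag == 'restrict':                       # ('restrict', principals, body)
        return check(expr[2], env, access - expr[1], pc)
    if tag == 'test':                           # ('test', principals, then, else)
        # assumed semantics: the then-branch runs only when the rights are held,
        # so it may be checked under the larger access level
        check(expr[2], env, join(access, expr[1]), pc)
        check(expr[3], env, access, pc)
        return PUBLIC
    if tag == 'declassify':                     # ('declassify', e, target_level)
        lvl = check(expr[1], env, access, pc)
        # the natural restriction: only data the program may read can be declassified
        # (already implied by the read check above, made explicit here)
        if not leq(lvl, access):
            raise SecurityError("declassifying data the program may not read")
        return expr[2]
    raise ValueError(f"unknown construct {tag!r}")

def verdict(prog, env, access):
    """'ok' if `prog` is typable under `access`, else the error message."""
    try:
        check(prog, env, access)
        return 'ok'
    except SecurityError as e:
        return str(e)

# constructed sample: `secret` belongs to alice, `out` is a public sink
ENV = {'secret': Level({'alice'}), 'out': PUBLIC}
ALICE = Level({'alice'})

# direct leak: rejected by the flow check
LEAK = ('assign', 'out', ('var', 'secret'))
# implicit leak through the control context
IMPLICIT = ('if', ('var', 'secret'), ('assign', 'out', ('const', 1)), ('const', 0))
# explicit, authorised declassification
RELEASE = ('assign', 'out', ('declassify', ('var', 'secret'), PUBLIC))
# the same declassification after the program has given up alice's right
DROPPED = ('restrict', ALICE, RELEASE)
# a public program temporarily granted the right, releasing the value
GRANTED = ('grant', ALICE, RELEASE)

if __name__ == '__main__':
    for name, prog, acc in [('LEAK', LEAK, ALICE), ('IMPLICIT', IMPLICIT, ALICE),
                            ('RELEASE', RELEASE, ALICE), ('DROPPED', DROPPED, ALICE),
                            ('GRANTED', GRANTED, PUBLIC)]:
        print(f"{name:9} {verdict(prog, ENV, acc)}")
```

The checker is purely static: it never evaluates the program, it only computes levels and effects. `LEAK` and `IMPLICIT` are rejected as information-flow violations, `RELEASE` is accepted because the program holds alice's read right, and `DROPPED` fails at the read inside the `restrict` scope, before `declassify` is even reached, which is exactly why the restriction on declassification comes for free.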