Extracting Conditional Confidentiality Policies

Programs should keep sensitive information, such as medical records, confidential. We present a static analysis that extracts from a program's source code a sound approximation of the most restrictive conditional confidentiality policy that the program obeys. To formalize conditional confidentiality policies, we present a modified definition of noninterference that accommodates runtime information. We implement our analysis and experiment with the resulting tool on C programs. While we focus on using our analysis for policy extraction, the process can more generally be used for information flow analysis. Unlike traditional information flow analysis that simply states what flows are possible in a program, our tool also states what conditions must be satisfied by an execution for each flow to be enabled. Furthermore, our analysis is the first to handle interactive I/O while being compositional and flow sensitive.
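
To make the difference between a plain "flows / does not flow" verdict and a conditional policy concrete, here is an added Python sketch that is not the paper's analysis or tool: it walks a toy imperative IR, tracks which secret inputs each value depends on together with the conjunction of branch predicates under which that dependence holds (explicit and implicit flows), and reports each secret-to-output flow with its enabling condition. The IR shape, the `SECRETS` set, the clinic program and all helper names are constructed for this example.

```python
from itertools import product

SECRETS = {"record", "age"}  # constructed: the program's sensitive inputs
def neg(p):
    return p[1:] if p.startswith("!") else "!" + p
def analyze(stmts, env=None, pc=frozenset(), pcdeps=frozenset()):
    """env: var -> {(secret, cond)} meaning the value depends on secret whenever the
    conjunction cond of branch predicates holds; pcdeps: what the guarding predicates depend on."""
    env = {} if env is None else {v: set(d) for v, d in env.items()}
    flows = []
    for st in stmts:
        if st[0] == "input":                      # ("input", var)
            env[st[1]] = {(st[1], pc)} if st[1] in SECRETS else set()
        elif st[0] in ("assign", "output"):       # ("assign", var, reads) / ("output", label, reads)
            deps = {d for r in st[2] for d in env.get(r, ())} | pcdeps   # explicit + implicit
            conditioned = {(s, c | pc) for s, c in deps}
            if st[0] == "assign":
                env[st[1]] = conditioned
            else:
                flows += [(s, c, st[1]) for s, c in conditioned]
        else:                                     # ("if", pred, reads, then_block, else_block)
            _, pred, reads, then_b, else_b = st
            cdeps = pcdeps | {d for r in reads for d in env.get(r, ())}
            env_t, f_t = analyze(then_b, env, pc | {pred}, cdeps)
            env_e, f_e = analyze(else_b, env, pc | {neg(pred)}, cdeps)
            env = {v: env_t.get(v, set()) | env_e.get(v, set()) for v in env_t.keys() | env_e.keys()}
            flows += f_t + f_e
    return env, flows
def simplify(conds):
    """Merge (c AND p) with (c AND NOT p) into c: complementary branches become unconditional."""
    conds, merged = set(conds), True
    while merged:
        merged = False
        for a, b in product(list(conds), repeat=2):
            if len(a - b) == 1 and len(b - a) == 1 and neg(*(a - b)) == next(iter(b - a)):
                conds -= {a, b}; conds.add(a & b); merged = True
                break
    return conds
def extract_policy(stmts):  # (secret, output) -> enabling conditions (disjunction of conjunctions)
    policy = {}
    for s, c, label in analyze(stmts)[1]:
        policy.setdefault((s, label), set()).add(c)
    return {k: simplify(v) for k, v in policy.items()}

PROGRAM = [  # constructed clinic program: only a doctor sees the record; age drives a flag
    ("input", "role"), ("input", "record"), ("input", "age"),
    ("if", "role == DOCTOR", ["role"], [("assign", "shown", ["record"])], [("assign", "shown", [])]),
    ("output", "screen", ["shown"]),
    ("if", "age > 65", ["age"], [("assign", "flag", [])], [("assign", "flag", [])]),
    ("output", "flag_out", ["flag"]),
]
```

`extract_policy(PROGRAM)` reports that `record` reaches `screen` only when `role == DOCTOR`, while `age` reaches `flag_out` unconditionally because the two complementary branches together leak it.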