Automaton-based Confidentiality Monitoring of Concurrent Programs

Noninterference is typically used as the baseline security policy for formalizing the confidentiality of secret information manipulated by a program. In contrast to static checking of noninterference, this paper considers dynamic, automaton-based monitoring of information flow for a single execution of a concurrent program. The monitoring mechanism combines dynamic and static analyses. During program execution, abstractions of program events are sent to the automaton, which uses them to track information flows and to control the execution by forbidding or editing dangerous actions. All monitored executions are proved to be noninterfering (soundness), and executions of programs that are well-typed in a security type system similar to that of Smith and Volpano [23] are proved to be unaltered by the monitor (partial transparency).
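The mechanism described above, as an added illustration that is not the paper's own automaton or proofs: a two-level (L below H) monitor whose state is the label of every shared variable plus, per thread, a stack of enclosing branch-condition labels. Threads are written as Python generators that yield abstract events (assign, branch, endbranch, output) to the automaton and receive its verdict back; a round-robin scheduler interleaves them. The event vocabulary, the static "variables assigned in either arm" annotation on branch events, the default value 0 used when an output is edited, and the scheduler are all assumptions made for this example.

```python
# Illustrative automaton-based information-flow monitor (added example;
# assumptions: the event vocabulary below, default value 0 for edited
# outputs, round-robin scheduling, and a two-point lattice L < H).
from typing import Any, Callable, Dict, Generator, List, Tuple

LOW, HIGH = "L", "H"

def lub(*labels: str) -> str:
    """Least upper bound in the lattice L < H."""
    return HIGH if HIGH in labels else LOW

class Monitor:
    """The automaton: shared variable labels plus a per-thread 'pc' stack."""

    def __init__(self, labels: Dict[str, str], default: Any = 0, forbid: bool = False):
        self.labels = dict(labels)            # variable -> label, shared by all threads
        self.pc: Dict[int, List[str]] = {}    # thread -> stack of branch labels
        self.default = default                # value an L observer sees when an output is edited
        self.forbid = forbid                  # True: abort instead of editing
        self.edits: List[Tuple[int, str]] = []  # (thread, channel) of edited outputs

    def context(self, tid: int) -> str:
        return lub(LOW, *self.pc.get(tid, []))

    def _label_of(self, tid: int, reads) -> str:
        return lub(self.context(tid), *(self.labels.get(v, LOW) for v in reads))

    def step(self, tid: int, event: tuple) -> Any:
        """Consume one abstract event; return the verdict fed back to the thread."""
        kind = event[0]
        if kind == "assign":                  # ("assign", target, read_vars)
            self.labels[event[1]] = self._label_of(tid, event[2])
            return None
        if kind == "branch":                  # ("branch", cond_vars, assigned_in_either_arm)
            lbl = self._label_of(tid, event[1])
            if lbl == HIGH:
                # Static part: the arm not taken may assign these variables too;
                # raising them now closes the implicit flow through the skipped arm.
                for v in event[2]:
                    self.labels[v] = HIGH
            self.pc.setdefault(tid, []).append(lbl)
            return None
        if kind == "endbranch":
            self.pc[tid].pop()
            return None
        if kind == "output":                  # ("output", channel, value, read_vars)
            _, channel, value, reads = event
            if channel == LOW and self._label_of(tid, reads) == HIGH:
                if self.forbid:
                    raise PermissionError(f"thread {tid}: H data sent to L channel")
                self.edits.append((tid, channel))
                return self.default           # edit the dangerous action
            return value
        raise ValueError(f"unknown event {event!r}")

Thread = Generator[tuple, Any, None]

def leaky(mem: Dict[str, int]) -> Thread:
    """x := 0; if h > 0 then x := 1; output_L(x)   (implicit flow from h)."""
    mem["x"] = 0
    yield ("assign", "x", set())
    yield ("branch", {"h"}, {"x"})            # {"x"}: assigned in some arm (static info)
    if mem["h"] > 0:
        mem["x"] = 1
        yield ("assign", "x", set())
    yield ("endbranch",)
    yield ("output", LOW, mem["x"], {"x"})

def benign(mem: Dict[str, int]) -> Thread:
    """y := l + 1; output_L(y)   (well-typed; must pass unaltered)."""
    mem["y"] = mem["l"] + 1
    yield ("assign", "y", {"l"})
    yield ("output", LOW, mem["y"], {"y"})

def run(threads: List[Callable[[Dict[str, int]], Thread]], mem: Dict[str, int],
        monitor: Monitor) -> List[Tuple[int, str, Any]]:
    """Round-robin scheduler; returns the trace an observer of channel L sees."""
    gens = [t(mem) for t in threads]
    pending: List[Any] = [None] * len(gens)
    alive = list(range(len(gens)))
    observed: List[Tuple[int, str, Any]] = []
    while alive:
        for tid in list(alive):
            try:
                event = gens[tid].send(pending[tid])
            except StopIteration:
                alive.remove(tid)
                continue
            verdict = monitor.step(tid, event)
            if event[0] == "output":
                observed.append((tid, event[1], verdict))
            pending[tid] = verdict
    return observed

def demo(h: int, forbid: bool = False) -> Tuple[List[Tuple[int, str, Any]], Monitor]:
    """Constructed run: secret h, public l = 4, threads leaky and benign."""
    mem = {"h": h, "l": 4}
    mon = Monitor({"h": HIGH, "l": LOW}, forbid=forbid)
    return run([leaky, benign], mem, mon), mon
```

Running `demo(1)` and `demo(0)` yields the same L-observable trace, which is the soundness property in miniature: the branch event marks `x` as H even when the `x := 1` arm is skipped, so the later `output_L(x)` is edited to the default in both runs. The `benign` thread's output reaches the observer unchanged and records no edit, which is what partial transparency promises for well-typed code. Passing `forbid=True` switches the automaton from editing to aborting the execution.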

[1] Jeffrey S. Fenton. Memoryless Subsystems, 1974, Comput. J.

[2] Andrei Sabelfeld. The Impact of Synchronisation on Secure Information Flow in Concurrent Programs, 2001, Ershov Memorial Conference.

[3] Charles Antony Richard Hoare. Towards a theory of parallel programming, 2002.

[4] Scott F. Smith et al. Dynamic Dependency Monitoring to Secure Information Flow, 2007, 20th IEEE Computer Security Foundations Symposium (CSF'07).

[5] Gilles Barthe et al. Partial Evaluation and Non-interference for Object Calculi, 1999, Fuji International Symposium on Functional and Logic Programming.

[6] François Pottier et al. Information flow inference for ML, 2003, TOPLAS.

[7] Anindya Banerjee et al. Stack-based access control and secure information flow, 2005, J. Funct. Program.

[8] Gurvan Le Guernic et al. Monitoring Information Flow, 2005.

[9] Guilherme Ottoni et al. RIFLE: An Architectural Framework for User-Centric Information-Flow Security, 2004, 37th International Symposium on Microarchitecture (MICRO-37'04).

[10] Ellis S. Cohen. Information transmission in computational systems, 1977, SOSP '77.

[11] Alejandro Russo et al. Closing Internal Timing Channels by Transformation, 2006, ASIAN.

[12] Stephen Brookes. A semantics for concurrent separation logic, 2007, Theor. Comput. Sci.

[13] Andrew C. Myers et al. Language-based information-flow security, 2003, IEEE J. Sel. Areas Commun.

[14] David A. Schmidt et al. Automata-Based Confidentiality Monitoring, 2006, ASIAN.

[15] J. Meseguer et al. Security Policies and Security Models, 1982, 1982 IEEE Symposium on Security and Privacy.

[16] John P. L. Woodward. Exploiting the Dual Nature of Sensitivity Labels, 1987, 1987 IEEE Symposium on Security and Privacy.

[17] Martín Abadi et al. A core calculus of dependency, 1999, POPL '99.

[18] Andrew C. Myers et al. JFlow: practical mostly-static information flow control, 1999, POPL '99.

[19] David Leon et al. Detecting and debugging insecure information flows, 2004, 15th International Symposium on Software Reliability Engineering.

[20] Clark Weissman. Security controls in the ADEPT-50 time-sharing system, 1969, AFIPS '69 (Fall).

[21] Geoffrey Smith et al. A Sound Type System for Secure Flow Analysis, 1996, J. Comput. Secur.

[22] David Sands et al. A Per Model of Secure Information Flow in Sequential Programs, 1999, ESOP.

[23] Peter W. O'Hearn. Resources, concurrency, and local reasoning, 2007.

[24] Thomas F. Knight et al. A Minimal Trusted Computing Base for Dynamically Ensuring Secure Information Flow, 2001.

[25] Gurvan Le Guernic. Automaton-based Non-interference Monitoring of Concurrent Programs, 2007.

[26] Geoffrey Smith et al. Secure information flow in a multi-threaded imperative language, 1998, POPL '98.