Dimensions and principles of declassification

Computing systems often deliberately release (or declassify) sensitive information. A principal security concern for systems permitting information release is whether this release is safe: can an attacker abuse the information release mechanism and extract more secret information than intended? While the security community has recognised the importance of the problem, the state of the art in information release unfortunately consists of a number of approaches with somewhat unconnected semantic goals. We provide a road map of the main directions of current research by classifying the basic goals according to what information is released, who releases information, where in the system information is released, and when information can be released. With a general declassification framework as a long-term goal, we identify some prudent principles of declassification. These principles shed light on existing definitions and may also serve as useful "sanity checks" for emerging models.
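The failure mode described above, as an added example that is not part of the paper: the "what" dimension of declassification says which function of the secrets may be released, and a release mechanism is abused when code that only ever calls the sanctioned `declassify` primitive still makes the public output depend on more than that function. The Python below is illustrative code written for this page; `declassify`, `escape_hatch`, `total_program`, `laundering_program`, the three-salary secret space and the exhaustive `counterexample` check are all constructed here and are not the paper's own formalism. The check is the delimited-release condition applied by brute force over a small domain: any two secret inputs that agree on the escape hatch must yield the same public output.

```python
"""Delimited release ("what" may be released), checked by exhaustive testing.

Policy (constructed for this example): the program may release only the
total of three confidential salaries h1, h2, h3.  A program satisfies the
policy when any two secret inputs with the same total produce the same
attacker-visible output.  The laundering program below routes every release
through the sanctioned primitive yet violates this, which is exactly the
"more than intended" leak the abstract warns about.
"""
from itertools import product
from typing import Callable, Dict, Iterable, Optional, Tuple

Secrets = Dict[str, int]
SECRET_NAMES = ("h1", "h2", "h3")  # constructed: three confidential salaries


def declassify(value: int) -> int:
    """Sanctioned release point.  Semantically the identity; it only marks
    where secret-derived data crosses into the attacker-visible output."""
    return value


def escape_hatch(h: Secrets) -> int:
    """The policy's escape hatch: only this expression over the secrets may
    be learned by the attacker."""
    return h["h1"] + h["h2"] + h["h3"]


def total_program(h: Secrets) -> int:
    """Intended use: compute the total and release exactly that."""
    return declassify(h["h1"] + h["h2"] + h["h3"])


def laundering_program(h: Secrets) -> int:
    """Abuse of the same primitive: zero two salaries before the release, so
    the value handed to declassify is really h1.  A checker that merely
    requires releases to go through declassify accepts this program."""
    h = dict(h)  # work on a copy; what matters is the value reaching declassify
    h["h2"] = 0
    h["h3"] = 0
    return declassify(h["h1"] + h["h2"] + h["h3"])


def counterexample(program: Callable[[Secrets], int],
                   hatch: Callable[[Secrets], int],
                   domain: Iterable[int]) -> Optional[Tuple[Secrets, Secrets]]:
    """Return two secret inputs that agree on the escape hatch but make the
    program produce different public outputs, or None if no such pair exists
    in the (finite) domain.  Agreement on the hatch means the policy allows
    no distinction between the inputs, so a differing output is a violation."""
    values = list(domain)
    inputs = [dict(zip(SECRET_NAMES, vals))
              for vals in product(values, repeat=len(SECRET_NAMES))]
    for a in inputs:
        for b in inputs:
            if hatch(a) == hatch(b) and program(a) != program(b):
                return a, b
    return None


if __name__ == "__main__":
    for name, prog in (("total_program", total_program),
                       ("laundering_program", laundering_program)):
        bad = counterexample(prog, escape_hatch, range(3))
        print(name, "respects the policy" if bad is None else f"leaks: {bad}")
```

The check is only as strong as the domain it enumerates, so it is a sanity check on a policy and a program, not a proof; the point it makes survives any domain size, though: the laundering program is rejected by comparing outputs against the declared escape hatch, not by inspecting whether `declassify` was called.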
