Language-based information-flow security

Current standard security practices do not provide substantial assurance that the end-to-end behavior of a computing system satisfies important security policies such as confidentiality. An end-to-end confidentiality policy might assert that secret input data cannot be inferred by an attacker through the attacker's observations of system output; this policy regulates information flow. Conventional security mechanisms such as access control and encryption do not directly address the enforcement of information-flow policies. A promising new approach has since been developed: the use of programming-language techniques for specifying and enforcing information-flow policies. In this paper, we survey the past three decades of research on information-flow security, particularly focusing on work that uses static program analysis to enforce information-flow policies. We give a structured view of work in the area and identify some important open challenges.
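To make the static-analysis approach the abstract refers to concrete, the following is an added illustration (not code from the paper or from any system it surveys) of a security type checker in the Volpano/Smith style over a tiny imperative language. Programs are represented as nested tuples (an assumed, constructed encoding), variables carry a label from a two-point lattice LOW < HIGH, and an assignment is accepted only if the label of the assigned expression joined with the label of the enclosing guards ("pc") flows to the label of the target variable. That single rule rejects both explicit flows (`pub := secret`) and implicit flows through control structure (`if secret then pub := 1`), which is exactly the end-to-end property access control alone cannot express.

```python
"""Static information-flow type checker for a tiny imperative language.

Constructed example in the Volpano/Smith style. Lattice: LOW < HIGH.
Rule enforced at every assignment  x := e :
    join(label(e), pc) <= label(x)
where pc is the join of the labels of all enclosing if/while guards,
so data cannot leak through which branch or how many iterations ran.
"""

LOW, HIGH = "L", "H"


def leq(a, b):
    """a flows to b in the two-point lattice."""
    return a == LOW or b == HIGH


def join(a, b):
    """Least upper bound of two labels."""
    return HIGH if HIGH in (a, b) else LOW


class IllegalFlow(Exception):
    """Raised when a program violates the flow rule."""


def label_of_expr(expr, env):
    """Label of an expression: join of the labels of the variables it reads."""
    kind = expr[0]
    if kind == "const":
        return LOW
    if kind == "var":
        return env[expr[1]]
    if kind == "binop":                      # ("binop", op, e1, e2)
        _, _op, e1, e2 = expr
        return join(label_of_expr(e1, env), label_of_expr(e2, env))
    raise ValueError(f"unknown expression kind {kind!r}")


def check_stmt(stmt, env, pc=LOW):
    """Type-check a statement under program-counter label pc; raise on a leak."""
    kind = stmt[0]
    if kind == "skip":
        return
    if kind == "assign":                     # ("assign", var, expr)
        _, var, expr = stmt
        src = join(label_of_expr(expr, env), pc)
        if not leq(src, env[var]):
            raise IllegalFlow(f"{src}-labelled data would flow into {var!r} ({env[var]})")
        return
    if kind == "seq":                        # ("seq", [stmt, ...])
        for s in stmt[1]:
            check_stmt(s, env, pc)
        return
    if kind in ("if", "while"):              # ("if", guard, then, else) / ("while", guard, body)
        new_pc = join(pc, label_of_expr(stmt[1], env))
        for body in stmt[2:]:
            check_stmt(body, env, new_pc)    # branches inherit the guard's label
        return
    raise ValueError(f"unknown statement kind {kind!r}")


def is_secure(program, env):
    """True iff the program is accepted by the type system."""
    try:
        check_stmt(program, env)
        return True
    except IllegalFlow:
        return False


# Constructed sample programs and variable labelling.
ENV = {"secret": HIGH, "tmp": HIGH, "pub": LOW}

EXPLICIT_LEAK = ("assign", "pub", ("var", "secret"))          # pub := secret
IMPLICIT_LEAK = ("if", ("binop", ">", ("var", "secret"), ("const", 0)),
                 ("assign", "pub", ("const", 1)),             # if secret > 0 then pub := 1
                 ("assign", "pub", ("const", 0)))             # else pub := 0
LOOP_LEAK = ("while", ("var", "secret"),                      # while secret do pub := pub + 1
             ("assign", "pub", ("binop", "+", ("var", "pub"), ("const", 1))))
SECURE = ("seq", [
    ("assign", "tmp", ("binop", "+", ("var", "pub"), ("var", "secret"))),  # tmp := pub + secret
    ("if", ("var", "secret"), ("assign", "tmp", ("const", 1)), ("skip",)), # writes only HIGH under HIGH pc
    ("assign", "pub", ("binop", "*", ("var", "pub"), ("const", 2))),       # pub := pub * 2
])

if __name__ == "__main__":
    for name, prog in [("explicit", EXPLICIT_LEAK), ("implicit", IMPLICIT_LEAK),
                       ("loop", LOOP_LEAK), ("secure", SECURE)]:
        print(f"{name:9s} accepted={is_secure(prog, ENV)}")
```

The checker is deliberately termination-insensitive, like most of the static systems the survey covers: a loop guarded on HIGH data that never assigns a LOW variable is accepted even though its non-termination is observable, and timing is not modelled at all. Those are the channels that separate this simple noninterference check from the stronger, and harder to enforce, end-to-end guarantees the abstract describes.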
