Flexible dynamic information flow control in the presence of exceptions

We describe a language-based, dynamic information flow control (IFC) system called LIO. Our system presents a new design point for IFC, shaped by the challenge of implementing IFC as a Haskell library rather than by modifying the language runtime system, the more typical approach. In particular, we take a coarse-grained, floating-label approach, previously used by IFC operating systems, and associate a single, mutable label - the current label - with all the data in a computation's context. This label is raised whenever sensitive information is read, and it is used to restrict the effects of the underlying computation. To preserve the flexibility of fine-grained systems, LIO also lets programmers associate an explicit label with an individual piece of data. Such labeled values can encapsulate the results of sensitive computations that would otherwise cause the current label to creep upwards. Unlike other language-based systems, LIO also bounds the current label with a current clearance, providing a form of discretionary access control that LIO programs can use to deal with covert channels. Moreover, LIO provides programmers with mutable references and exceptions. Exceptions are used in LIO to encode and recover from monitor failures while preserving data confidentiality and integrity; this addresses a longstanding concern that dynamic IFC is inherently prone to information leakage through monitor failure.
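
The abstract describes the mechanism only in prose. What follows is an added, stand-alone Python model of that discipline; it is not code from the paper and not the API of the Haskell `lio` package. The powerset label lattice, the principals `alice` and `bob`, the sample values, and the names `LIO`, `Labeled`, `taint`, `guard_write` and `to_labeled` are assumptions made for the illustration (the last three echo the paper's vocabulary of label, unlabel and toLabeled, but the signatures are this model's). It shows the current label floating up on `unlabel`, a public write failing after label creep, `to_labeled` encapsulating a sensitive computation so the outer label stays public, an exception raised inside that computation staying hidden from the lower-labeled outer context until the result is unlabeled, and the clearance rejecting a read outright while leaving the label untouched.

```python
"""Stand-alone Python model of LIO's floating-label discipline (an added example, not
the Haskell `lio` package). Labels are sets of secrecy categories ordered by subset."""
from dataclasses import dataclass
from typing import Any, Callable

PUBLIC = frozenset()                                     # bottom of the lattice
ALICE, BOB = frozenset({"alice"}), frozenset({"bob"})    # constructed principals


class IFCError(Exception):
    """Monitor failure: the operation would violate the current label or clearance."""


@dataclass(frozen=True)
class Labeled:
    label: frozenset
    _payload: Any                         # reachable only through LIO.unlabel
    _thrown: bool = False                 # payload is an exception captured by to_labeled


@dataclass
class LIO:
    clearance: frozenset                  # bound the current label may never exceed
    current: frozenset = PUBLIC           # the single floating label of the context

    def taint(self, l: frozenset) -> None:
        new = self.current | l            # join with l: the current label only ever rises
        if not new <= self.clearance:
            raise IFCError(f"reading {set(l)} exceeds clearance {set(self.clearance)}")
        self.current = new

    def guard_write(self, l: frozenset) -> None:
        if not (self.current <= l <= self.clearance):   # effects need current ⊑ l ⊑ clearance
            raise IFCError(f"effect at {set(l)} forbidden at label {set(self.current)}")

    def label(self, l: frozenset, value: Any) -> Labeled:
        self.guard_write(l)               # creating a labeled value is an effect
        return Labeled(l, value)

    def unlabel(self, lv: Labeled) -> Any:
        self.taint(lv.label)              # the reader is tainted before it sees anything
        if lv._thrown:
            raise lv._payload             # a captured failure resurfaces only here
        return lv._payload

    def to_labeled(self, l: frozenset, computation: Callable[[], Any]) -> Labeled:
        """Run computation with clearance l, restore the outer label, and return its
        result, or the exception it raised, as a value labeled l."""
        self.guard_write(l)
        saved = (self.current, self.clearance)
        self.clearance = l
        try:
            result = Labeled(l, computation())
        except Exception as exc:          # includes IFCError raised by the monitor
            result = Labeled(l, exc, _thrown=True)
        finally:
            self.current, self.clearance = saved
        return result


def demo_label_creep() -> tuple:
    """Unlabeling Alice's secret floats the label to {alice}; publishing then fails."""
    lio = LIO(clearance=ALICE | BOB)
    total = lio.unlabel(lio.label(ALICE, 42)) + 1       # 42 is constructed sample data
    try:
        lio.label(PUBLIC, total)                        # a write to a public channel
        return set(lio.current), True
    except IFCError:
        return set(lio.current), False


def demo_to_labeled(secret_value: int) -> tuple:
    """Same read inside to_labeled: the outer label stays public, a failure stays hidden."""
    lio = LIO(clearance=ALICE | BOB)
    secret = lio.label(ALICE, secret_value)

    def check() -> str:
        if lio.unlabel(secret) > 100:
            raise ValueError("over limit")
        return "ok"
    result = lio.to_labeled(ALICE, check)
    outer = set(lio.current)                            # PUBLIC whatever check() did
    lio.label(PUBLIC, "checked")                        # public write still allowed
    try:
        outcome = lio.unlabel(result)                   # taints to {alice}, may rethrow
    except ValueError as exc:
        outcome = f"raised: {exc}"
    return outer, outcome, set(lio.current)


def demo_clearance() -> tuple:
    """A context cleared only for Alice cannot read Bob's data; the label is unchanged."""
    lio = LIO(clearance=ALICE)
    bobs = Labeled(BOB, "bob's row")                    # labeled elsewhere; constructed
    try:
        lio.unlabel(bobs)
        return False, set(lio.current)
    except IFCError:
        return True, set(lio.current)
```

Two design points in the model are the paper's in spirit but this code's in detail. First, `to_labeled` lowers the clearance to the target label for the duration of the inner computation, so a read above that label fails early with an `IFCError` instead of being detected only when the result is checked at the end; that monitor failure is itself an exception and is captured like any other, which is what lets the outer context recover without learning anything. Second, exceptions never lower the current label: a handler that catches an `IFCError` after a failed `unlabel` finds the label exactly where it was before the attempt, and a handler that catches a rethrown exception after unlabeling a `to_labeled` result has already been tainted to that result's label. The model covers explicit flows only; termination and timing channels, which the abstract groups under covert channels, are outside what it checks.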
