Protecting privacy using the decentralized label model

Stronger protection is needed for the confidentiality and integrity of data, because programs containing untrusted code are the rule rather than the exception. Information flow control allows the enforcement of end-to-end security policies, but has been difficult to put into practice. This article describes the decentralized label model, a new label model for control of information flow in systems with mutual distrust and decentralized authority. The model improves on existing multilevel security models by allowing users to declassify information in a decentralized way, and by improving support for fine-grained data sharing. It supports static program analysis of information flow, so that programs can be certified to permit only acceptable information flows, while largely avoiding the overhead of run-time checking. The article introduces the language Jif, an extension to Java that provides static checking of information flow using the decentralized label model.
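As an added illustration (not code from the article or from Jif), the following small Python model captures the label algebra the abstract refers to: a label is a set of owner-to-readers policies, relabeling is allowed only toward a label at least as restrictive, combining data from two sources takes the join of their labels, and declassification is permitted only to code holding an owner's authority. All principal names and the acts-for delegation below are constructed for the example.

```python
# Added example (not from the article or Jif): a small model of the decentralized
# label model (DLM). A label maps each owner to the set of readers it permits.
# All principal names below and the ACTS_FOR delegation map are constructed.

PRINCIPALS = {"alice", "bob", "carol", "hospital"}
ACTS_FOR = {"hospital": {"alice"}}  # constructed: the hospital may act for alice

def acts_for(p, q):
    """Principal p may act for q if p is q or holds q's delegated authority."""
    return p == q or q in ACTS_FOR.get(p, set())

def allowed(label, owner):
    """Readers owner permits under label; an absent owner imposes no restriction."""
    if owner not in label:
        return set(PRINCIPALS)
    return set(label[owner]) | {owner}  # an owner can always read its own data

def effective_readers(label):
    """Principals every owner's policy permits: the intersection of all policies."""
    result = set(PRINCIPALS)
    for owner in label:
        result &= allowed(label, owner)
    return result

def restricts(l1, l2):
    """True if l2 is at least as restrictive as l1, so relabeling l1 -> l2 is safe."""
    return all(o in l2 and allowed(l2, o) <= allowed(l1, o) for o in l1)

def join(l1, l2):
    """Least label at least as restrictive as both: union owners, intersect readers."""
    return {o: (allowed(l1, o) & allowed(l2, o)) - {o} for o in set(l1) | set(l2)}

def declassify(label, authority, owner, new_readers):
    """Relax owner's policy; permitted only to code whose authority acts for owner."""
    if not acts_for(authority, owner):
        raise PermissionError(f"{authority} lacks the authority of {owner}")
    return {**label, owner: set(new_readers)}

if __name__ == "__main__":
    record = {"alice": {"hospital"}}           # alice's data, readable by the hospital
    note = {"bob": {"carol", "hospital"}}      # bob's data, readable by carol and hospital
    both = join(record, note)                  # a value computed from both inputs
    print(effective_readers(both))             # only the hospital is a common reader
    print(restricts(record, both), restricts(both, record))  # True False
    # The hospital acts for alice, so it may widen alice's policy; bob could not.
    wider = declassify(both, "hospital", "alice", {"hospital", "carol"})
    print(effective_readers(wider))            # hospital and carol
```

Relaxing a policy through `declassify` is the one step the static check cannot justify on its own, which is why it is tied to the owner's authority rather than to the label lattice.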
