Run-time Principals in Information-flow Type Systems

Information-flow type systems are a promising approach for enforcing strong end-to-end confidentiality and integrity policies. Such policies, however, are usually specified in terms of static information: data is labeled high or low security at compile time. In practice, the confidentiality of data may depend on information available only while the system is running. This paper studies language support for run-time principals, a mechanism for specifying information-flow security policies that depend on which principals interact with the system. We establish the basic property of noninterference for programs written in such a language, and use run-time principals to specify run-time authority in downgrading mechanisms such as declassification. In addition to allowing more expressive security policies, run-time principals enable the integration of language-based security mechanisms with other existing approaches such as Java stack inspection and public key infrastructures. We sketch an implementation of run-time principals via public keys in which principal delegation is verified by certificate chains.
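The abstract describes three ideas that fit together: an acts-for (delegation) hierarchy among principals that is only known once certificates are presented at run time, labels whose meaning is interpreted against that hierarchy, and declassification that is permitted only when the requesting principal holds run-time authority for the policy being weakened. The following Python model is an added illustration of how those pieces interact; it is not the paper's calculus, type system or implementation. Principal names, the sample delegations, the DLM-style owner/readers label shape, and the use of an HMAC under the issuer's secret as a stand-in for the public-key signature on a delegation certificate are all assumptions made for the example.

```python
"""Toy model of run-time principals: a delegation hierarchy assembled from
verified certificates at run time, labels read against that hierarchy, and
declassification gated on run-time authority. Added illustration only; the
paper's formal system is not reproduced here."""
from __future__ import annotations
from dataclasses import dataclass
import hashlib
import hmac

# Constructed sample keys. In the paper's sketch principals are public keys and
# certificates carry signatures; here an HMAC under the issuer's secret stands
# in for the issuer's signature so the example runs with the standard library.
SECRETS = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol", "dave": b"k-dave"}
PRINCIPALS = frozenset(SECRETS)

def _msg(issuer: str, delegate: str) -> bytes:
    return f"{delegate} acts-for {issuer}".encode()

@dataclass(frozen=True)
class Cert:
    issuer: str    # principal granting authority
    delegate: str  # principal permitted to act for the issuer
    sig: str

def issue(issuer: str, delegate: str) -> Cert:
    sig = hmac.new(SECRETS[issuer], _msg(issuer, delegate), hashlib.sha256).hexdigest()
    return Cert(issuer, delegate, sig)

def verify(cert: Cert) -> bool:
    """A delegation counts only if it validates under the issuer's own key."""
    if cert.issuer not in SECRETS:
        return False
    expected = hmac.new(SECRETS[cert.issuer], _msg(cert.issuer, cert.delegate),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert.sig)

class Hierarchy:
    """Acts-for relation known at run time: the reflexive, transitive closure
    of the certificate chains that verified."""
    def __init__(self, certs: list[Cert]):
        self.edges: dict[str, set[str]] = {}
        for c in certs:
            if verify(c):
                self.edges.setdefault(c.delegate, set()).add(c.issuer)

    def acts_for(self, p: str, q: str) -> bool:
        seen, stack = set(), [p]
        while stack:
            x = stack.pop()
            if x == q:
                return True
            if x not in seen:
                seen.add(x)
                stack.extend(self.edges.get(x, ()))
        return False

Policy = tuple[str, frozenset[str]]   # (owner, readers the owner permits)
Label = frozenset[Policy]             # data must satisfy every policy in it

def policy(owner: str, *readers: str) -> Policy:
    return (owner, frozenset(readers))

def readers(label: Label, h: Hierarchy) -> frozenset[str]:
    """Principals that every policy lets read, judged under hierarchy h: a
    reader qualifies by acting for the owner or for a listed reader."""
    allowed = set(PRINCIPALS)
    for owner, rs in label:
        allowed &= {p for p in PRINCIPALS
                    if h.acts_for(p, owner) or any(h.acts_for(p, r) for r in rs)}
    return frozenset(allowed)

def flows_to(src: Label, dst: Label, h: Hierarchy) -> bool:
    """src may flow to dst only if dst reveals nothing to anyone src withholds."""
    return readers(dst, h) <= readers(src, h)

def declassify(src: Label, dst: Label, authority: str, h: Hierarchy) -> Label:
    """Relabel src as dst. Any policy dst fails to preserve is being weakened,
    which needs an authority that acts for that policy's owner right now."""
    for owner, rs in src:
        preserved = any(o == owner and rs2 <= rs for o, rs2 in dst)
        if not preserved and not h.acts_for(authority, owner):
            raise PermissionError(f"{authority} lacks authority to weaken {owner}'s policy")
    return dst

def may_declassify(src: Label, dst: Label, authority: str, h: Hierarchy) -> bool:
    try:
        declassify(src, dst, authority, h)
        return True
    except PermissionError:
        return False

def demo() -> dict[str, bool]:
    # Constructed run-time state: bob really delegates to carol; dave presents
    # a forged certificate claiming alice delegated to him.
    certs = [issue("bob", "carol"), Cert("alice", "dave", "00" * 64)]
    h_run, h_none = Hierarchy(certs), Hierarchy([])
    secret = frozenset({policy("alice", "bob")})
    wider = frozenset({policy("alice", "bob", "carol")})
    return {
        "forged_rejected": not h_run.acts_for("dave", "alice"),
        "carol_acts_for_bob": h_run.acts_for("carol", "bob"),
        "flow_ok_with_cert": flows_to(secret, wider, h_run),   # carol already reads via bob
        "flow_ok_without_cert": flows_to(secret, wider, h_none),
        "bob_may_declassify": may_declassify(secret, wider, "bob", h_none),
        "alice_may_declassify": may_declassify(secret, wider, "alice", h_none),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The same relabeling from `secret` to `wider` is a plain, safe flow when bob's certificate for carol has been verified, and a declassification needing alice's authority when it has not: the static label text is identical, and only the run-time hierarchy decides which case applies. The forged certificate is dropped before it can influence any check, which is the property the certificate-chain verification in the abstract is meant to provide.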

Steve Zdancewic et al., IEEE Symposium on Security and Privacy, 2004.