Enforcing Relaxed Declassifications with Reference Points

Language-based information-flow security provides a way to enforce either the baseline noninterference property or more relaxed properties that specify intended information release. This paper presents a new approach to enforcing an information-release policy for a programming language with I/O channels. First, we present a relaxed security property that complies with the security policy on the what-dimension of declassification. Second, we propose an enforcement mechanism for this property based on reachability analysis of a pushdown system. The self-composition on which the enforcement is built is equipped with a store-match pattern, which reduces the cost of verification by avoiding duplication of the I/O channels; the pattern also facilitates characterization of the security property. Experimental results show the precision of our enforcement.
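The following is an added illustration, not code from the paper, of the two ideas the abstract combines: self-composition as a check for (relaxed) noninterference, and a store-match pattern that keeps a single public channel across both runs of the composed program. The paper enforces the property by reachability analysis of a pushdown system; here that model checker is replaced by exhaustive enumeration over a small finite domain, and the exact shape of the store-match pattern, the programs `leaky` and `threshold_check`, and the release policy `release_threshold` are all assumptions constructed for the example.

```python
# Added illustration (not the paper's code): self-composition with a
# "store-match" pattern, checked by exhaustive enumeration over a small
# finite input domain. The paper uses pushdown-system reachability instead;
# the enumeration stands in for that model checker, and the shape of the
# pattern below is an assumption made for this example.
from itertools import product


class Channel:
    """One public I/O channel shared by both runs of the self-composed program.

    In the first (store) run every output is appended to `trace`.  In the
    second (match) run each output is compared against the stored trace at
    the same position, so no second output channel has to be modelled.
    """

    def __init__(self, inputs, stored=None):
        self._inputs = list(inputs)
        self.stored = stored        # None during the store run
        self.trace = []
        self.mismatch = False

    def read(self):
        # Both runs consume the same public input sequence.
        return self._inputs.pop(0)

    def write(self, value):
        pos = len(self.trace)
        self.trace.append(value)
        if self.stored is not None:
            if pos >= len(self.stored) or self.stored[pos] != value:
                self.mismatch = True


# Two constructed programs over a secret `h` and one public channel.
def leaky(h, ch):
    x = ch.read()
    ch.write(h + x)              # the output reveals h exactly


def threshold_check(h, ch):
    x = ch.read()
    ch.write(1 if h > x else 0)  # reveals only whether h exceeds x


# What-dimension policy (constructed): the program may release exactly
# the value of `h > first public input`, and nothing more about h.
def release_threshold(h, inputs):
    return h > inputs[0]


def find_violation(program, release, secrets=range(4), public=range(4), n_inputs=1):
    """Return (h1, h2, inputs) witnessing a violation, or None if the property holds.

    With release=None this is plain noninterference: two runs with the same
    public inputs but different secrets must produce the same public output
    trace.  With a release function, pairs of runs that differ on the released
    value are exempt, which is the relaxed property.
    """
    for inputs in product(public, repeat=n_inputs):
        for h1, h2 in product(secrets, repeat=2):
            if release is not None and release(h1, inputs) != release(h2, inputs):
                continue          # the policy permits these runs to differ
            store = Channel(inputs)          # first run: store the outputs
            program(h1, store)
            match = Channel(inputs, stored=store.trace)  # second run: match them
            program(h2, match)
            if match.mismatch or len(match.trace) != len(store.trace):
                return (h1, h2, inputs)
    return None


if __name__ == "__main__":
    print("leaky, noninterference:      ", find_violation(leaky, None))
    print("leaky, threshold release:    ", find_violation(leaky, release_threshold))
    print("threshold, noninterference:  ", find_violation(threshold_check, None))
    print("threshold, threshold release:", find_violation(threshold_check, release_threshold))
```

`threshold_check` is rejected under baseline noninterference but accepted under the relaxed property, while `leaky` is rejected under both: that is the distinction the what-dimension policy is meant to draw. Because the second run only matches against the stored trace, the composed system carries one input sequence and one output trace rather than two of each.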
