Paragon for Practical Programming with Information-Flow Control

Conventional security policies for software applications are adequate for managing concerns on the level of access control. But standard abstraction mechanisms of mainstream programming languages are not sufficient to express how information is allowed to flow between resources once access to them has been obtained. In practice we believe that such control - information flow control - is needed to manage the end-to-end security properties of applications. In this paper we present Paragon, a Java-based language with first-class support for static checking of information flow control policies. Paragon policies are specified in a logic-based policy language. By virtue of their explicitly stateful nature, these policies appear to be more expressive and flexible than those used in previous languages with information-flow support. Our contribution is to present the design and implementation of Paragon, which smoothly integrates the policy language with Java's object-oriented setting, and reaps the benefits of the marriage with a fully fledged programming language.

[1]  David Zook,et al.  Typed Datalog , 2009, PADL.

[2]  Thom W. Frühwirth,et al.  Logic programs as types for logic programs , 1991, [1991] Proceedings Sixth Annual IEEE Symposium on Logic in Computer Science.

[3]  James Cheney,et al.  Functional programs that explain their work , 2012, ICFP.

[4]  Koen Claessen Proceedings of the 4th ACM symposium on Haskell , 2011, ICFP 2011.

[5]  Brian Campbell,et al.  Amortised Memory Analysis Using the Depth of Data Structures , 2009, ESOP.

[6]  Gregor Snelting,et al.  Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs , 2009, International Journal of Information Security.

[7]  Andrew C. Myers,et al.  Protecting privacy using the decentralized label model , 2003, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[8]  Vincent Simonet The Flow Caml system , 2003 .

[9]  Andrew C. Myers,et al.  A decentralized model for information flow control , 1997, SOSP.

[10]  Andrew C. Myers,et al.  Dynamic security labels and static information flow control , 2007, International Journal of Information Security.

[11]  David Sands,et al.  Flow Locks: Towards a Core Calculus for Dynamic Flow Policies , 2006, ESOP.

[12]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[13]  David Sands,et al.  A Datalog Semantics for Paralocks , 2012, STM.

[14]  Martin C. Rinard,et al.  Compositional pointer and escape analysis for Java programs , 1999, OOPSLA '99.

[15]  Andrew D. Gordon,et al.  Design and Semantics of a Decentralized Authorization Language , 2007, 20th IEEE Computer Security Foundations Symposium (CSF'07).

[16]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[17]  Armando Solar-Lezama,et al.  A language for automatically enforcing privacy policies , 2012, POPL '12.

[18]  Koen Claessen,et al.  A library for light-weight information-flow security in haskell , 2008, Haskell '08.

[19]  Robert E. Strom,et al.  Typestate: A programming language concept for enhancing software reliability , 1986, IEEE Transactions on Software Engineering.

[20]  Peter J. Denning,et al.  Certification of programs for secure information flow , 1977, CACM.

[21]  Adrian Hilton,et al.  Enforcing security and safety models with an information flow analysis tool , 2004 .

[22]  Jakob Rehof,et al.  Tractable Constraints in Finite Semilattices , 1999, Sci. Comput. Program..

[23]  Yehoshua Sagiv,et al.  Optimizing datalog programs , 1987, Foundations of Deductive Databases and Logic Programming..

[24]  Michael Hicks,et al.  Fable: A Language for Enforcing User-defined Security Policies , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[25]  Larry Wos,et al.  What Is Automated Reasoning? , 1987, J. Autom. Reason..

[26]  Rafael Accorsi,et al.  Security and Trust Management , 2013, Lecture Notes in Computer Science.

[27]  Daniel R. Licata,et al.  Security-typed programming within dependently typed programming , 2010, ICFP '10.

[28]  Alan Mycroft,et al.  A Polymorphic Type System for Prolog , 1984, Logic Programming Workshop.

[29]  Deian Stefan,et al.  Flexible dynamic information flow control in Haskell , 2012 .

[30]  Andrew C. Myers,et al.  Jif: java information flow , 1999 .

[31]  Letizia Tanca,et al.  What you Always Wanted to Know About Datalog (And Never Dared to Ask) , 1989, IEEE Trans. Knowl. Data Eng..

[32]  David Sands,et al.  Paralocks: role-based information flow control and beyond , 2010, POPL '10.

[33]  Trevor Jim,et al.  SD3: a trust management system with certified evaluation , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[34]  H. Stamer Security-Typed Languages for Implementation of Cryptographic Protocols : A Case Study , 2007 .

[35]  Kathi Fisler,et al.  Specifying and Reasoning About Dynamic Access-Control Policies , 2006, IJCAR.

[36]  Jonathan Aldrich,et al.  Typestate-oriented programming , 2009, OOPSLA Companion.

[37]  Peng Li,et al.  Arrows for secure information flow , 2010, Theor. Comput. Sci..

[38]  Boniface Hicks,et al.  From Languages to Systems: Understanding Practical Application Development in Security-typed Languages , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[39]  Juan Chen,et al.  Secure distributed programming with value-dependent types , 2013, J. Funct. Program..

[40]  Ninghui Li,et al.  Design of a role-based trust-management framework , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[41]  David Sands,et al.  Declassification: Dimensions and principles , 2009, J. Comput. Secur..

[42]  Dieter Gollmann,et al.  Computer Security - ESORICS 2005, 10th European Symposium on Research in Computer Security, Milan, Italy, September 12-14, 2005, Proceedings , 2005, ESORICS.