End-to-End Availability Policies and Noninterference Lantian

This paper introduces the use of static information flow analysis for the specification and enforcement of end-to-end availability policies in programs. We generalize the decentralized label model, which covers only confidentiality and integrity, to also include security policies for availability. These policies characterize acceptable risks by representing them as principals. We show that in this setting, a suitable extension of noninterference corresponds to a strong, end-to-end availability guarantee. This approach provides a natural way to specify availability policies and enables existing static dependency analysis techniques to be adapted for availability. The paper presents a simple language in which fine-grained information security policies can be specified as type annotations. These annotations can include requirements for all three major security properties: confidentiality, integrity, and availability. The type system for the language provably guarantees that any well-typed program has the desired noninterference properties, ensuring confidentiality, integrity, and availability.
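To make the three-component flow discipline concrete, here is an added toy checker (illustrative code written for this page, not the paper's language or its type system). It assumes two-point orderings for each component in place of the decentralized label model's principal-based policies, and it models the availability effect of a loop by letting the program-counter label after a `while` inherit the guard's availability; that approximation is an assumption of this example, not a claim about the paper's rules.

```python
"""Toy information-flow type checker with confidentiality, integrity and
availability label components.  Constructed for illustration: the label
lattice, the tiny imperative AST and the loop rule are all simplifications
assumed here, not the paper's definitions."""
from dataclasses import dataclass

LOW, HIGH = 0, 1  # two-point ordering for every component (assumption)


@dataclass(frozen=True)
class Label:
    conf: int    # HIGH = secret, LOW = public
    integ: int   # HIGH = trusted, LOW = untrusted
    avail: int   # HIGH = guaranteed available, LOW = may be withheld


def flows_to(src: Label, dst: Label) -> bool:
    """True if data labelled src may influence a location labelled dst.
    Confidentiality flows upward (public -> secret is fine).
    Integrity and availability flow downward: a destination can be no more
    trusted, and no more available, than every input it depends on."""
    return (src.conf <= dst.conf
            and src.integ >= dst.integ
            and src.avail >= dst.avail)


def join(a: Label, b: Label) -> Label:
    """Least upper bound in the flow order: most secret, least trusted,
    least available of the two."""
    return Label(max(a.conf, b.conf), min(a.integ, b.integ), min(a.avail, b.avail))


def expr_label(e, env):
    """Expressions: ("const",), ("var", name), ("op", e1, e2)."""
    kind = e[0]
    if kind == "const":
        return Label(LOW, HIGH, HIGH)  # literals are public, trusted, always there
    if kind == "var":
        return env[e[1]]
    if kind == "op":
        return join(expr_label(e[1], env), expr_label(e[2], env))
    raise ValueError(f"unknown expression {kind}")


def check(stmt, env, pc: Label) -> Label:
    """Type-check stmt under program-counter label pc.  Returns the pc in
    force after the statement; raises TypeError on an illegal flow."""
    kind = stmt[0]
    if kind == "skip":
        return pc
    if kind == "assign":
        _, x, e = stmt
        src = join(pc, expr_label(e, env))  # explicit plus implicit flows
        if not flows_to(src, env[x]):
            raise TypeError(f"illegal flow into {x}: {src} -> {env[x]}")
        return pc
    if kind == "if":
        _, guard, s1, s2 = stmt
        inner = join(pc, expr_label(guard, env))
        check(s1, env, inner)
        check(s2, env, inner)
        return pc
    if kind == "while":
        _, guard, body = stmt
        inner = join(pc, expr_label(guard, env))
        check(body, env, inner)
        # Assumption of this toy: whether the loop ever finishes depends on the
        # guard, so code after it is only as available as the guard's inputs.
        return Label(pc.conf, pc.integ, min(pc.avail, inner.avail))
    if kind == "seq":
        for s in stmt[1]:
            pc = check(s, env, pc)
        return pc
    raise ValueError(f"unknown statement {kind}")


def well_typed(stmt, env) -> bool:
    try:
        check(stmt, env, Label(LOW, HIGH, HIGH))
        return True
    except TypeError:
        return False


# Constructed variable environment for the demonstrations below.
ENV = {
    "secret": Label(HIGH, HIGH, HIGH),  # confidential, trusted, available
    "public": Label(LOW, HIGH, HIGH),   # public, trusted, available
    "net":    Label(LOW, LOW, LOW),     # untrusted input that may never arrive
    "result": Label(LOW, HIGH, HIGH),   # output that must stay trusted and available
}


def examples() -> dict:
    """Each entry records whether the toy checker accepts the program."""
    return {
        "explicit_leak":  well_typed(("assign", "public", ("var", "secret")), ENV),
        "implicit_leak":  well_typed(("if", ("var", "secret"),
                                      ("assign", "public", ("const",)), ("skip",)), ENV),
        "untrusted_in":   well_typed(("assign", "result", ("var", "net")), ENV),
        "loop_on_net":    well_typed(("seq", [("while", ("var", "net"), ("skip",)),
                                              ("assign", "result", ("const",))]), ENV),
        "secret_from_pub": well_typed(("assign", "secret", ("var", "public")), ENV),
        "net_from_result": well_typed(("assign", "net", ("var", "result")), ENV),
    }


if __name__ == "__main__":
    for name, ok in examples().items():
        print(f"{name:16s} {'accepted' if ok else 'rejected'}")
```

The `loop_on_net` case is the availability-specific one: nothing is copied from `net` into `result`, yet the program is rejected, because a loop guarded by a value that may never arrive can withhold `result` from whoever relies on it. The other rejections are the familiar confidentiality and integrity violations, handled by the same `flows_to` check with the ordering of each component chosen accordingly.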
