Adjoining classified and unclassified information by abstract interpretation

Completeness in abstract interpretation models the ideal situation where no loss of precision is introduced in computations by approximating concrete data by their abstractions. If we interpret the abstraction as the ability of an attacker to distinguish, i.e., observe, properties of public computations, and the computation as the concrete denotational semantics of the program, then the lack of precision, encoded in abstract interpretation as a lack of completeness, corresponds precisely to the leakage of information that violates the security policy. This correspondence allows us to inherit, in the field of language-based security, the whole theory and methodology for making abstract domains complete. In particular, we prove that an adjoint relation exists between the power of the attacker and the amount of information released: the more the attacker can observe, the less information can be kept private. This characterisation is achieved by interpreting, in the security context, the standard adjoint transformations that make an abstract domain complete by refining and simplifying abstractions.
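As an added illustration (example code, not from the paper), the following Python models the setting the abstract describes: a toy program, an attacker who observes the public output only through an abstraction `rho`, and a declassification abstraction `phi` on the private input. It computes the partition of private inputs the attacker can distinguish, which is exactly the information released, and shows the adjoint direction: a coarser attacker (parity instead of the identity) releases a coarser partition, and the released partition is itself the declassification that makes the program secure for that attacker. The program `prog`, the input ranges and all function names are assumptions.

```python
from itertools import product

# Constructed toy program (hypothetical, not from the paper): the public
# output reveals only the two low bits of the private input h.
def prog(h, l):
    return (h % 4) + l

PRIVATE = range(16)   # private (high) input values, constructed sample
PUBLIC = range(4)     # public (low) input values, constructed sample

# Attacker observation abstractions over the public output.
def identity(x):
    return x            # the most powerful attacker: sees the exact value

def parity(x):
    return x % 2        # a weaker attacker: sees only the parity

def released_partition(rho, prog=prog, H=PRIVATE, L=PUBLIC):
    """Partition of private inputs induced by a rho-observing attacker:
    h1, h2 share a block iff every public input yields rho-equal outputs.
    This partition is the information about H that the attacker learns."""
    blocks = {}
    for h in H:
        obs = tuple(rho(prog(h, l)) for l in L)
        blocks.setdefault(obs, set()).add(h)
    return frozenset(frozenset(b) for b in blocks.values())

def is_secure(rho, phi, prog=prog, H=PRIVATE, L=PUBLIC):
    """Abstract non-interference: private inputs identified by the
    declassification abstraction phi must be indistinguishable to a
    rho-observing attacker, for every public input."""
    return all(rho(prog(h1, l)) == rho(prog(h2, l))
               for h1, h2 in product(H, H) if phi(h1) == phi(h2)
               for l in L)

def phi_of(partition):
    """Declassification abstraction that reveals exactly this partition."""
    index = {h: i for i, b in enumerate(partition) for h in b}
    return lambda h: index[h]

def refines(fine, coarse):
    """fine refines coarse iff each block of fine lies in a block of coarse."""
    return all(any(b <= c for c in coarse) for b in fine)

if __name__ == "__main__":
    for name, rho in (("identity", identity), ("parity", parity)):
        print(name, sorted(sorted(b) for b in released_partition(rho)))
    # the stronger attacker's released partition refines the weaker one's
    print(refines(released_partition(identity), released_partition(parity)))
```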
