Run-time principals in information-flow type systems

Information-flow type systems are a promising approach for enforcing strong end-to-end confidentiality and integrity policies. Such policies, however, are usually specified in terms of static information: data is labeled high or low security at compile time. In practice, the confidentiality of data may depend on information available only while the system is running. This paper studies language support for run-time principals, a mechanism for specifying information-flow security policies that depend on which principals interact with the system. We establish the basic property of noninterference for programs written in such a language, and use run-time principals to specify run-time authority in downgrading mechanisms such as declassification. In addition to allowing more expressive security policies, run-time principals enable the integration of language-based security mechanisms with other existing approaches such as Java stack inspection and public key infrastructures. We sketch an implementation of run-time principals via public keys such that principal delegation is verified by certificate chains.
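The abstract sketches run-time principals as public keys, with delegation between principals established by certificate chains and consulted when code declassifies data. The following Python model is an added example and not code from the paper: it uses a textbook-RSA toy signature with tiny constructed primes (illustration only, not secure), a delegation certificate signed by the delegating principal, an acts-for check that walks only validly signed certificates, and a declassify operation that is permitted only when the run-time authority acts for the data's owner. All names here (Principal, DelegationCert, acts_for, declassify, the principals alice, bob and carol) are assumptions of this example.

```python
import hashlib
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A run-time principal is identified by its public key (n, e); name is display only."""
    name: str
    n: int
    e: int


def toy_keypair(name: str, p: int, q: int, e: int):
    """Textbook RSA with tiny primes: constructed for illustration, not a secure scheme."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # private exponent
    return Principal(name, n, e), d


def _digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(d: int, signer: Principal, msg: bytes) -> int:
    return pow(_digest(msg, signer.n), d, signer.n)


def verify(signer: Principal, msg: bytes, sig: int) -> bool:
    """Verification needs only the signer's public key, as a PKI-backed principal would."""
    return pow(sig, signer.e, signer.n) == _digest(msg, signer.n)


@dataclass(frozen=True)
class DelegationCert:
    """Statement 'subject may act for issuer', signed with the issuer's private key."""
    issuer: Principal
    subject: Principal
    sig: int

    @staticmethod
    def payload(issuer: Principal, subject: Principal) -> bytes:
        return f"{issuer.n}:{issuer.e} delegates-to {subject.n}:{subject.e}".encode()

    @classmethod
    def issue(cls, issuer: Principal, issuer_d: int, subject: Principal):
        return cls(issuer, subject, sign(issuer_d, issuer, cls.payload(issuer, subject)))

    def is_valid(self) -> bool:
        return verify(self.issuer, self.payload(self.issuer, self.subject), self.sig)


def acts_for(p: Principal, q: Principal, certs) -> bool:
    """p acts for q iff p == q or a chain of VALID certificates leads from q to p.

    Breadth-first walk from q along certificates issued by the current node;
    certificates whose signature does not verify are ignored, so a forged
    delegation never extends the hierarchy.
    """
    seen = {q}
    frontier = deque([q])
    while frontier:
        cur = frontier.popleft()
        if cur == p:
            return True
        for c in certs:
            if c.issuer == cur and c.is_valid() and c.subject not in seen:
                seen.add(c.subject)
                frontier.append(c.subject)
    return False


@dataclass(frozen=True)
class Labeled:
    """A value whose confidentiality is owned by a principal chosen at run time."""
    value: object
    owner: Principal


class AuthorityError(Exception):
    pass


def declassify(data: Labeled, authority: Principal, certs):
    """Release data only if the running code's authority acts for the data's owner."""
    if not acts_for(authority, data.owner, certs):
        raise AuthorityError(f"{authority.name} does not act for {data.owner.name}")
    return data.value


def demo() -> dict:
    """Constructed scenario: alice delegates to bob, bob to carol; carol also forges a cert."""
    alice, alice_d = toy_keypair("alice", 61, 53, 17)
    bob, bob_d = toy_keypair("bob", 101, 103, 7)
    carol, carol_d = toy_keypair("carol", 67, 71, 13)
    chain = [DelegationCert.issue(alice, alice_d, bob), DelegationCert.issue(bob, bob_d, carol)]
    # Forgery: carol signs a delegation that only alice could legitimately issue.
    forged = [DelegationCert(alice, carol, sign(carol_d, carol, DelegationCert.payload(alice, carol)))]
    secret = Labeled("salary=1000", alice)
    try:
        declassify(secret, carol, forged)
        forged_release = True
    except AuthorityError:
        forged_release = False
    return {
        "reflexive": acts_for(alice, alice, []),
        "chain": acts_for(carol, alice, chain),
        "forged": acts_for(carol, alice, forged),
        "released": declassify(secret, carol, chain),
        "forged_release": forged_release,
    }


if __name__ == "__main__":
    print(demo())
```

The acts-for relation is computed at run time from whichever certificates are presented, so the same program text serves any principals that show up while it executes; the signature check inside the walk is what ties the language-level hierarchy to the public-key infrastructure.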
