ABSTRACT
Specification of information flow policies is classically based on a security labeling and a lattice of security levels that establishes how information can flow between security levels. We present a type and effect system for determining the least permissive relaxation of a given confidentiality policy that allows a program to be typed, given a fixed security labeling. To this end, sets of illegal information flows are represented as downward closure operators (here referred to as flow kernels) on a given lattice of security levels. Illegal information flows can then be seen as program effects, and their representation as flow kernels subsumes in granularity previous lattice-oriented representations of information flow policies. Effect soundness, optimality and preservation results are presented for the proposed type and effect system, for programs written in a concurrent higher-order imperative lambda-calculus with reference creation.
Our type and effect system provides a mechanism for deriving the flow kernel that characterizes the illegal flows that occur within a program, which can be used to support runtime decisions about compliance with other policies. This point is illustrated by means of an application to a setting where local programs run under the control of a dynamic allowed flow policy.
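As an added illustration (example code, not from the paper), the following Python models a flow kernel on a small lattice of security levels: it takes the illegal flows a program performs, computes the least permissive relaxation as the pointwise greatest downward closure operator that permits them, checks the operator laws, and compares the program's kernel against an allowed-flow policy. The tag-set lattice, the sample flows, and the reading of a kernel k as "src -> dst is allowed iff k(src) <= dst" are assumptions of this example, not definitions taken from the paper.

```python
from itertools import combinations

# Security lattice used by this example (an assumption of the example): a level is the
# frozenset of sensitivity tags on data; l1 <= l2 iff l1 is a subset of l2, join is
# union, bottom is the empty set (public). Base policy: l1 -> l2 is legal iff l1 <= l2.
TAGS = ("medical", "financial")
LEVELS = [frozenset(c) for r in range(len(TAGS) + 1) for c in combinations(TAGS, r)]
PUB, M, F, MF = LEVELS  # public, medical only, financial only, both tags

def leq(l1, l2):
    return l1 <= l2

def join(ls):
    out = frozenset()
    for l in ls:
        out |= l
    return out

def program_effect(flows):
    """Effect of a program: the flows it performs that the base policy forbids."""
    return [(src, dst) for src, dst in flows if not leq(src, dst)]

def least_permissive_kernel(required_flows):
    """Pointwise-greatest downward closure operator k on LEVELS with k(src) <= dst for
    every required flow. Its fixpoints ('open' levels) are the levels o such that
    o <= src implies o <= dst for each required flow (join-closed, contains bottom);
    k(x) is the join of the open levels below x. Returned as a dict level -> level."""
    opens = [o for o in LEVELS
             if all(not leq(o, src) or leq(o, dst) for src, dst in required_flows)]
    return {x: join(o for o in opens if leq(o, x)) for x in LEVELS}

def is_flow_kernel(k):
    """Check the downward closure operator laws: reductive, monotone, idempotent."""
    reductive = all(leq(k[x], x) for x in LEVELS)
    monotone = all(leq(k[x], k[y]) for x in LEVELS for y in LEVELS if leq(x, y))
    idempotent = all(k[k[x]] == k[x] for x in LEVELS)
    return reductive and monotone and idempotent

def permits(k, src, dst):
    """Assumed reading of a kernel as a relaxed policy: src -> dst allowed iff k(src) <= dst."""
    return leq(k[src], dst)

def complies(k_program, k_allowed):
    """Runtime check: the program's kernel is acceptable under an allowed-flow policy
    (also a kernel) iff the allowed policy relaxes at least as much, pointwise."""
    return all(leq(k_allowed[x], k_program[x]) for x in LEVELS)

# Constructed sample: flows an analysis might collect from a program that copies a
# medical record into a public log and reads public input into financial storage.
SAMPLE_FLOWS = [(M, PUB), (PUB, F), (F, MF)]
```

With the sample flows, only M -> PUB is illegal, and the derived kernel lowers the medical level to public while leaving the financial and combined levels untouched, so it is rejected by an allowed policy that permits no relaxation and accepted by one that permits at least M -> PUB.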
Index Terms
- Typing illegal information flows as program effects