From Exponential to Polynomial-Time Security Typing via Principal Types

Hunt, Sebastian; Sands, David

doi:10.1007/978-3-642-19718-5_16

Cited by 13 publications

(24 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We extended the flow-sensitive type system from [HS06] to provide for each output channel individual dependency sets per point in the program and demonstrated that this is sufficient to support dynamic information flow policies. We proved the type system sound with respect to a straightforward two-run property which we showed sufficient to imply knowledge-based security conditions.…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

Very Static Enforcement of Dynamic Policies

Delft

Hunt

Sands

2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Security policies are naturally dynamic. Reflecting this, there has been a growing interest in studying information-flow properties which change during program execution, including concepts such as declassification, revocation, and role-change. A static verification of a dynamic information flow policy, from a semantic perspective, should only need to concern itself with two things: 1) the dependencies between data in a program, and 2) whether those dependencies are consistent with the intended flow policies as they change over time. In this paper we provide a formal ground for this intuition. We present a straightforward extension to the principal flow-sensitive type system introduced by Hunt and Sands (POPL '06, ESOP '11) to infer both end-to-end dependencies and dependencies at intermediate points in a program. This allows typings to be applied to verification of both static and dynamic policies. Our extension preserves the principal type system's distinguishing feature, that type inference is independent of the policy to be enforced: a single, generic dependency analysis (typing) can be used to verify many different dynamic policies of a given program, thus achieving a clean separation between (1) and (2). We also make contributions to the foundations of dynamic information flow. Arguably, the most compelling semantic definitions for dynamic security conditions in the literature are phrased in the so-called knowledge-based style. We contribute a new definition of knowledge-based termination insensitive security for dynamic policies. We show that the new definition avoids anomalies of previous definitions and enjoys a simple and useful characterisation as a two-run style property.

show abstract

Section: Discussionmentioning

confidence: 99%

“…The original work of [HS06] defines a family of type systems, parameterised by choice of a multi-level security lattice, and establishes the existence of principal typings within this family. The later work of [HS11] defines a single system which produces only principal types.…”

Section: [Ab04] [Ar80] and [Bbl94]mentioning

confidence: 99%

Very Static Enforcement of Dynamic Policies

Delft

Hunt

Sands

2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…The flow-sensitive types system was defined by a family of inference systems which is forced to satisfy a simple non-interference property. Their recent work [9] showed how flow-sensitive multi-level security typing can be achieved in polynomial time. In addition to type-based treatments of secure information flow analysis for programs, Clark et.…”

Section: Related Workmentioning

confidence: 99%

On Information Flow Control in Event-B and Refinement

2013

2013 International Symposium on Theoretical Aspects of Software Engineering

View full text Add to dashboard Cite

This paper investigates the problem of preserving information flow security in Event-B specification models and during the process of refining an abstract specification to be more concrete. A typed Event-B model is presented to enforce information flow security. We then present an approach to the problem of preserving information flow properties under abstraction refinement. The novelty of the approach is that we formalise refinement transformation in terms of the mathematical concept of Galois connection for the purpose of information-flow analysis and control. That is, the stateinvariant and state-transition predicates of the models are used to generate the Galois connection. We show how the refinement transformation ensures to preserve the security properties during the development steps from the beginning abstract-level specification to a concrete implementation.

show abstract

“…We rely on abstract interpretation to derive a static analysis similar to existing ones inferring dependences (Amtoft and Banerjee 2004;Hunt and Sands 2006;Amtoft et al 2006;Hunt and Sands 2011). Recall that our analyses are parametrised on a security lattice L and program P. We denote by l ; x an atomic dependence constraint, with l ∈ L and x ∈ VarP, read as "agreement up to security level l leads to agreement on x".…”

Section: Dependencesmentioning

confidence: 99%

Hypercollecting semantics and its application to static analysis of information flow

Assaf

Naumann

Signoles

et al. 2017

Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages

View full text Add to dashboard Cite

We show how static analysis for secure information flow can be expressed and proved correct entirely within the framework of abstract interpretation. The key idea is to define a Galois connection that directly approximates the hyperproperty of interest. To enable use of such Galois connections, we introduce a fixpoint characterisation of hypercollecting semantics, i.e. a "set of sets" transformer. This makes it possible to systematically derive static analyses for hyperproperties entirely within the calculational framework of abstract interpretation. We evaluate this technique by deriving example static analyses. For qualitative information flow, we derive a dependence analysis similar to the logic of Amtoft and Banerjee (SAS'04) and the type system of Hunt and Sands (POPL'06). For quantitative information flow, we derive a novel cardinality analysis that bounds the leakage conveyed by a program instead of simply deciding whether it exists. This encompasses problems that are hypersafety but not k-safety. We put the framework to use and introduce variations that achieve precision rivalling the most recent and precise static analyses for information flow.

show abstract

From Exponential to Polynomial-Time Security Typing via Principal Types

Cited by 13 publications

References 33 publications

Very Static Enforcement of Dynamic Policies

Very Static Enforcement of Dynamic Policies

On Information Flow Control in Event-B and Refinement

Hypercollecting semantics and its application to static analysis of information flow

Contact Info

Product

Resources

About