Information-Flow Security for Interactive Programs

O’Neill, Kevin; Clarkson, Michael R.; Chong, Stephen

doi:10.1109/csfw.2006.16

Cited by 66 publications

(116 citation statements)

References 35 publications

Supporting

Mentioning

116

Contrasting

Order By: Relevance

“…Combining this with a particular input strategy (sometimes referred to as a policy, or adversary in the context of Markov decision processes) induces a discrete-time Markov chain equivalent to the one defined by our semantics above. Our use of input strategies is similar to that of O'Neill et al [18], who define a language with non-probabilistic user strategies and adapt Volpano et al's [4] information leakage type system to support these user strategies.…”

Section: External Inputs To a Programmentioning

confidence: 99%

“…Alvim et al [17] propose the use of channels with memory and feedback to model an attacker with the ability to influence the distribution on secret values in terminating interactive programs; the attacker in our model does not have this ability, and studies the information leakage from non-terminating programs. Theoretical models of information leakage in non-terminating programs have been proposed before: O'Neill et al [18] propose one such model, but it focuses on protecting the strategies of high-level users of the system rather than the values stored in particular highsecurity variables at specific moments.…”

Section: A Related Workmentioning

confidence: 99%

“…We leave the investigation of this as future work. O'Neill et al [18] allow for user input strategies that must be kept secret from the attacker; another extension of this work would be to adapt their methods to add secret strategies to our framework.…”

Section: External Inputs To a Programmentioning

confidence: 99%

See 2 more Smart Citations

Probabilistic Point-to-Point Information Leakage

Chothia

Kawamoto

Novakovic

et al. 2013

2013 IEEE 26th Computer Security Foundations Symposium

View full text Add to dashboard Cite

Abstract-The outputs of a program that processes secret data may reveal information about the values of these secrets. This paper develops an information leakage model that can measure the leakage between arbitrary points in a probabilistic program. Our aim is to create a model of information leakage that makes it convenient to measure specific leaks, and provide a tool that may be used to investigate a program's information security. To make our leakage model precise, we base our work on a simple probabilistic, imperative language in which secret values may be specified at any point in the program; other points in the program may then be marked as potential sites of information leakage. We extend our leakage model to address both nonterminating programs (with potentially infinite numbers of secret and observable values) and user input. Finally, we show how statistical approximation techniques can be used to estimate our leakage measure in real-world Java programs.

show abstract

Section: External Inputs To a Programmentioning

confidence: 99%

Section: A Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Probabilistic Point-to-Point Information Leakage

Chothia

Kawamoto

Novakovic

et al. 2013

2013 IEEE 26th Computer Security Foundations Symposium

View full text Add to dashboard Cite

show abstract

“…Volpano et al [14] introduces an atomic construct with effects similar to our concurrency-control mechanism. O'Neill et al [7] introduces IO channels which can be used to emulate shared memory. Although the above works achieve similar results, they all check confidentiality with a flow-insensitive security type system.…”

Section: Related Workmentioning

confidence: 99%

Statically Checking Confidentiality of Shared Memory Programs with Dynamic Labels

Völp

2008

2008 Third International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

At WITS 2005, Warnier et al. published an algorithm to statically check confidentiality of programs with dynamic labels. Unlike prior approaches, their method allows for temporary breaches of confidentiality. However, they share the commonly made assumption that programs run entirely in private memory. Thus, interaction with and observation of the checked program is restricted to program start and termination respectively. This paper extends Warnier's approach in two fundamental aspects: shared memory and synchronisation. Through shared memory other programs may observe and interact with the checked program at memory-access granularity. Synchronisation renders parts of the shared memory inaccessible to those programs which adhere to the locking policy. We provide a mechanically-checked soundness proof and show the effectiveness of a countermeasure to the AES cache side-channel attack.

show abstract

“…For simplicity, we will identify security levels with channels, thus for each a ∈ L, we assume exactly one channel, also named a, which carries data at level a (c.f. [OCC06]). …”

Section: Erasure In the Presence Of Input-outputmentioning

confidence: 99%

Just Forget It – The Semantics and Enforcement of Information Erasure

Hunt

Sands

Programming Languages and Systems

View full text Add to dashboard Cite

Abstract. There are many settings in which sensitive information is made available to a system or organisation for a specific purpose, on the understanding that it will be erased once that purpose has been fulfilled. A familiar example is that of online credit card transactions: a customer typically provides credit card details to a payment system on the understanding that the following promises are kept: (i) Noninterference (NI): the card details may flow to the bank (in order that the payment can be authorised) but not to other users of the system; (ii) Erasure: the payment system will not retain any record of the card details once the transaction is complete. This example shows that we need to reason about NI and erasure in combination, and that we need to consider interactive systems: the card details are used in the interaction between the principals, and then erased; without the interaction, the card details could be dispensed with altogether and erasure would be unnecessary. The contributions of this paper are as follows. (i) We show that an end-to-end erasure property can be encoded as a "flow sensitive" noninterference property. (ii) By a judicious choice of language construct to support erasure policies, we successfully adapt this result to an interactive setting. (iii) We use this result to design a type system which guarantees that well typed programs are properly erasing. Although erasure policies have been discussed in earlier papers, this appears to be the first static analysis to enforce erasure. Information ErasureThere are many settings in which sensitive information is made available to a system or organisation for a specific purpose, on the understanding that it will be erased once that purpose has been fulfilled. Common examples involve erasure of some authentication token, such as voter identity in e-voting, or biometric data in fingerprint-activated left-luggage lockers. A more everyday example is an online credit card transaction. A customer typically provides credit card details to a payment system on the understanding that the following promises are kept:Noninterference (NI): the card details may flow to the bank (in order that the payement can be authorised) but not to other users of the system; Erasure: the payment system will not retain any record of the card details once the transaction is complete.In this case, erasure ensures that the transaction does not make the customer or bank vulnerable to breaches of security in the payment system which occur after the transaction is complete. Two aspects of erasure are illustrated by this example: 1. We need to be able to reason about NI and erasure in combination: we show that flow sensitive NI combined with erasure is equivalent to a re-classification of the erased input. 2. To give a satisfactory account of erasure, we need to consider interactive systems: the card details are used in the interaction between the customer, the payment system and the bank, and then erased; without the interaction, the card details could be dispensed with a...

show abstract

Information-Flow Security for Interactive Programs

Cited by 66 publications

References 35 publications

Probabilistic Point-to-Point Information Leakage

Probabilistic Point-to-Point Information Leakage

Statically Checking Confidentiality of Shared Memory Programs with Dynamic Labels

Just Forget It – The Semantics and Enforcement of Information Erasure

Contact Info

Product

Resources

About