It’s My Privilege: Controlling Downgrading in DC-Labels

Waye, Lucas; Buiras, Pablo; King, Dan; Chong, Stephen; Russo, Alejandro

doi:10.1007/978-3-319-24858-5_13

Cited by 9 publications

(5 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As in Zeldovich et al (2006), this addresses attacks in which malicious code duplicates sensitive data, e.g., by copying a file, only to read it later, when the system policy changes (e.g., in λChair, promoting a member to a co-chair and granting them the corresponding privileges). While, within a single run, LIO programs can use robust declassification as in , Waye et al (2015) to reason about policy changes, without clearance, reasoning about the consequence of a system policy change across multiple program runs is more difficult. We refer the interested reader to Zeldovich et al (2006) for a more detailed consideration of this use case.…”

Section: Restricting Data-access With Clearancementioning

confidence: 99%

Flexible dynamic information flow control in the presence of exceptions

et al. 2017

Self Cite

View full text Add to dashboard Cite

We describe a new, dynamic, floating-label approach to language-based information flow control. A labeled IO monad, LIO, keeps track of a current label and permits restricted access to IO functionality. The current label floats to exceed the labels of all data observed and restricts what can be modified. Unlike other language-based work, LIO also bounds the current label with a current clearance that provides a form of discretionary access control. Computations may encapsulate and pass around the results of computations with different labels. In addition, the LIO monad offers a simple form of labeled mutable references and exception handling. We give precise semantics and prove confidentiality and integrity properties of a call-by-name λ -calculus and provide an implementation in Haskell. be set in advance to impose an upper bound on the floating current label within that region. This restricts data access, limits the amount of code that could manipulate sensitive data, and reduces opportunities to exploit covert channels. Additionally, we introduce an operator, toLabeled, that allows the result of a computation that would have raised the current label to be encapsulated within the Labeled type. Finally, we present combinators for working with labeled references, and exceptions. Thanks to the flexibility of dynamic checking, LIO implements an IFC mechanism that is more permissive than previous static approaches (Pottier & Simonet, 2002;Li & Zdancewic, 2010;Russo et al., 2008) but provides similar security guarantees ). Though purely language-based, LIO explores a new design point centered on floating labels that draw on past OS work (Zeldovich et al., 2006).The main features of our system can be understood using the example of an online conference review system, called λ Chair. In this system, which we describe more fully later in the paper, authenticated users can read any paper and can normally read any review. This reflects the normal practice in conference reviewing, for example, where every member of the program committee can see submissions and their reviews, and participate in related discussion. Users can be added dynamically and assigned to review specific papers. As an illustration of the power of the labeling system, integrity labels are used to make sure that only assigned reviewers can write reviews for any given paper. Conversely, confidentiality labels are used to manage conflicts of interest. Users with a conflict of interest on a specific paper lack the privileges, represented by confidentiality labels, to read a review. As conflicts of interest are identified, confidentiality labels on the papers may change dynamically and become more restrictive.This paper extends an earlier conference version (Stefan et al., 2011b) by including formal proofs and extending the calculus and library implementation with exception handling. The main contributions of this work are:◮ We propose a new design point for IFC systems in which most values in lexical scope are protected by a single, mutable, current label, ...

show abstract

Section: Restricting Data-access With Clearancementioning

confidence: 99%

Flexible dynamic information flow control in the presence of exceptions

et al. 2017

Self Cite

View full text Add to dashboard Cite

show abstract

“…These examples use the notation of the flow-limited authorization model (FLAM) [4], which offers an expressive way to state both information flow restrictions and authorization policies. However, the problems observed in these examples are not specific to FLAM; they arise in all previous information-flow models that support downgrading (e.g., [8,15,21,25,32,42,47]). The approach in this paper can be applied straightforwardly to the decentralized label model (DLM) [25], and with more effort, to DIFC models that are less similar to FLAM.…”

Section: Motivationmentioning

confidence: 96%

Nonmalleable Information Flow Control

Cecchetti

Myers

Arden

2017

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Noninterference is a popular semantic security condition because it offers strong end-to-end guarantees, it is inherently compositional, and it can be enforced using a simple security type system. Unfortunately, it is too restrictive for real systems. Mechanisms for downgrading information are needed to capture real-world security requirements, but downgrading eliminates the strong compositional security guarantees of noninterference.We introduce nonmalleable information flow, a new formal security condition that generalizes noninterference to permit controlled downgrading of both confidentiality and integrity. While previous work on robust declassification prevents adversaries from exploiting the downgrading of confidentiality, our key insight is transparent endorsement, a mechanism for downgrading integrity while defending against adversarial exploitation. Robust declassification appeared to break the duality of confidentiality and integrity by making confidentiality depend on integrity, but transparent endorsement makes integrity depend on confidentiality, restoring this duality. We show how to extend a security-typed programming language with transparent endorsement and prove that this static type system enforces nonmalleable information flow, a new security property that subsumes robust declassification and transparent endorsement. Finally, we describe an implementation of this type system in the context of Flame, a flow-limited authorization plugin for the Glasgow Haskell Compiler. * Work done while at Harvard University arXiv:1708.08596v2 [cs.CR] 31 Aug 2017Proof. This follows by induction on the typing derivation for values.Lemma 2 (Substitution). If Γ, x : τ 1 ; pc $ e : τ and Γ; pc $ v : τ 1 , then Γ; pc $ erx Þ Ñ vs : τ .Proof. By induction on the derivation of Γ, x : τ 1 ; pc $ e : τ using Lemma 1.Lemma 3 (pc reduction). If Γ; pc $ e : τ and pc 1 Ď pc, then Γ; pc 1 $ e : τ .Proof. By induction on the derivation of Γ; pc $ e : τ .Theorem 8 (Subject reduction). If Γ; pc $ e : τ and xe, ty ÝÑ Ñ xe 1 , t 1 y then Γ; pc $ e 1 : τ .Proof. This proof follows by an inductive case analysis on the operational semantics in Figures 18 and 22. There are a few interesting cases.Case B-EXPAND: This case handles a context (B), we will do a sub-case analysis on each such expression type.

show abstract

“…One candidate approach is the work by Dimoulas et al [17] that uses access control and integrity policies to restrict capability use. Another is the mechanism of bounded privileges for LIO proposed by Waye et al [33].…”

Section: Timing Sensitivitymentioning

confidence: 99%

Reconciling progress-insensitive noninterference and declassification

Bay¹,

Askarov²

2020

Preprint

View full text Add to dashboard Cite

Practitioners of secure information flow often face a design challenge: what is the right semantic treatment of leaks via termination? On the one hand, the potential harm of untrusted code calls for strong progress-sensitive security. On the other hand, when the code is trusted to not aggressively exploit termination channels, practical concerns, such as permissiveness of the enforcement, make a case for settling for weaker, progressinsensitive security. This binary situation, however, provides no suitable middle point for systems that mix trusted and untrusted code. This paper connects the two extremes by reframing progressinsensitivity as a particular form of declassification. Our novel semantic condition reconciles progress-insensitive security as a declassification bound on the so-called progress knowledge in an otherwise progress or timing sensitive setting. We show how the new condition can be soundly enforced using a mostly standard information-flow monitor. We believe that the connection established in this work will enable other applications of ideas from the literature on declassification to progress-insensitivity.

show abstract

It’s My Privilege: Controlling Downgrading in DC-Labels

Cited by 9 publications

References 25 publications

Flexible dynamic information flow control in the presence of exceptions

Flexible dynamic information flow control in the presence of exceptions

Nonmalleable Information Flow Control

Reconciling progress-insensitive noninterference and declassification

Contact Info

Product

Resources

About