Tractable Enforcement of Declassification Policies

Barthe, Gilles; Cavadini, Salvador V.; Rezk, Tamara

doi:10.1109/csf.2008.11

Cited by 17 publications

(15 citation statements)

References 33 publications

(39 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our work, and in particular the notions of program equivalence we use, lay the foundations for designing flexible type systems for the full JVM. In the future, it would be interesting to extend the type system to exceptions (which are treated in [11]), declassification (in the style of [2]), and locks.…”

Section: Resultsmentioning

confidence: 99%

Static Enforcement of Information Flow Policies for a Concurrent JVM-like Language

Barthe

Rivas

2012

Trustworthy Global Computing

Self Cite

View full text Add to dashboard Cite

Abstract. An essential security goal of mobile code platforms is to protect confidential data against untrusted third-party applications; yet, prevailing mechanisms for ensuring confidentiality of mobile code are limited to sequential programs, whereas existing applications are generally concurrent. To bridge this gap, we develop a sound information-flow type system for a JVM-like, low-level concurrent object-oriented language. The type system builds upon existing solutions for object-oriented languages and concurrency, solving a number of intricate issues in their combination. Moreover, we connect the type system for bytecode programs to a type system for Java programs, extending the results of type-preserving compilation developed in earlier works.

show abstract

Section: Resultsmentioning

confidence: 99%

Static Enforcement of Information Flow Policies for a Concurrent JVM-like Language

Barthe

Rivas

2012

Trustworthy Global Computing

Self Cite

View full text Add to dashboard Cite

show abstract

“…In the semantics of e.g. [BCR08] this would be deemed insecure because of the insecure subprogram ℓ := h -even though in all runs this subprogram will behave equivalently to the obviously secure program ℓ := ℓ. Similar examples can be constructed for all of the approaches cited above.…”

Section: The Flow Sensitivity Problemmentioning

confidence: 89%

“…As a simple example let us take a more recent declassification mechanism, delimited non-disclosure [BCR08]. In its simplest form we have variables of either High or Low security levels, and a local block-structured declassification command declassify h in c which allows a local weakening of the policy so that h is treated as low for the computation of command c. This is a variable-centric variant of Almeida Matos and Boudol's nondisclosure construct [AB05].…”

Section: Delimited Non-disclosurementioning

confidence: 98%

Flow-sensitive semantics for dynamic information flow policies

Broberg

Sands

2009

Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security

View full text Add to dashboard Cite

Dynamic information flow policies, such as declassification, are essential for practically useful information flow control systems. However, most systems proposed to date that handle dynamic information flow policies suffer from a common drawback. They build on semantic models of security which are inherently flow insensitive, which means that many simple intuitively secure programs will be considered insecure.In this paper we address this problem in the context of a particular system, flow locks. We provide a new flow sensitive semantics for flow locks based on a knowledge-style definition (following Askarov and Sabelfeld), in which the knowledge gained by an actor observing a program run is constrained according to the flow locks which are open at the time each observation is made. We demonstrate the applicability of the definition in a soundness proof for a simple flow lock type system. We also show how other systems can be encoded using flow locks, as an easy means to provide these systems with flow sensitive semantics.

show abstract

“…Type systems that are designed to prevent information laundering [44,2,7,33] reject the program above, because of the update to variable h on Line 3, and thus these type systems appear unsuitable for straightforward adaptation to progress sensitivity.…”

Section: Discussion and Related Workmentioning

confidence: 99%

Precise enforcement of progress-sensitive security

Moore

Askarov

Chong

2012

Proceedings of the 2012 ACM Conference on Computer and Communications Security

View full text Add to dashboard Cite

Program progress (or termination) is a covert channel that may leak sensitive information. To control information leakage on this channel, semantic definitions of security should be progress sensitive and enforcement mechanisms should restrict the channel's capacity. However, most state-of-the-art language-based informationflow mechanisms are progress insensitive-allowing arbitrary information leakage through this channel-and current progress-sensitive enforcement techniques are overly restrictive.We propose a type system and instrumented semantics that together enforce progress-sensitive security more precisely than existing approaches. Our system is permissive in that it is able to accept programs in which the termination behavior depends only on low-security (e.g., public or trusted) information. Our system is parameterized on a termination oracle, and controls the progress channel precisely, modulo the ability of the oracle to determine the termination behavior of a program based on low-security information. We have instantiated the oracle for a simple imperative language with a logical abstract interpretation that uses an SMT solver to synthesize linear rank functions.In addition, we extend the system to permit controlled leakage through the progress channel, with the leakage bound by an explicit budget. We empirically analyze progress channels in existing Jif code. Our evaluation suggests that security-critical programs appear to satisfy progress-sensitive security.

show abstract

Tractable Enforcement of Declassification Policies

Cited by 17 publications

References 33 publications

Static Enforcement of Information Flow Policies for a Concurrent JVM-like Language

Static Enforcement of Information Flow Policies for a Concurrent JVM-like Language

Flow-sensitive semantics for dynamic information flow policies

Precise enforcement of progress-sensitive security

Contact Info

Product

Resources

About