A. C. Myers and B. Liskov. Complete, safe information flow with decentralized labels. In Proceedings of the 1998.
....developed and implemented an inference algorithm and work is currently underway to incorporate level polymorphism and modular specification of libraries. Modularity issues are addressed in the Jif system [16] which also incorporates the selective declassification mechanism of Myers and Liskov [15]. This uses dynamically changing permissions; our approach may offer a way to formalize the security goals achieved by their mechanisms. Acknowledgement: We are grateful for helpful feedback from anonymous referees and from audiences at Microsoft Research and the Cornell IAI. Thanks especially to ....
A. Myers and B. Liskov. Complete, safe information flow with decentralized labels. In IEEE Symposium on Security and Privacy, pages 186--197, 1998.
....noninterference result. This is hardly surprising, as the rules are quite complicated. Some of the complications are inherent in the complexity of the language; others are introduced with the aim of accommodating dynamic access control and sophisticated security policies including declassification [12, 21, 20, 35]. In the present paper, we confine attention to the problem of proving noninterference for a realistic sequential language (not far from JavaCard [7]) using conventional annotations without declassification or dynamic access control. Our results are given in elementary terms. We eschew the ....
....for such constructs would probably go hand in hand with specification of pointer confinement and data abstraction properties. As a step towards more general pointer confinement and abstraction, we are already studying polymorphic classes as in GJ [6] Label polymorphism is also desirable [21, 20], e.g. for library classes. Label polymorphism might lessen the practical need for H subclasses of L classes, which in turn would allow simplification of the security typing rules. An important implementation issue is which security annotations can be left implicit, to be inferred by a type ....
A. C. Myers and B. Liskov. Complete, safe information flow with decentralized labels. In Proceedings, IEEE Symposium on Security and Privacy, pages 186--197, 1998.
....issue of key distribution is an important topic upon which we hope to have the opportunity to report in subsequent work. Other work on security in programming languages has focused on ensuring safety properties of untrusted code [34, 33, 31] and preventing unwanted security flows in programs [21, 32, 39, 35]. The applications of these currently appear to be to ensure safety properties of applets and DLLs. Our security concerns have largely been with access control, so it is not clear how relevant the work on information flow is to this. Pottier and Conchon [35] have developed an interesting approach ....
A. C. Myers and B. Liskov. Complete, safe information flow with decentralized labels. In IEEE Symposium on Security and Privacy, 1998.
.... of policies has been presented by Schneider [29] Other recent work has studied type systems that ensure security properties, e.g. the type systems of Volpano, Irvine and Smith [38, 39] the SLam calculus of Heintze and Riecke [15] the systems allowing declassification of Myers and Liskov [26, 25], the type systems of Riely and Hennessy [17, 16, 28] and work on proof carrying code [27] If the producers of components that one uses all adopt such systems then they may become very effective. Until then, however, and until type systems can provide the flexible policies required, partially ....
A. C. Myers and B. Liskov. Complete, safe information flow with decentralized labels. In Proceedings of the 1998 IEEE Symposium on Security and Privacy, Oakland, California, pages 186--197, 1998.
.... give a general overview, then we discuss several current research projects that fall within this framework: proof carrying code (PCC) [21 26] typed assembly language (TAL) [7, 13, 14, 16] security automata (SASI) [6, 28, 29] efficient code certification (ECC) [11] and information flow (JFlow) [17 19]. 2 Some Issues in Security 2.1 Safety Policies Suppose we wish to download and run a program from an unknown or untrusted source. Before running our downloaded program, it would be nice to have some assurance that the code is safe to run. Of course, safe is subject to interpretation and may ....
....in ECC is very efficient. It is linear time except for a sorting step to sort jump destinations, but since almost all jumps are forward and local, a simple insertion sort suffices. 4.5 Information Flow Language based methods can be used to control information flow among mutually distrustful agents [17 19]. This is similar to other forms of safety described in the previous section, except that the security policies are based on a model of information flow. The policy is specified by the user by means of annotations in the high level language that limit how information can flow in a program and ....
Andrew C. Myers and Barbara Liskov. Complete, safe information flow with decentralized labels. In Proc. Symp. Security and Privacy, pages 186--197. IEEE, May 1998.
....many security policies as there are protection domains (e.g. applets) each of which may decide on its own labeling scheme. Furthermore, there is mutual distrust among the different components. The JFlow language is an attempt at addressing this issue with its decentralized information flow model [28, 29]. In JFlow, principals are centralized and modifications (e.g. revocation) are difficult to implement elegantly. JFlow restricts Java to its sequential subset to avoid facing the problems described above. Finally, JFlow's security annotations restrict reusability of classes. To summarize, ....
A. C. Myers and B. Liskov. Complete, safe information flow with decentralized labels. In Proceedings of the 1998 IEEE Symposium on Security and Privacy, Oakland, California, pages 186--197, 1998.
....depend on static analysis of the components. Other recent work has studied type systems that ensure security properties, e.g. the type systems of Volpano, Irvine and Smith [VIS96, VS98] the SLam calculus of Heintze and Riecke [HR98a] the systems allowing declassification of Myers and Liskov [ML98, Mye99] the type systems of Riely and Hennessy [HR98c, HR98b, RH98] and work on proof carrying code [NL98] If the producers of components that one uses all adopt such systems then they may become very effective. Until then, however, and until type systems can provide the flexible policies ....
Andrew C. Myers and Barbara Liskov. Complete, safe information flow with decentralized labels. In Proceedings of the 1998 IEEE Symposium on Security and Privacy, Oakland, California, pages 186--197, 1998.
....the question of whether an information channel is created. Many systems have incorporated a more limited form of declassification. Ferrari et al. [6] augment information flow controls in an object oriented system with a form of dynamically checked declassification called waivers. Myers and Liskov [15] define a form of selective declassification that can be checked at compile time, based on the authority of the declassifying process. However, these efforts provide only limited characterization of the safety of the declassification process. Intransitive noninterference policies [19, 17, 18] ....
A. C. Myers and B. Liskov. Complete, safe information flow with decentralized labels. In Proc. IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 1998.
....So far, the solutions have either been too restrictive or too permissive, and it has been difficult to find a satisfying balance. Recently, Myers developed a technique based on information flow control that allows programmers to decide explicitly when and how to disseminate information [ML97, ML98, Mye99a, Mye99b, ML01] Combined with static checking, this technique can ensure a program will not leak information without permission. Returning to our example, consider a tax program that can be checked statically not to leak information provided to it by the user. Bob can download the ....
....can grant authority to declassify the policy, so replacing o with the more restrictive authority o # is safe. Each of these relabelings preserves the safety of each policy in a label. Myers defines a complete relabeling rule that specifies precisely when relabeling one label to another is safe [ML98] We denote the relation L 1 relabels to L 2 by L 1 # L 2 . By requiring that a program make only safe relabelings, we can ensure that the program does not compromise the privacy requirements of any principal that owns the data. 2.1.5 Implicit Flows Myers' label checking rules make it ....
Andrew C. Myers and Barbara Liskov. Complete, safe information flow with decentralized labels. In Proc. IEEE Symp. on Security and Privacy, Oakland, CA, USA, May 1998.
....by the executable program is labeled, as are inputs to and outputs from the system. The remainder of the paper describes the model and briefly describes the Jif language with an example. More details on the model, the Jif language, and the static checking of Jif code is available elsewhere [Myers and Liskov 1998; Myers 1999a; Myers 1999b] The organization of the paper is as follows. Section 2 briefly describes some systems that can benefit from decentralized information flow control, and which are not well supported by existing models. Section 3 introduces the fundamentals of the new information flow ....
....in terms of principals representing groups and roles. The rule for relabeling data also has been shown to be both sound and complete with respect to a simple formal semantics for labels: the rule only allows relabelings that are safe in this semantics, and it allows all safe relabelings [Myers and Liskov 1998]. The essentials of the decentralized label model are principals, which are the entities whose privacy is protected by the model; and labels, which are the way that principals express their privacy concerns. In addition, there are rules that must be followed as computation proceeds in order to ....
MYERS, A. C. AND LISKOV, B. 1998. Complete, safe information flow with decentralized labels. In Proc. IEEE Symposium on Security and Privacy (Oakland, CA, USA, May 1998).
....not providing a realistic programming model. This paper describes the new language JFlow, an extension to the Java language [GJS96] that permits static checking of flow annotations. JFlow seems to be the first practical programming language that allows this checking. Like other recent approaches [VSI96, ML97, SV98, HR98, ML98], JFlow treats static checking of flow annotations as an extended form of type checking. Programs written in JFlow can be statically checked by the JFlow compiler, which prevents information leaks through storage channels [Lam73] JFlow is intended to support the writing of secure servers and ....
....objects (which subsume function values) subclassing, dynamic type tests, and exceptions. JFlow also provides powerful new features that make information flow checking less restrictive and more convenient than in previous programming languages: • It supports the decentralized label model [ML97, ML98], which allows multiple principals to protect their privacy even in the presence of mutual distrust. It also supports safe, statically checked declassification, or downgrading, allowing a principal to relax its own privacy policies without weakening policies of other principals. • It provides a ....
Andrew C. Myers and Barbara Liskov. Complete, safe information flow with decentralized labels. In Proc. IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 1998.
....Chapter 5. Other security techniques and related work on privacy protection are discussed in Chapter 6. Chapter 7 concludes and offers some thoughts on extensions to this work. Chapter 2 The Label Model This chapter describes the decentralized label model. It has been presented earlier [ML97, ML98] but is developed further in this thesis. The key new feature of the decentralized label model is that it supports computation in an environment with mutual distrust. The ability to handle mutual distrust is achieved by attaching a notion of ownership to information flow policies. These policies ....
Andrew C. Myers and Barbara Liskov. Complete, safe information flow with decentralized labels. In Proc. IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 1998.