Denning, D. and Denning, P., Certification of programs for secure information flow. Communication of ACM, ACM, 20:504-513, 1997.
....a subject may only read objects with classification level no higher than its clearance, but may only write to objects with classification level no lower than its clearance. Information is always unidirectionally flowing from low classification source to high classification destination. Denning [18, 16, 17] first applied this idea to the control of information flow in high level programming languages through static analysis. Subsequent developments have been constantly reported [50] among which the work of Volpano and Smith [68, 64, 63, 55, 65, 56, 66, 67, 62, 53, 54] has recently attracted ....
Dorothy E. Denning and Peter J. Denning. Certification of programs for secure information flow. Communications of the ACM, 20(7):504-513, July 1977.
....[20] Suppose data, manipulated by a program, is partitioned into high (private) and low (public). According to noninterference, the program is secure iff high inputs do not interfere with low observable behavior of the system (low outputs, timing, etc.). Originating from early work of Denning [15, 17] and Cohen [13, 14] a large body of work has followed the noninterference based approach to confidentiality for various programming languages including [2, 22, 47, 49, 29, 6, 44, 45, 43, 12, 32, 46]. We follow this line of work in our definition of security for a language enriched with ....
D. E. Denning and P. J. Denning. Certification of programs for secure information flow. Communications of the ACM, 20(7):504-513, July 1977.
....ensure the safety of information flow in a given program, i.e. a high level (secure) data never flows down to low level (public) channels. Information flow analysis needs precise understanding of observable behaviour of program phrases and their interplay, because of the existence of covert channels [14]. In the calculus representation, computational dynamics is decomposed into interaction, where the notion of observables is made explicit. This makes the calculus a potentially effective tool for analysing subtle information flow among program phrases. Further, in many type based information flow ....
Denning, D. and Denning, P., Certification of programs for secure information flow. Communication of ACM, ACM, 20:504-513, 1997.
....features (like real time clocks) that are problematic. This situation is relevant to the case of mobile code, which runs under the control of a host machine that can limit what the code can observe. When only internal observations are possible, we can formulate the confinement problem as follows [1,2]: if each program variable is classified as L (low, public) or H (high, private) then we wish to ensure that information cannot flow from H variables to L variables. For example, Figure 1 suggests the behavior of a tax return applet which could be downloaded from a site called TrustMe. The applet ....
Dorothy Denning and Peter Denning, Certification of programs for secure information flow, Communications of the ACM 20 (1977), pp. 504-513.
....type schemes that convey how code can be used without violating privacy [36]. Notice that type checking here is not merely an optimization in that it replaces run time checks, as in traditional type checking. Denning's early work on program certification and the lattice model over 20 years ago [4 6] showed that one cannot rely only on run time mechanisms to enforce secure information flow, a direction that had been pursued by Fenton [9]. Static analysis is needed to reveal implicit channels like the one in Figure 3. There is still some question about how the type system should be deployed in ....
Dorothy Denning and Peter Denning. Certification of programs for secure information flow. Communications of the ACM, 20(7):504-513, 1977.
....( x) P 2 jQ) u: 3 . The example in the proof above suggests that, for regaining compositionality in s , we need to restrict the set of processes to those which do not transfer information at some high level to lower levels. In other words, we require information flow in processes to be secure [8]. Below we say l A is receiving at s if l A is a linear branching and moreover sec(A(sbj(l) s. Definition 8. behavioural secrecy) A set of typed processes S is a secrecy witness if the following holds: whenever P A 2 S and P A l Q B , we have (1) Q B 2 S and (2) if l A is ....
Denning, D. and Denning, P., Certification of programs for secure information flow. Communication of ACM, ACM, 20:504-513, 1997.
....Security Model (e.g. policy files) in a security property language would demonstrate that the language is capable of representing protection mechanisms. Confidentiality A confidentiality property is a conservative approximation of an information flow policy (as a security property) such properties [DD77, ML97] partition the agent's memory into distinct security classes. Shared variables and communication channels are classified by the highest security class to which their contents may belong. The enforcement mechanism prevents information in higher security classes from flowing to lower ....
....(JFlow) to the Java programming language. Information flow constraints are statically verified, so JFlow requires little run time overhead, and can enforce security policies that cannot be enforced by run time checks. Volpano, Smith, and Irvine [VSI96] formalized the lattice model of Denning [Den76, DD77] as a type system for an imperative language; Smith and Volpano [SV98] generalized this type system to concurrent systems. The SLam calculus [HR98] is an extension of the lambda calculus that tracks security information as well as type information; the security information allows information flow ....
Dorothy E. Denning and Peter J. Denning. Certification of programs for secure information flow. Communications of the ACM, 20(7):504-513, July 1977.
....here, although it is rarely considered by protocols developers. The problem of secure information flow within systems having different sensitivity levels has been recognized widely and studied extensively. The early work was by Bell and LaPadula [2] and it was extended by Denning's lattice model [5, 6]. Denning used a program certification, an efficient form of static analysis that could be incorporated into a compiler to verify secure information flow in programs. Liskov et al. [9] proposed a method of using labeled types to control information flows. The labeled type consisted of a regular type ....
....is a security violation. 5 Conclusion and Future Work From the analysis in the previous section, we show that the secure type system is powerful, although there are some unsolved problems. It has been shown that the secure flow problem for a typical programming language is undecidable [6]. Therefore any sound and recursive logic for proving that programs have no secure flow violations is incomplete. This partly explains the previous problems mentioned in Section 4 such as randomness and proper classifications of information. Further research is needed to address this issue. There ....
D. E. Denning and P. Denning. Certification of programs for secure information flow. Communications of the ACM, 20(7):504-513, 1977.
....We prove that low level behavior can not be influenced by changes to high level behavior. This is formalized as a Non Interference Theorem with respect to may testing. 1 Introduction The problem of protecting information and resources in systems with multiple sensitivity or security levels, [6], has been studied extensively. Flow analysis techniques have been used in [2, 3], axiomatic logic in [12], while in [27, 14] type systems have been developed for a number of prototypical programming languages. In this paper, we explore the extent to which type systems for ensuring various forms of ....
....implicit information flow. To obtain such results for the calculus we need, as the above example shows, a stricter security policy, which we refer to as the I security policy. This allows a high level principal to read from low level resources but not to write to them. Using the terminology of [6]: write up: a process at level may only write to channels at level or above read down: a process at level may only read from channels at level or below. In fact the type inference system remains the same and we only need constrain the notion of type. In this restricted type system ....
[Article contains additional citation context not shown here]
D. Denning. Certification of programs for secure information flow. Communications of the ACM, 20:504-513, 1977.
....not leak sensitive data to the third party, either maliciously or inadvertently. This is one of the key aspects of the security concerns, which is often called secrecy. Since it is difficult to dynamically check secrecy at run time, it may as well be verified statically, i.e. from a program text alone [12]. The information flow analysis [12, 17, 37] addresses this concern by clarifying conditions when flow of information in a program is safe (i.e. high level information never flows into low level channels). Recent studies [2, 42, 50, 51, 53] have shown how we can integrate the techniques of type ....
....party, either maliciously or inadvertently. This is one of the key aspects of the security concerns, which is often called secrecy. Since it is difficult to dynamically check secrecy at run time, it may as well be verified statically, i.e. from a program text alone [12]. The information flow analysis [12, 17, 37] addresses this concern by clarifying conditions when flow of information in a program is safe (i.e. high level information never flows into low level channels). Recent studies [2, 42, 50, 51, 53] have shown how we can integrate the techniques of type inference in programming languages with the ....
Denning, D. and Denning, P., Certification of programs for secure information flow. Communication of ACM, ACM, 20:504-513, 1997.
....not leak sensitive data to the third party, either maliciously or inadvertently. This is one of the key aspects of the security concerns, which is often called secrecy. Since it is difficult to dynamically check secrecy at run time, it may as well be verified statically, i.e. from a program text alone [11]. The information flow analysis [11, 15, 31] addresses this concern by clarifying conditions when flow of information in a program is safe (i.e. high level information never flows into low level channels). Recent studies [2, 18, 35, 45, 43] have shown how we can integrate the techniques of type ....
....party, either maliciously or inadvertently. This is one of the key aspects of the security concerns, which is often called secrecy. Since it is difficult to dynamically check secrecy at run time, it may as well be verified statically, i.e. from a program text alone [11]. The information flow analysis [11, 15, 31] addresses this concern by clarifying conditions when flow of information in a program is safe (i.e. high level information never flows into low level channels). Recent studies [2, 18, 35, 45, 43] have shown how we can integrate the techniques of type inference in programming languages with the ....
Denning, D. and Denning, P., Certification of programs for secure information flow. Communication of ACM, ACM, 20:504-513, 1997.
....an applet to read local files or open network connections, but not both) are definitely beyond the scope of our framework, however. 8 Related work 8.1 Type systems for security The work most closely related to ours is the recent formulations of Denning's information flow approach to security [13, 14] as non standard type systems by Palsberg and Ørbæk [31], Volpano and Smith [41, 40] and Heintze and Riecke [20]. Abadi et al. [2] reformulate some of those type systems in terms of a more basic calculus of dependency. The main points of comparison with our work are listed below. Information ....
D. E. Denning and P. J. Denning. Certification of programs for secure information flow. Commun. ACM, 20(7):504-513, 1977.
No context found.
Denning, D. and Denning, P., Certification of programs for secure information flow. Communication of ACM, ACM, 20:504-513, 1997.
No context found.
D. Denning. Certification of programs for secure information flow. Communications of the ACM, 20:504-513, 1977.
No context found.
Dorothy E. Denning and Peter J. Denning. Certification of programs for secure information flow. Communications of the ACM, 20(7):504-513, July 1977.
No context found.
D. E. Denning and P. J. Denning. Certification of programs for secure information flow. Communications of the ACM, 20(7):504-513, July 1977.