G. Smith and D.M. Volpano. Secure information flow in a multi-threaded imperative language. In Proceedings of POPL, 1998.
....of the semantics of the SPI calculus. In [9] our present development is extended to show that CFA also helps in checking that a protocol has no indirect flows that violate confidentiality. A more widely used alternative approach for calculi of computation and security is based on Type Systems [1,27,28,18,25,26,13,12]. Here security requirements are seen as static information about the objects of a system [1,27,13,12]. Our approach builds on the more classical approaches to static analysis and thus links up with the pioneering approach taken in the very early studies by Denning [14,15]; it also features a ....
D. Volpano and G. Smith, Secure information flow in a multi-threaded imperative language, in: Proc. POPL'98 (ACM Press, 1998) 355-364.
....classification source to high classification destination. Denning [18, 16, 17] first applied this idea to the control of information flow in high level programming languages through static analysis. Subsequent developments have been constantly reported [50], among which the work of Volpano and Smith [68, 64, 63, 55, 65, 56, 66, 67, 62, 53, 54] has recently attracted considerable attention from the mobile code community. They defined an augmenting type system on a prototypical high level imperative programming language, so that programmers may decorate a variable by a discrete sensitivity level. They have proven a form of ....
Geoffrey Smith and Dennis Volpano. Secure information flow in a multithreaded imperative language. In Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'98), pages 355-364, San Diego, California, January 1998. Also available at http://www.cs.nps.navy.mil/research/languages/papers/atsc/popl98.ps.Z.
.... properties of a system in a more realistic way: in real systems high level input interferes with low level output all the time [16]. Our approach is therefore not to aim for a methodology to develop secure systems, e.g. a type system which guarantees the confidentiality of information [20, 22, 21]; rather our approach is to develop a framework for understanding and analysing systems as they are and not as they should be. Chris Hankin is partly funded by the EU FET open project SecSafe. The security of a system may be measured by its robustness to certain kinds of attack. We ....
G. Smith and D. Volpano. Secure information flow in a multi-threaded imperative language. In Symposium on Principles of Programming Languages (POPL'98), pages 355-364, San Diego, California, 1998. ACM.
....inputs do not interfere with low observable behavior of the system (low outputs, timing, etc.). Originating from early work of Denning [15, 17] and Cohen [13, 14], a large body of work has followed the noninterference based approach to confidentiality for various programming languages including [2, 22, 47, 49, 29, 6, 44, 45, 43, 12, 32, 46]. We follow this line of work in our definition of security for a language enriched with message passing. Information flow in distributed languages. As computing systems become increasingly connected, multi threaded and distributed programming languages become increasingly important [8] ....
....this undesirable flow. As confidentiality, in general, is not a safety property [36, 48], the use of dynamic information control mechanisms is rendered impractical as all potential execution paths must be monitored. On the other hand, static analysis appears promising for enforcing security (e.g. [50, 22, 47, 6, 44, 28, 51, 11, 40]). Such an analysis is often formulated as a security type system where security types correspond to the confidentiality level of data (such as high and low). A key contribution of this article is a security type system that statically enforces confidentiality in a distributed system. Overview. ....
G. Smith and D. Volpano. Secure information flow in a multi-threaded imperative language. In Proc. of Symposium on Principles of Programming Languages, 1998.
.... pred(e) | λx.e | (e1) e2 | c return e | seq x = e in e; (value) v ::= 1; 2; | x | λx.e; (command) c ::= skip | x := v | c1; c2 | if v then c1 else c2 | while y do c | let x = e in c | let x = y in c | new x ↦ v in c; (threads) o ::= Π_i c_i. The syntax of commands is from [58], extended with general references, local variable declaration and higher order procedures. We use two let commands for simpler presentation of typing rules, though we shall be sometimes informal about them, writing e.g. x := y instead of let z = y in x := z. For brevity of presentation we do ....
....true when there are subtle interplays between language constructs, as in languages we have studied in Sections 7 and §8.1 above). Smith and Volpano (cf. [57, 58, 62]) studied various aspects of secrecy in imperative languages. Sequential procedures are studied in [62]. Multi threading is studied in [58], whose typability was enlarged by our work with Vasconcelos [27] using the π-calculus, based on which a further enhancement was done in [57]. As we have seen in Proposition 7.6, our calculus is a conservative extension of the possibilistic part of the calculus in [57], integrating it with ....
Smith, G. and Volpano, D., Secure information flow in a multi-threaded imperative language, 355-364, POPL'98, ACM, 1998.
.... for the detection of the confidential information, e.g. by running the program a sufficient number of times [10]. In the context of imperative programming languages, confinement properties with respect to the value of high and low level variables have been recently discussed in [22, 25, 23], where a type system based security analysis is developed. Another recent contribution to this problem is the work in [17, 18], where the use of probabilistic power domains is proposed, which allows for a compositional specification of the non interference property underlying a type based security ....
Geoffrey Smith and Dennis Volpano. Secure information flow in a multi-threaded imperative language. In Symposium on Principles of Programming Languages (POPL'98), pages 355-364, San Diego, California, 1998. ACM.
....and channel passing. Precise comparisons with related type systems are difficult as the languages involved differ widely. One can, however, embed fragments of these languages into box (noting that this only exploits the fully typed part of our calculus). For example, in the work of Smith and Volpano [31] an assignment to a low security variable can follow an assignment to a high variable: the program h := 3; l := 1 is well typed. The natural translation of this program in box would be h 0 | h y. h y. l 1) with an initial store assigning 0 to h and l. This would not be well typed in ....
Geoffrey Smith and Dennis Volpano. Secure information flow in a multi-threaded imperative language. In Conference Record of POPL '98: The 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 355-364, San Diego, California, 19-21 January 1998.
....such as conditional expressions and loops, as well as the more exotic timing and probabilistic channels). To date these techniques are still not used in practice. Part of the problem stems from inherent restrictions; to achieve non interference in a multi threaded language Volpano and Smith [18] had to forbid the guards of loops from depending on high security variables. Forbidding loops in sensitive code is quite stringent, yet not sufficient since some probabilistic channels remain. A more fundamental problem with information flow control is that it assumes a homogeneous software system in ....
Smith G, Volpano D. Secure information flow in a multi-threaded imperative language. Conference Record of POPL '98: The 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, 1998; 355-364.
....This is particularly true for security properties such as confidentiality and integrity. These problems can be tackled by enforcing the desired properties through strict local security checks, as is done e.g. in bytecode verification, see e.g. [12], or in type systems for information flow, see e.g. [16]. However, this requires focusing on a very restricted set of properties, that excludes many useful global properties. Open platforms for smartcards. New generation smartcards such as JavaCards are open platforms that support multiple applications on a single card and post-issuance loading of ....
G. Smith and D. Volpano. Secure information flow in a multi-threaded imperative language. In Proceedings of POPL'98, pages 355-364. ACM Press, 1998.
....which uses a secrecy sensitive bisimilarity built on the top of linear bisimilarity. The theory ensures secrecy through semantic means for a strictly larger set of processes than the syntactic theory in [23], which itself is powerful enough to embed representative secrecy calculi such as [3, 32]. As a simple example, the theory can justify the safety of the following term via encoding ( and are high and low secrecy levels, respectively): case y of {in_i ( in_1 ( }_{i∈{1,2}} : bool, which is untypable in standard secrecy typing systems, cf. [3, 32]. One of the technical ....
.... secrecy calculi such as [3, 32]. As a simple example, the theory can justify the safety of the following term via encoding ( and are high and low secrecy levels, respectively): case y of {in_i ( in_1 ( }_{i∈{1,2}} : bool, which is untypable in standard secrecy typing systems, cf. [3, 32]. One of the technical contributions of the present work is a proof technique for establishing congruency of linear bisimilarity which, among others, uses liveness at linear channels. The proof method is applicable when we extend linear bisimilarity to other type structures involving ....
Smith, G. and Volpano, D., Secure information flow in a multi-threaded imperative language, 355-364, POPL'98, ACM, 1998.
....are statically verified, so JFlow requires little run time overhead, and can enforce security policies that cannot be enforced by run time checks. Volpano, Smith, and Irvine [VSI96] formalized the lattice model of Denning [Den76, DD77] as a type system for an imperative language; Smith and Volpano [SV98] generalized this type system to concurrent systems. The SLam calculus [HR98] is an extension of the lambda calculus that tracks security information as well as type information; the security information allows information flow and access control security properties to be checked by the type ....
Geoffrey Smith and Dennis Volpano. Secure information flow in a multi-threaded imperative language. In Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 355-364, San Diego, CA, January 1998.
....Formally, we want programs to satisfy a property called noninterference [10], which says that the final values of L variables don't depend on the initial values of H variables. In the case when programs are multi threaded, and hence nondeterministic, we need a possibilistic noninterference property [8], set of possible final values of L variables. Here's a non example, similar to one in [8]. Suppose x is H, with value 0 or 1, and y is L. Also, assume that t is initially 0. Consider the following program, which consists of two threads: Thread : if x = 1 then Thread : if x = 0 then Note ....
....the final values of L variables don't depend on the initial values of H variables. In the case when programs are multi threaded, and hence nondeterministic, we need a possibilistic noninterference property [8], set of possible final values of L variables. Here's a non example, similar to one in [8]. Suppose x is H, with value 0 or 1, and y is L. Also, assume that t is initially 0. Consider the following program, which consists of two threads: Thread : if x = 1 then Thread : if x = 0 then Note that thread always assigns 1 to y, and thread always assigns 0 to y, but the order in ....
Geoffrey Smith and Dennis Volpano, Secure information flow in a multithreaded imperative language, In: Proceedings 25th Symposium on Principles of Programming Languages, San Diego, CA, January 1998, pp. 355-364.
.... Language Dennis Volpano Computer Science Department Naval Postgraduate School Monterey, CA 93943, USA volpano@cs.nps.navy.mil Geoffrey Smith School of Computer Science Florida International University Miami, FL 33199, USA smithg@cs.fiu.edu September 22, 1999 Abstract In previous work [16], we give a type system that guarantees that well typed multithreaded programs are possibilistically noninterfering. If thread scheduling is probabilistic, however, then well typed programs may have probabilistic timing channels. We describe how they can be eliminated without making the type ....
....case, we must be sure the code does not leak it. Specifically, this paper is concerned with identifying conditions under which concurrent programs, involving high (private) and low (public) variables, can be proved free of information flows from high variables to low variables. In previous work [16], we developed a type system that ensures that well typed multi threaded programs have a possibilistic noninterference property. Possibilistic noninterference asserts that the set of possible final values of low variables is independent of the initial values of high variables. Hence, if we run such ....
Geoffrey Smith and Dennis Volpano. Secure information flow in a multi-threaded imperative language. In Proceedings 25th Symposium on Principles of Programming Languages, pages 355-364, San Diego, CA, January 1998.
....an execution that leaves Y equal to b a v a, say for v a. Now we ask whether this outcome is possible when v is changed to a different value, say w. No matter how we interleave, Y ends up being b a or b a w a. The outcome is no longer possible. We have then the following property [31]: We ignore a third thread for low level writing to the system. 11 Definition (Possibilistic NI). Suppose and are memories that agree on all public variables and that (O; fg; Then there is a such that (O; fg; and agree on all public variables. ....
....property that closely resembles Sutherland's notion of Nondeducibility on inputs [39]. Also notice the similarity between this property and Offline Security. The program in Figure 6 does not satisfy Possibilistic NI. Another interesting example that does not satisfy Possibilistic NI is given in [31]. It uses a main thread and two triggered threads, each with a busy wait loop implementing a semaphore, to copy every bit of a private PIN to a public variable. In fact, the program always produces a copy of the PIN in a public variable whenever thread scheduling is fair (every thread is scheduled ....
Geoffrey Smith and Dennis Volpano. Secure information flow in a multi-threaded imperative language. In Proceedings 25th Symposium on Principles of Programming Languages, pages 355-364, San Diego, CA, January 1998.
....suppose h is a constant (read only variable) whose value is a k bit integer secret. If we represent a query as match(e), which is true iff h = e, then a brute force attack on h can be represented by a simple loop: while ¬match(l) do l := l + 1. An information flow property like Noninterference [5, 15, 12, 14] rejects the program. Given that h has security class H (high) and l has security class L (low), Noninterference Computer Science Department, Naval Postgraduate School, Monterey, California 93943. Email: volpano@cs.nps.navy.mil. School of Computer Science, Florida International University, ....
....testing is safe in general, and that we could simply give e1 = e2 type L, regardless of the types of e1 and e2. However, this is not so; it then becomes possible to leak a secret in linear time. Finally, we consider the effect of adding concurrency to the language. Unlike our previous work [12, 14], we consider a synchronous form of concurrency, so that programs remain deterministic. We show that synchronous concurrency, even without match queries, allows well typed programs to leak secrets in linear time. 2 The deterministic language In this paper, we consider a deterministic imperative ....
G. Smith and D. Volpano. Secure information flow in a multi-threaded imperative language. In Proceedings 25th Symposium on Principles of Programming Languages, pages 355-364, San Diego, CA, January 1998.
G. Smith and D.M. Volpano. Secure information flow in a multi-threaded imperative language. In Proceedings of POPL, 1998.
Smith, G. and Volpano, D., Secure information flow in a multi-threaded imperative language, 355-364, POPL'98, ACM, 1998.
Smith, G. and Volpano, D., Secure information flow in a multi-threaded imperative language, pp. 355-364, POPL'98, ACM, 1998.
G. Smith and D. Volpano. Secure information flow in a multi-threaded imperative language. In ACM, editor, Proceedings POPL '98, pages 355-364. ACM Press, 1998.
G. Smith and D. Volpano, Secure information flow in a multi-threaded imperative language, Proc. ACM POPL, 1998.
Geoffrey Smith and Dennis Volpano. Secure information flow in a multi-threaded imperative language. In Conference Record of the ACM Symposium on Principles of Programming Languages, San Diego, January 1998.
G. Smith and D.M. Volpano. Secure information flow in a multi-threaded imperative language. In Proceedings of POPL, 1998.
Smith, G. and Volpano, D., Secure information flow in a multi-threaded imperative language, pp. 355-364, POPL'98, ACM, 1998.
Geoffrey Smith and Dennis Volpano. Secure information flow in a multi-threaded imperative language. In Conference Record of the ACM Symposium on Principles of Programming Languages, San Diego, January 1998.
G. Smith and D. Volpano. Secure information flow in a multi-threaded imperative language. In Conference Record of POPL '98: The 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 355-364, San Diego, California, 19-21 Jan. 1998.