Language-Based Information-Flow Security
- IEEE Journal on Selected Areas in Communications, 2003
Cited by 827 (57 self)
Current standard security practices do not provide substantial assurance that the end-to-end behavior of a computing system satisfies important security policies such as confidentiality. An end-to-end confidentiality policy might assert that secret input data cannot be inferred by an attacker through the attacker's observations of system output; this policy regulates information flow.
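The survey's point is that a confidentiality policy has to be enforced end-to-end: not only must no secret be copied into a public variable, but no public output may depend on a secret through control flow either. The following is an added, constructed example (not code from the survey or its authors) of the classic two-level security type system the survey builds on: a checker for a tiny while-language that rejects explicit flows, implicit flows through branches on secret data, and laundering through an intermediate variable, beside an interpreter that tests the noninterference property empirically by varying only the secret inputs. Variable names, the AST encoding and the sample programs are all constructed here.

```python
"""Security type system for a tiny while-language in the style of the
survey's running example (Volpano/Smith/Irvine). Constructed illustration,
not code from the paper. Two labels L < H; a program is accepted only if no
H data reaches an L variable, whether by direct assignment (explicit flow)
or via a branch on H data (implicit flow), enforced with a pc label."""

LOW, HIGH = "L", "H"

def join(a, b):
    return HIGH if HIGH in (a, b) else LOW

def leq(a, b):
    """a may flow to b: L <= L, L <= H, H <= H, but not H <= L."""
    return a == LOW or b == HIGH

# Expressions: int literal | variable name | (op, e1, e2) with op in add/eq/lt.
# Commands: ("skip",) | ("assign", x, e) | ("seq", c1, c2, ...) |
#           ("if", e, c_then, c_else) | ("while", e, body).

class FlowError(Exception):
    pass

def type_expr(e, env):
    """Label of an expression: join of the labels of the variables it reads."""
    if isinstance(e, int):
        return LOW
    if isinstance(e, str):
        return env[e]
    _, left, right = e
    return join(type_expr(left, env), type_expr(right, env))

def type_cmd(c, env, pc=LOW):
    """Check c under program-counter label pc. Assignment x := e requires
    join(pc, label(e)) <= label(x); if/while raise pc to the guard's label
    for their bodies, which is what rules out implicit flows."""
    tag = c[0]
    if tag == "skip":
        return
    if tag == "assign":
        _, x, e = c
        src = join(pc, type_expr(e, env))
        if not leq(src, env[x]):
            raise FlowError(f"{src} data assigned to {x}:{env[x]} in {c!r}")
    elif tag == "seq":
        for sub in c[1:]:
            type_cmd(sub, env, pc)
    elif tag in ("if", "while"):
        guard_pc = join(pc, type_expr(c[1], env))
        for body in c[2:]:
            type_cmd(body, env, guard_pc)
    else:
        raise ValueError(f"unknown command {tag}")

def is_secure(c, env):
    try:
        type_cmd(c, env)
        return True
    except FlowError:
        return False

def eval_expr(e, store):
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return store[e]
    op, left, right = e
    a, b = eval_expr(left, store), eval_expr(right, store)
    return {"add": a + b, "eq": int(a == b), "lt": int(a < b)}[op]

def run(c, store):
    """Reference interpreter, used to observe what the type system promises."""
    tag = c[0]
    if tag == "assign":
        store[c[1]] = eval_expr(c[2], store)
    elif tag == "seq":
        for sub in c[1:]:
            run(sub, store)
    elif tag == "if":
        run(c[2] if eval_expr(c[1], store) else c[3], store)
    elif tag == "while":
        while eval_expr(c[1], store):
            run(c[2], store)
    return store

def noninterfering(c, env, secrets=(0, 1, 7), public_init=3):
    """Empirical noninterference: vary only the H inputs and require that
    every L variable ends with the same value in every run."""
    views = []
    for s in secrets:
        store = {x: (s if lab == HIGH else public_init) for x, lab in env.items()}
        final = run(c, store)
        views.append({x: v for x, v in final.items() if env[x] == LOW})
    return all(v == views[0] for v in views)

# Constructed sample programs over a policy with secret (H) and public (L) variables.
ENV = {"secret": HIGH, "tmp": HIGH, "public": LOW}
EXPLICIT_LEAK = ("assign", "public", "secret")
IMPLICIT_LEAK = ("if", ("eq", "secret", 0), ("assign", "public", 0), ("assign", "public", 1))
LAUNDER = ("seq", ("assign", "tmp", "secret"), ("assign", "public", "tmp"))
SAFE = ("seq", ("assign", "tmp", ("add", "secret", "public")),
        ("if", ("eq", "public", 0), ("assign", "public", 1), ("skip",)))
TERMINATION_LEAK = ("while", ("lt", 0, "secret"), ("skip",))  # accepted: termination-insensitive
```

The checker rejects the three leaking programs and accepts `SAFE`, and the interpreter confirms that `SAFE` gives the same public result for every secret while the rejected programs do not. `TERMINATION_LEAK` is the standard caveat: the system is termination-insensitive, so a loop whose termination depends on a secret type-checks even though an observer who can see whether the program halts learns one bit; the survey discusses this and timing channels as limits of the basic noninterference guarantee.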
Observational determinism for concurrent program security
- In Proceedings of the 16th IEEE Computer Security Foundations Workshop (CSFW'03), 2003
Cited by 79 (9 self)
Run-time Principals in Information-flow Type Systems
- In IEEE Symposium on Security and Privacy, 2004
Cited by 66 (12 self)
for enforcing strong end-to-end confidentiality and integrity policies. Such policies, however, are usually specified in terms of static information---data is labeled high or low security at compile time. In practice, the confidentiality of data may depend on information available only while the system is running. This paper studies language support for run-time principals, a mechanism for specifying information-flow security policies that depend on which principals interact with the system. We establish the basic property of noninterference for programs written in such a language, and use run-time principals for specifying run-time authority in downgrading mechanisms such as declassification.
Type-Based Information Flow Analysis for the Pi-Calculus
- Acta Informatica, 2003
Cited by 52 (10 self)
We propose a new type system for information flow analysis for the
Dynamic security labels and noninterference
- In Proc
Cited by 42 (3 self)
This paper presents a language in which information flow is securely controlled by a type system, yet the security class of data can vary dynamically. Information flow policies provide the means to express strong security requirements for data confidentiality and integrity. Recent work on security-typed programming languages has shown that information flow can be analyzed statically, ensuring that programs will respect the restrictions placed on data. However, real computing systems have security policies that vary dynamically and that cannot be determined at the time of program analysis. For example, a file has associated access permissions that cannot be known with certainty until it is opened. Although one security-typed programming language has included support for dynamic security labels, there has been no demonstration that a general mechanism for dynamic labels can securely control information flow. In this paper, we present an expressive language-based mechanism for reasoning about dynamic security labels. The mechanism is formally presented in a core language based on the typed lambda calculus; any well-typed program in this language is provably secure because it satisfies noninterference.
Dynamic Security Labels and Static Information Flow
Cited by 31 (3 self)
This paper presents a language in which information flow is securely controlled by a type system, yet the security class of data can vary dynamically. Information flow policies provide the means to express strong security requirements for data confidentiality and integrity. Recent work on security-typed programming languages has shown that information flow can be analyzed statically, ensuring that programs will respect the restrictions placed on data. However, real computing systems have security policies that cannot be determined at the time of program analysis. For example, a file has associated access permissions that cannot be known with certainty until it is opened. Although one security-typed programming language has included support for dynamic security labels, there has been no demonstration that a general mechanism for dynamic labels can securely control information flow. In this paper, we present an expressive language-based mechanism for reasoning about dynamic security labels. The mechanism is formally presented in a core language based on the typed lambda calculus; any well-typed program in this language is secure because it satisfies noninterference.
All Your IFCException Are Belong To Us
Cited by 25 (6 self)
Existing designs for fine-grained, dynamic information-flow control assume that it is acceptable to terminate the entire system when an incorrect flow is detected, i.e., they give up availability for the sake of confidentiality and integrity. This is an unrealistic limitation for systems such as long-running servers. We identify public labels and delayed exceptions as crucial ingredients for making information-flow errors recoverable in a sound and usable language, and we propose two new error-handling mechanisms that make all errors recoverable. The first mechanism builds directly on these basic ingredients, using not-a-values (NaVs) and data flow to propagate errors. The second mechanism adapts the standard exception model to satisfy the extra constraints arising from information flow control, converting thrown exceptions to delayed ones at certain points. We prove that both mechanisms enjoy the fundamental soundness property of non-interference. Finally, we describe a prototype implementation of a full-scale language with NaVs and report on our experience building robust software components in this setting. Keywords: dynamic information flow control, fine-grained labeling, availability, reliability, error recovery, exception handling, programming-language design, public labels, delayed
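The two "Dynamic security labels" entries above and this abstract share a setting: the label of a piece of data is only known at run time (a file's permissions, read when it is opened), flows are checked dynamically, and a refused flow should not bring down a long-running server. The following is an added, constructed example that is not code from any of these papers. It models labels as sets of principals allowed to read, joins them on every operation, checks them at output sinks, and on a refused flow returns a not-a-value that propagates along the data flow instead of aborting. Because the refusal depends only on labels, which are public in this toy model, logging it to the sink leaks nothing about the refused content; `bob_view` shows that bob's observations are identical for different secrets. Principal names, file paths, contents and the `serve` handler are all constructed.

```python
"""Dynamic, fine-grained information-flow monitor with run-time labels and
recoverable flow errors (NaVs). Constructed illustration of the ideas in the
'Dynamic security labels' and 'IFCException' abstracts, not code from them."""

from dataclasses import dataclass, field
from typing import Any, Callable, Dict, FrozenSet, List, Tuple

Principal = str
Label = FrozenSet[Principal]          # who may read the data; fewer readers = more secret
PUBLIC: Label = frozenset({"alice", "bob", "world"})   # every principal in this toy system

def join(a: Label, b: Label) -> Label:
    """Data computed from both inputs may only be read by readers common to both."""
    return a & b

def flows_to(src: Label, dst: Label) -> bool:
    """src may flow to dst if dst is at least as restrictive (no extra readers)."""
    return dst <= src

@dataclass(frozen=True)
class NaV:
    """Not-a-value: stands in for data a refused flow could not deliver.
    It carries only a reason built from labels, never the refused content."""
    reason: str

@dataclass(frozen=True)
class Labeled:
    value: Any
    label: Label

def apply(f: Callable[..., Any], *args: Labeled) -> Labeled:
    """Monitored operation: result label is the join of the operand labels;
    a NaV operand propagates along the data flow instead of raising."""
    label = PUBLIC
    for a in args:
        label = join(label, a.label)
    for a in args:
        if isinstance(a.value, NaV):
            return Labeled(a.value, label)
    return Labeled(f(*(a.value for a in args)), label)

# Constructed file system: path -> (content, ACL). The ACL, hence the label of
# the content, is a run-time quantity known only once the file is opened.
FileSystem = Dict[str, Tuple[str, Label]]
SAMPLE_FS: FileSystem = {
    "/etc/motd": ("welcome", PUBLIC),
    "/home/alice/key": ("s3cr3t", frozenset({"alice"})),
}

def open_file(fs: FileSystem, path: str) -> Labeled:
    content, readers = fs[path]
    return Labeled(content, readers)

@dataclass
class Channel:
    """Output sink owned by one principal; `log` is what that principal observes."""
    owner: Principal
    log: List[Tuple[str, Any]] = field(default_factory=list)

    def send(self, v: Labeled) -> Labeled:
        """Flow check at the sink. A refused flow is logged and returned as a
        NaV rather than terminating the program. The decision depends only on
        labels, which are public here, so observing the refusal leaks nothing
        about v's content."""
        sink: Label = frozenset({self.owner})
        if isinstance(v.value, NaV):
            self.log.append(("error", v.value.reason))
            return v
        if not flows_to(v.label, sink):
            nav = NaV(f"readers {sorted(v.label)} do not include {self.owner}")
            self.log.append(("error", nav.reason))
            return Labeled(nav, PUBLIC)
        self.log.append(("ok", v.value))
        return v

def serve(bob: Channel, fs: FileSystem) -> Channel:
    """Server-style handler: one refused flow must not stop the legitimate work after it."""
    motd = open_file(fs, "/etc/motd")
    key = open_file(fs, "/home/alice/key")
    bob.send(apply(str.upper, motd))                 # PUBLIC -> {bob}: allowed
    tainted = apply(lambda k, m: k + m, key, motd)   # label {alice}: join of the two
    bob.send(tainted)                                # refused -> NaV, handler continues
    bob.send(apply(len, motd))                       # still delivered
    return bob

def bob_view(secret: str) -> List[Tuple[str, Any]]:
    """What bob observes when alice's key file holds `secret`."""
    fs: FileSystem = dict(SAMPLE_FS)
    fs["/home/alice/key"] = (secret, frozenset({"alice"}))
    return serve(Channel("bob"), fs).log
```

`bob_view("s3cr3t")` and `bob_view("hunter2")` return the same three entries (the uppercased motd, one error naming only the labels involved, and the motd length), which is the noninterference property the abstracts prove for their full languages; the second `send` is refused but the handler keeps running, which is the availability point of the IFCException paper. The model is deliberately conservative: the NaV reason is built from labels alone, and a NaV never carries the value it replaced.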
End-to-end availability policies and noninterference
- 2005
Cited by 18 (3 self)
This paper introduces the use of static information flow analysis for the specification and enforcement of end-to-end availability policies in programs. We generalize the decentralized label model, which is about confidentiality and integrity, to also include security policies for availability. These policies characterize acceptable risks by representing them as principals. We show that in this setting, a suitable extension of noninterference corresponds to a strong, end-to-end availability guarantee. This approach provides a natural way to specify availability policies and enables existing static dependency analysis techniques to be adapted for availability. The paper presents a simple language in which fine-grained information security policies can be specified as type annotations. These annotations can include requirements for all three major security properties: confidentiality, integrity, and availability. The type system for the language provably guarantees that any well-typed program has the desired noninterference properties, ensuring confidentiality, integrity, and availability.
Caisson: A Hardware Description Language for Secure Information Flow
- In Proceedings of Programming Language Design and Implementation (PLDI 2011), 2011
Cited by 16 (6 self)
Information flow is an important security property that must be incorporated from the ground up, including at hardware design time, to provide a formal basis for a system’s root of trust. We incorporate insights and techniques from designing information-flow secure programming languages to provide a new perspective on designing secure hardware. We describe a new hardware description language, Caisson, that combines domain-specific abstractions common to hardware design with insights from type-based techniques used in secure programming languages. The proper combination of these elements allows for an expressive, provably-secure HDL that operates at a familiar level of abstraction to the target audience of the language, hardware architects. We have implemented a compiler for Caisson that translates designs into Verilog and then synthesizes the designs using existing tools. As an example of Caisson’s usefulness we have addressed an open problem in secure hardware by creating the first-ever provably information-flow secure processor with micro-architectural features including pipelining and cache. We synthesize the secure processor and empirically compare it in terms of chip area, power consumption, and clock frequency with both a standard (insecure) commercial processor and also a processor augmented at the gate level to dynamically track information flow. Our processor is competitive with the insecure processor and significantly better than dynamic tracking.
Type-Based Information Flow Analysis for Low-Level Languages
- In Proceedings of the 3rd Asian Workshop on Programming Languages and Systems (APLAS'02), 2002
Cited by 13 (1 self)
A static program analysis called information flow analysis has been studied for high-level programming languages, to check that programs do not leak information about secret data such as passwords.