Results 1 
5 of
5
Cryptographically sound implementations for typed informationflow security
 IN: PROCEEDINGS 35TH SYMPOSIUM ON PRINCIPLES OF PROGRAMMING LANGUAGES
, 2008
"... In languagebased security, confidentiality and integrity policies conveniently specify the permitted flows of information between different parts of a program with diverse levels of trust. These policies enable a simple treatment of security, and they can often be verified by typing. However, their ..."
Abstract

Cited by 24 (3 self)
 Add to MetaCart
In languagebased security, confidentiality and integrity policies conveniently specify the permitted flows of information between different parts of a program with diverse levels of trust. These policies enable a simple treatment of security, and they can often be verified by typing. However, their enforcement in concrete systems involves delicate compilation issues. We consider cryptographic enforcement mechanisms for imperative programs with untrusted components. Such programs may represent, for instance, distributed systems connected by some untrusted network. In source programs, security depends on an abstract accesscontrol policy for reading and writing the shared memory. In their implementations, shared memory is unprotected and security depends instead on encryption and signing. We build a translation from welltyped source programs and policies to cryptographic implementations. To establish its correctness, we develop a type system for the target language. Our typing rules enforce a correct usage of cryptographic primitives against active adversaries; from an informationflow viewpoint, they capture controlled forms of robust declassification and endorsement. We show type soundness for a variant of the noninterference property, then show that our translation preserves typability. We rely on concrete primitives and hypotheses for cryptography, stated in terms of probabilistic polynomialtime algorithms and games. We model these primitives as commands in our target language. Thus, we develop a uniform languagebased model of security, ranging from computational noninterference for probabilistic programs down to standard cryptographic hypotheses.
A semiringbased trace semantics for processes with applications to information leakage analysis
 In 6th IFIP TC 1/WG 2.2 Int. Conf. TCS 2010, Part of WCC2010 Proceedings
, 2010
"... Abstract. We propose a framework for reasoning about program security building on languagetheoretic and coalgebraic concepts. The behaviour of a system is viewed as a mapping from traces of high (unobservable) events to low (observable) events: the less the degree of dependency of low events on hig ..."
Abstract

Cited by 5 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We propose a framework for reasoning about program security building on languagetheoretic and coalgebraic concepts. The behaviour of a system is viewed as a mapping from traces of high (unobservable) events to low (observable) events: the less the degree of dependency of low events on high traces, the more secure the system. We take the abstract view that low events are drawn from a generic semiring, where they can be combined using product and sum operations; throughout the paper, we provide instances of this framework, obtained by concrete instantiations of the underlying semiring. We specify systems via a simple process calculus, whose semantics is given as the unique homomorphism from the calculus into the set of behaviours, i.e. formal power series, seen as a final coalgebra. We provide a compositional semantics for the calculus in terms of rational operators on formal power series and show that the final and the compositional semantics coincide. 1
QUANTIFICATION AND FORMALIZATION OF SECURITY
, 2010
"... Computer security policies often are stated informally in terms of confidentiality, integrity, and availability of information and resources; these policies can be qualitative or quantitative. To formally quantify confidentiality and integrity, a new model of quantitative information flow is propose ..."
Abstract
 Add to MetaCart
(Show Context)
Computer security policies often are stated informally in terms of confidentiality, integrity, and availability of information and resources; these policies can be qualitative or quantitative. To formally quantify confidentiality and integrity, a new model of quantitative information flow is proposed in which information flow is quantified as the change in the accuracy of an observer’s beliefs. This new model resolves anomalies present in previous quantitative informationflow models, which are based on change in uncertainty. And the new model is sufficiently general that it can be instantiated to measure either accuracy or uncertainty. To formalize security policies in general, a generalization of the theory of trace properties (originally developed for program verification) is proposed. Security policies are modeled as hyperproperties, which are sets of trace properties. Although important security policies, such as secure information flow, cannot be expressed as trace properties, they can be expressed as hyperproperties. Safety and liveness are generalized from trace properties to hyperproperties, and every hyperproperty is shown to be the intersection of a safety hyperproperty and a liveness hyperproperty. Verification, refinement, and topology of hyperproperties are also addressed. Hyperproperties for system representations beyond trace sets are investigated.
Under consideration for publication in Math. Struct. in Comp. Science Quantification of Integrity †
, 2011
"... Three integrity measures are introduced: contamination, channel suppression, and program suppression. Contamination is a measure of how much untrusted information reaches trusted outputs; it is the dual of leakage, which is a measure of informationflow confidentiality. Channel suppression is a meas ..."
Abstract
 Add to MetaCart
(Show Context)
Three integrity measures are introduced: contamination, channel suppression, and program suppression. Contamination is a measure of how much untrusted information reaches trusted outputs; it is the dual of leakage, which is a measure of informationflow confidentiality. Channel suppression is a measure of how much information about inputs to a noisy channel is missing from channel outputs. And program suppression is a measure of how much information about the correct output of a program is lost because of attacker influence and implementation errors. Program and channel suppression do not have confidentiality duals. As a case study, the relationship between quantitative integrity, confidentiality, and database privacy is examined. 1.
From Qualitative to Quantitative Information Erasure
"... Abstract. We define a quantitative measure of information erasure as a dual of the wellunderstood notion of quantitative information release. Our journey begins from a qualitative, equivalence relationsbased, definition of information erasure and release, which we show to be tightly linked to the ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. We define a quantitative measure of information erasure as a dual of the wellunderstood notion of quantitative information release. Our journey begins from a qualitative, equivalence relationsbased, definition of information erasure and release, which we show to be tightly linked to the quantitative measures of these notions. In particular, given the necessary probability distribution over the inputs of a deterministic system, we show that the quantitative measures of erasure and release are directly derivable from the equivalence relationsbased definitions. However, we observe that the quantitative definitions, unlike the qualitative ones, are less expressive and may suffer from practical problems such as erasure and release occlusion – a problem, which at its core is attributable to the symmetry of the informationtheoretic entropy definition. 1 Information Erasure and Release There is often a need to erase information in real systems. In particular, a system that processes confidential data may be expected to remove pieces of sensitive information from the body of information that it propagates. For example, statistical databases may