Language-based approaches to information security have led to the development of security type systems that permit the programmer to describe confidentiality policies on data. Security type systems are usually intended to enforce noninterference, a property that requires that high-security information not affect low-security computation. However, in practice, noninterference is often too restrictive: the desired policy does permit some information leakage. To compensate for the strictness of noninterference, practical approaches include some mechanism for declassifying high-security information. But such declassification is potentially dangerous, and its use should be restricted to prevent unintended information leaks. Zdancewic and Myers previously introduced the notion of robust declassification in an attempt to capture the desired restrictions on declassification, but that work did not propose a method for determining when a program satisfies the robust declassification condition. This paper motivates robust declassification and shows that a simple change to a security type system can enforce it. The idea is to extend the lattice of security labels to include integrity constraints as well as confidentiality constraints and then require that the decision to perform a declassification have high integrity.
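As an added illustration (not the paper's formal type system), the toy checker below models the abstract's proposal in Python: every label pairs a confidentiality level with an integrity level, and `declassify` is accepted only when both the program counter and the released data have high integrity, so an attacker can influence neither whether nor what is released. The mini-language, the `Label` class and the sample environment are assumptions made for this example.

```python
from dataclasses import dataclass

# Product lattice of (confidentiality, integrity); larger numbers are more restricted
# for confidentiality and less trustworthy for integrity. Constructed for this example.
CONF = {"L": 0, "H": 1}    # low / high confidentiality
INTEG = {"T": 0, "U": 1}   # trusted / untrusted integrity

@dataclass(frozen=True)
class Label:
    conf: str
    integ: str
    def join(self, other):
        return Label("H" if "H" in (self.conf, other.conf) else "L",
                     "U" if "U" in (self.integ, other.integ) else "T")
    def flows_to(self, other):
        return CONF[self.conf] <= CONF[other.conf] and INTEG[self.integ] <= INTEG[other.integ]

class Rejected(Exception):
    pass

def label_of(expr, env, pc):
    """Expressions: ("var", x), ("plus", e1, e2) or ("declassify", e)."""
    if expr[0] == "var":
        return env[expr[1]]
    if expr[0] == "plus":
        return label_of(expr[1], env, pc).join(label_of(expr[2], env, pc))
    inner = label_of(expr[1], env, pc)          # ("declassify", e)
    # Robustness check: the decision (pc) and the data must both be high integrity.
    if pc.integ != "T" or inner.integ != "T":
        raise Rejected("declassification under untrusted control")
    return Label("L", "T")                      # confidentiality lowered, integrity kept

def check(stmts, env, pc=Label("L", "T")):
    """Statements: ("assign", x, e) or ("if", cond, then_stmts, else_stmts)."""
    for stmt in stmts:
        if stmt[0] == "assign":                 # ordinary noninterference check
            if not label_of(stmt[2], env, pc).join(pc).flows_to(env[stmt[1]]):
                raise Rejected("illegal flow into " + stmt[1])
        else:                                   # branches run under a raised pc
            branch_pc = pc.join(label_of(stmt[1], env, pc))
            check(stmt[2], env, branch_pc)
            check(stmt[3], env, branch_pc)

def is_robust(stmts, env):
    try:
        check(stmts, env)
        return True
    except Rejected:
        return False

# Constructed environment: "tainted" is secret but attacker-influenced; the two
# flags are public and differ only in integrity.
ENV = {"secret": Label("H", "T"), "tainted": Label("H", "U"), "low": Label("L", "T"),
       "trusted_flag": Label("L", "T"), "untrusted_flag": Label("L", "U")}
```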