Abstract:
This paper gives a language in which information flow is securely controlled by a dependent type system, yet the security classes of data can vary dynamically. Information flow policies provide the means to express strong security requirements for data confidentiality and integrity. Recent work on security-typed programming languages has shown that information flow can be analyzed statically, ensuring that programs will respect the restrictions placed on data. However, real computing systems have security policies that vary dynamically and that cannot be determined at the time of program analysis. For example, a file has associated access permissions that cannot be known with certainty until it is opened. Although one security-typed programming language has included support for dynamic security labels, there has been no demonstration that a general mechanism for dynamic labels can securely control information flow. In this paper, we present an expressive language-based mechanism for reasoning about dynamic security labels. The mechanism is formally presented in a core language based on the typed lambda calculus; any well-typed program in this language is provably secure because it satisfies noninterference.
Citations

| Cited by | Title | Authors | Year |
|---|---|---|---|
| 432 | Security policy and security models | Goguen, Meseguer | 1982 |
| 409 | Cryptography and Data Security | Denning | 1984 |
| 250 | Foundations for Programming Languages | Mitchell | 1996 |
| 245 | Language-based information-flow security | Sabelfeld, Myers | 2003 |
| 241 | A sound type system for secure flow analysis | Volpano, Smith, et al. | 1996 |
| 231 | Certification of programs for secure information flow | Denning, Denning | 1977 |
| 230 | JFlow: Practical Mostly-Static Information Flow Control | Myers | 1999 |
| 212 | Dependent types in practical programming | Xi, Pfenning | 1999 |
| 179 | The SLam calculus: programming with secrecy and integrity | Heintze, Riecke | 1998 |
| 113 | A decentralized model for information flow control | Myers, Liskov | 1997 |
| 112 | Information flow inference for ML | Pottier, Simonet | 2002 |
| 99 | Protecting privacy using the decentralized label model | Myers, Liskov | 2000 |
| 96 | Transforming out timing leaks | Agat | 2000 |
| 69 | Secure information flow and pointer confinement in a Java-like language | Banerjee, Naumann | 2002 |
| 47 | Jif: Java Information Flow. Software release. Located at http://www.cs.cornell.edu/jif | Myers, Zheng, et al. | |
| 40 | The algebra of security | McLean | 1988 |
| 36 | Subtyping with singleton types | Aspinall | 1994 |
| 30 | Trust in the λ-calculus | Palsberg, Ørbæk | 1995 |
| 28 | Secure information flow via linear continuations | Zdancewic, Myers | 2002 |
| 27 | Imperative programming with dependent types | Xi | 2000 |
| 26 | Using access control for secure information flow in a Java-like language | Banerjee, Naumann | 2003 |
| 26 | Run-time Principals in Information-flow Type Systems | Tse, Zdancewic, et al. | |
| 24 | Security controls in the ADEPT-50 timesharing system | Weissman | 1969 |
| 22 | Static confidentiality enforcement for distributed programs | Sabelfeld, Mantel | 2002 |
| 17 | Observational determinism for concurrent program security | Zdancewic, Myers | 2003 |
| 17 | Dynamic security labels and noninterference | Zheng, Myers | 2004 |
| 14 | A security model of dynamic labeling providing a tiered approach to verification | Foley, Gong, et al. | 1996 |
| 13 | Honest databases that can keep secrets | Sandhu, Jajodia | 1991 |
| 13 | Exploiting the dual nature of sensitivity labels | Woodward | 1987 |
| 7 | Policies for Dynamic Upgrading | Meadows | 1991 |
| 5 | Deducibility security with dynamic level assignments | Sutherland, Perlo, et al. | 1989 |