A metadata calculus for securing information flows (original) (raw)

A language for information flow

ACM SIGPLAN Notices, 2009

This paper presents λ I , a language for dynamic tracking of information flow across multiple, interdependent dimensions of information. Typical dimensions of interest are integrity and confidentiality. λ I supports arbitrary domain-specific policies that can be developed independently. λ I treats information-flow metadata as a first-class entity and tracks information flow on the metadata itself (integrity on integrity, integrity on confidentiality, etc.). This paper also defines IMPOLITE, a novel class of information-flow policies for λ I . Unlike many systems, which only allow for absolute-security relations, IM-POLITE can model more realistic security policies based on relative-security relations. IMPOLITE demonstrates how policies on interdependent dimensions of information can be simultaneously enforced within λ I 's unified framework.

Achieving information flow security through monadic control of effects

Journal of Computer Security, 2009

We present a new technique for verifying correspondences in security protocols. In particular, correspondences can be used to formalize authentication. Our technique is fully automatic, it can handle an unbounded number of sessions of the protocol, and it is efficient in practice. It significantly extends a previous technique for the verification of secrecy. The protocol is represented in an extension of the pi calculus with fairly arbitrary cryptographic primitives. This protocol representation includes the specification of the correspondence to be verified, but no other annotation. This representation is then translated into an abstract representation by Horn clauses, which is used to prove the desired correspondence. Our technique has been proved correct and implemented. We have tested it on various protocols from the literature. The experimental results show that these protocols can be verified by our technique in less than 1 s. * This paper is an updated and extended version of [13] and [14]. † This research has been done within the INRIA ABSTRACTION project-team (common with the CNRS and theÉNS). Tuples: Constructor: tuple ntuple(x 1 ,. .. , x n) Destructors: projections ith n (ntuple(x 1 ,. .. , x n)) → x i Shared-key encryption: Constructor: encryption of x under the key y, sencrypt (x, y) Destructor: decryption sdecrypt (sencrypt (x, y), y) → x Probabilistic shared-key encryption: Constructor: encryption of x under the key y with random coins r, sencrypt p (x, y, r) Destructor: decryption sdecrypt p (sencrypt p (x, y, r), y) → x Probabilistic public-key encryption: Constructors: encryption of x under the key y with random coins r, pencrypt p (x, y, r) public key generation from a secret key y, pk (y) Destructor: decryption pdecrypt p (pencrypt p (x, pk (y), r), y) → x Signatures: Constructors: signature of x with the secret key y, sign(x, y) public key generation from a secret key y, pk (y) Destructors: signature verification checksignature(sign(x, y), pk (y)) → x message without signature getmessage(sign(x, y)) → x Non-message-revealing signatures: Constructors: signature of x with the secret key y, nmrsign(x, y) public key generation from a secret key y, pk (y) constant true Destructor: verification nmrchecksign(nmrsign(x, y), pk (y), x) → true One-way hash functions: Constructor: hash function h(x) Table of host names and keys Constructor: host name from key host (x) Private destructor: key from host name getkey(host (x)) → x

A semantic approach to secure information flow

Science of Computer Programming, 2000

A classic problem in security is the problem of determining whether a given program has secure information flow. Informally, this problem may be described as follows: Given a program operating on public and private variables, check whether observations of the public variables before and after execution reveal any information about the initial values of the private variables. Although the problem has been studied for several decades, most of the previous approaches have been syntactic in nature, often using type systems and compiler data flow analysis techniques to analyze program texts. This paper presents a considerably different approach to checking secure information flow, based on a semantic characterization of security. A semantic approach has several desirable features. Firstly, it gives a more precise characterization of security than that possible by conservative methods based on type systems. Secondly, it applies to any programming constructs whose semantics are definable; for instance, nondeterminism and exceptions pose no additional problems. Thirdly, it can be applied to reasoning about indirect leaking of information through variations in program behavior (e.g., whether or not the program terminates). The method is also useful in the context of automated verification, since it can be used to develop a mechanically-assisted technique for checking whether the flow of a given program is secure.

Beyond Labels: Permissiveness for Dynamic Information Flow Enforcement

2019 IEEE 32nd Computer Security Foundations Symposium (CSF), 2019

Flow-sensitive labels used by dynamic enforcement mechanisms might themselves encode sensitive information, which can leak. Metalabels, employed to represent the sensitivity of labels, exhibit the same problem. This paper derives a new family of enforcers-k-Enf , for 2 ≤ k ≤ ∞-that uses label chains, where each label defines the sensitivity of its predecessor. These enforcers satisfy Block-safe Noninterference (BNI), which proscribes leaks from observing variables, label chains, and blocked executions. Theorems in this paper characterize where longer label chains can improve the permissiveness of dynamic enforcement mechanisms that satisfy BNI. These theorems depend on semantic attributes-k-precise, k-varying, and k-dependent-of such mechanisms, as well as on initialization, threat model, and lattice size.

Flexible Manipulation of Labeled Values for Information-Flow Control Libraries

Lecture Notes in Computer Science, 2016

The programming language Haskell plays a unique, privileged role in Information-Flow Control (IFC) research: it is able to enforce information security via libraries. Many state-of-the-art libraries (e.g., LIO, HLIO, and MAC) allow computations to manipulate data with different security labels by introducing the notion of labeled values, which protect values with explicit labels by means of an abstract data type. While computations have an underlying algebraic structure in such libraries (i.e. monads), there is no research on structures for labeled values and their impact on the programming model. In this paper, we add the functor structure to labeled values, which allows programmers to conveniently and securely perform computations without side-effects on such values, and an applicative operator, which extends this feature to work on multiple labeled values combined by a multi-parameter function. This functionality simplifies code, as it does not force programmers to spawn threads to manipulate sensitive data with side-effect free operations. Additionally, we present a relabel primitive which securely modifies the label of labeled values. This operation also helps to simplify code when aggregating data with heterogeneous labels, as it does not require spawning threads to do so. We provide mechanized proofs of the soundness our contributions for the security library MAC, although we remark that our ideas apply to LIO and HLIO as well.

Information Flow Control for Distributed Usage Control

The vision of a landscape of heterogeneous web services deployed as encapsulated business software assets in the Internet is currently becoming a reality as part of the Semantic Web. When pro-active agents handle the context-aware discovery, acquisition, composition, and management of application services and data, ensuring the security of customers' data becomes a principle task. To dynamically compose its offered service, an agent has to process and spread confidential data to other web services demanding the required degree of security. In this paper we propose a methodology based on type-based information flow to control the security of dynamically computed data and their proliferation to other web services.

A generic data flow security model

2011

Network security policy enforcement consists in configuring heterogeneous security mechanisms (IPsec gateways, ACLs on routers, stateful firewalls, proxies, etc) that are available in a given network environment. The complexity of this task resides in the number, the nature, and the interdependence of the mechanisms. We propose in this paper a formal data flow model focused on detecting multi-layer inconsistencies between security mechanisms. This model is independent from specific security mechanisms to admit the security technology diversity and evolution.

Encoding secure information flow with restricted delegation and revocation in Haskell

Proceedings of the 1st annual workshop on Functional programming concepts in domain-specific languages - FPCDSL '13, 2013

Distributed applications typically involve many components, each with unique security and privacy requirements. Such applications require fine-grained access control mechanisms that allow dynamic delegation and revocation of access rights. Embedding such domain-specific requirements in a functional language like Haskell puts all the expressiveness of the host language at the disposal of the domain user. Using a custom monad, we design and implement an embedded Haskell library that embraces the decentralized label model, allowing mutually-distrusting principals to express individual confidentiality and integrity policies. Our language includes first-class references, higher-order functions, declassification and endorsement of policies, and user authority in the presence of global unrestricted delegation. Then, building on previous work by the first author, we extend the language to enable fine-grained dynamic delegation and revocation of access rights. The resulting language generalizes, extends, and simplifies various libraries for expressing and reasoning about information flow.

Information Flow Control with Minimal Tag Disclosure

Proceedings of the International Conference on Internet of things and Cloud Computing, 2016

Information Flow Control (IFC) extends conventional access control beyond application boundaries, and allows control of data flows after a point of authorised data disclosure. In a deployment of IFC within a cloud operating system (OS), the IFC implementation can be trusted by applications running over the same OS instance. In an IFC deployment within a widely distributed system, such as in the Internet of Things, the potential for trustworthy enforcement of IFC must be ascertained during connection establishment. IFC is based on tagging data in line with data management requirements. When audit is included as part of IFC, it can be shown that a system complies with these requirements. In this paper, we consider the possibility that some tags may be sensitive and discuss the use of Private Set Intersection (PSI) to prevent unnecessary disclosure of IFC tags during the establishment of communication channels. The proposed approach guarantees that on authorised flows, only the tags necessary for that interaction are disclosed and that no tags are disclosed for prevented flows. This functionality is particularly important in contexts such as healthcare, where privacy and confidentiality are paramount. CCS Concepts •Security and privacy → Information flow control; Distributed systems security; Public key (asymmetric) techniques;

Secure Data Flow in a Calculus for Context Awareness

Lecture Notes in Computer Science, 2008

We present a Mobile-Ambients-based process calculus to describe context-aware computing in an infrastructure-based Ubiquitous Computing setting. In our calculus, computing agents can provide and discover contextual information and are owners of security policies. Simple access control to contextual information is not sufficient to insure confidentiality in Global Computing, therefore our security policies regulate agents' rights to the provision and discovery of contextual information over distributed flows of actions. A type system enforcing security policies by a combination of static and dynamic checking of mobile agents is provided, together with its type soundness.