ABSTRACT
Noninterference is the basic semantic condition used to account for confidentiality- and integrity-related properties in programming languages. There appears to be a belief, at least implicit, in the programming languages community that partial approaches based on type systems or other static analysis techniques are necessary for noninterference analyses to be tractable. In this paper we show that this belief is not necessarily true. We focus on the notion of strong low bisimulation proposed by Sabelfeld and Sands. We show that, relative to a decidable expression theory, strong low bisimulation is decidable for a simple parallel while-language, and we give a sound and relatively complete proof system for deriving noninterference assertions. The completeness proof provides an effective proof search strategy. Moreover, we show that common alternative noninterference relations based on traces or input-output relations are undecidable. The first part of the paper is cast in terms of multi-level security. In the second part we generalize the setting to accommodate a form of intransitive interference. We discuss the model and show how the decidability and proof system results generalize to this richer setting.
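The abstract contrasts strong low bisimulation with noninterference relations based on traces or input-output behaviour. As an added illustration (example code, not from the paper, which does not reproduce the paper's parallel language or its proof system), the Python below defines a tiny deterministic while-language over two boolean variables, l (public) and h (secret), and brute-forces two checks on constructed sample programs: a sound but incomplete test that a program is strongly low-bisimilar to itself, and termination-insensitive input/output noninterference. The finite boolean domain is what makes enumeration possible here; the paper's decidability result is relative to a decidable expression theory and does not rely on enumeration.

```python
from itertools import product

# Commands: ("skip",) | ("assign", var, expr) | ("seq", c1, c2)
#           | ("if", expr, c1, c2) | ("while", expr, body)
# Expressions: an int literal, a variable name, or ("not", expr).
# Every variable ranges over {0, 1}, so all state spaces are finite.

def ev(e, st):                             # int literal | variable | ("not", e)
    if isinstance(e, int):
        return e
    return st[e] if isinstance(e, str) else 1 - ev(e[1], st)

def step(cmd, st):
    """One small step. Returns (residual command or None if terminated, new state)."""
    kind = cmd[0]
    if kind == "skip":
        return None, st
    if kind == "assign":
        new = dict(st)
        new[cmd[1]] = ev(cmd[2], st)
        return None, new
    if kind == "seq":
        c1, st = step(cmd[1], st)
        return (cmd[2] if c1 is None else ("seq", c1, cmd[2])), st
    if kind == "if":
        return (cmd[2] if ev(cmd[1], st) else cmd[3]), st
    # "while": unfold once; the state is unchanged by this step
    return ("if", cmd[1], ("seq", cmd[2], cmd), ("skip",)), st

def all_states(variables):
    return [dict(zip(variables, v)) for v in product((0, 1), repeat=len(variables))]

def low_equal(s, t, low):
    return all(s[v] == t[v] for v in low)

def residuals(cmd, variables):
    """Every command reachable from cmd under any state (finite: sub-terms and loop unfoldings)."""
    todo, seen = [cmd], set()
    while todo:
        c = todo.pop()
        if c is None or c in seen:
            continue
        seen.add(c)
        todo.extend(step(c, st)[0] for st in all_states(variables))
    return seen

def strong_low_bisim(cmd, variables, low):
    """Sound but incomplete check that cmd is strongly low-bisimilar to itself: the
    identity relation on reachable residuals must be a strong low bisimulation, so from
    EVERY pair of low-equal states (not only reachable ones) each residual must step to
    the same residual with low-equal results. Bisimilar but syntactically different
    residuals are rejected; that is the incompleteness. Returns (ok, witness)."""
    states = all_states(variables)
    for c in residuals(cmd, variables):
        for s, t in product(states, repeat=2):
            if not low_equal(s, t, low):
                continue
            cs, ss = step(c, s)
            ct, tt = step(c, t)
            if cs != ct:
                return False, f"{c} from {s} vs {t}: residuals differ (timing/termination)"
            if not low_equal(ss, tt, low):
                return False, f"{c} from {s} vs {t}: low state differs after one step"
    return True, None

def run(cmd, st, fuel=200):
    """Run to termination; None if fuel is exhausted (treated as divergence)."""
    while cmd is not None and fuel:
        cmd, st = step(cmd, st)
        fuel -= 1
    return st if cmd is None else None

def io_noninterferent(cmd, variables, low):
    """Termination-insensitive I/O noninterference: terminating runs from low-equal inputs end low-equal."""
    for s, t in product(all_states(variables), repeat=2):
        if low_equal(s, t, low):
            fs, ft = run(cmd, s), run(cmd, t)
            if fs is not None and ft is not None and not low_equal(fs, ft, low):
                return False
    return True

VARS, LOW = ("l", "h"), ("l",)             # l is public, h is secret
PROGRAMS = {                               # constructed samples, not taken from the paper
    "l := h": ("assign", "l", "h"),
    "l := h; l := 0": ("seq", ("assign", "l", "h"), ("assign", "l", 0)),
    "if h then skip else (skip; skip)": ("if", "h", ("skip",), ("seq", ("skip",), ("skip",))),
    "while h do h := 0": ("while", "h", ("assign", "h", 0)),
    "l := not l; h := l": ("seq", ("assign", "l", ("not", "l")), ("assign", "h", "l")),
    "while l do l := 0": ("while", "l", ("assign", "l", 0)),
}

def classify(cmd, variables=VARS, low=LOW):
    """(strongly low-bisimilar to itself?, I/O noninterferent?)"""
    return strong_low_bisim(cmd, variables, low)[0], io_noninterferent(cmd, variables, low)

if __name__ == "__main__":
    for name, cmd in PROGRAMS.items():
        slb, io = classify(cmd)
        print(f"{name:36} strong-low-bisim={slb!s:5} io-noninterferent={io}")
```

Three of the samples pass the input/output check yet fail the bisimulation check: `l := h; l := 0` because the intermediate low state depends on h, `if h then skip else (skip; skip)` because the branches take different numbers of steps, and `while h do h := 0` because a high guard decides whether the loop body runs at all. Strong low bisimulation is lockstep and quantifies over all low-equal states at every residual, so it is timing- and termination-sensitive by construction, which is also why it is compositional and decidable in a way the trace- and I/O-based relations named in the abstract are not.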
REFERENCES
- J. Agat. Transforming out timing leaks. In Proc. 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), pages 40--53, Boston, MA, January 2000. ACM.
- T. Amtoft, S. Bandhakavi, and A. Banerjee. A logic for information flow analysis of pointer programs. In Proc. POPL'06. ACM, 2006.
- G. Barthe and T. Rezk. Non-interference for a JVM-like language. In Proc. ACM SIGPLAN International Workshop on Types in Languages Design and Implementation (TLDI), pages 103--112. ACM, 2005.
- D. E. Bell and L. J. LaPadula. Secure computer systems: Unified exposition and MULTICS interpretation. Technical Report MTR-2997, MITRE Corp., Bedford, Mass., USA, June 1976.
- G. Boudol and I. Castellani. Noninterference for concurrent programs and thread systems. Theor. Comput. Sci., 281(1--2):109--130, 2002.
- G. Boudol and A. Matos. On declassification and the non-disclosure policy. In Proc. Computer Security Foundations Workshop, pages 226--240, 2005.
- S. Chong and A. C. Myers. Security policies for downgrading. In Proc. ACM Conference on Computer and Communications Security, pages 198--209, 2004.
- S. Christensen, Y. Hirshfeld, and F. Moller. Bisimulation equivalence is decidable for basic parallel processes. In Proc. CONCUR'93, volume 715 of Lecture Notes in Computer Science, pages 143--157. Springer, 1993.
- M. Dam and P. Giambiagi. Confidentiality for mobile code: The case of a simple payment protocol. In Proc. Computer Security Foundations Workshop, pages 233--244, 2000.
- Á. Darvas, R. Hähnle, and D. Sands. A theorem proving approach to analysis of secure information flow. In Proc. Second International Conference on Security in Pervasive Computing, volume 3450 of Lecture Notes in Computer Science, pages 193--209. Springer, 2005.
- D. E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236--243, 1976.
- D. E. Denning and P. J. Denning. Certification of programs for secure information flow. Communications of the ACM, 20(7):504--513, July 1977.
- R. Focardi and R. Gorrieri. A classification of security properties for process algebras. Journal of Computer Security, 3(1):5--33, 1995.
- R. Focardi and S. Rossi. Information flow security in dynamic contexts. In Proc. 15th Computer Security Foundations Workshop, pages 307--319, 2002.
- R. Focardi, S. Rossi, and A. Sabelfeld. Bridging language-based and process calculi security. In Proc. FoSSaCS, pages 299--315, 2005.
- S. Genaim and F. Spoto. Information flow analysis for Java bytecode. In Proc. VMCAI'05, volume 3385 of Lecture Notes in Computer Science, pages 346--362. Springer, 2005.
- P. Giambiagi and M. Dam. On the secure implementation of security protocols. Sci. Comput. Program., 50(1--3):73--99, 2004.
- J. A. Goguen and J. Meseguer. Security policies and security models. In Proc. 1982 IEEE Symposium on Security and Privacy, pages 11--20, Oakland, CA, 1982.
- N. Heintze and J. G. Riecke. The SLam calculus: Programming with secrecy and integrity. In Proc. POPL'98, pages 365--377, 1998.
- P. Li and S. Zdancewic. Downgrading policies and relaxed noninterference. In Proc. POPL'05, pages 158--170, 2005.
- H. Mantel. Possibilistic definitions of security -- an assembly kit --. In Proc. Computer Security Foundations Workshop, pages 185--199, 2000.
- H. Mantel. Information flow control and applications -- bridging a gap. In Proc. FME, pages 153--172, 2001.
- H. Mantel and D. Sands. Controlled declassification based on intransitive noninterference. In Proc. APLAS, pages 129--145, 2004.
- R. Medel, A. B. Compagnoni, and E. Bonelli. A typed assembly language for non-interference. In Proc. Italian Conference on Theoretical Computer Science, volume 3701 of Lecture Notes in Computer Science, pages 360--374. Springer, 2005.
- R. Milner. Communication and Concurrency. Prentice-Hall, 1989.
- J. Rushby. Noninterference, transitivity, and channel-control security policies. Technical Report CSL-92-2, Stanford Research Institute, 1992.
- A. Sabelfeld. Confidentiality for multithreaded programs via bisimulation. In Proc. 5th A. Ershov International Conference on Perspectives of System Informatics, volume 2890 of Lecture Notes in Computer Science, pages 260--274. Springer, 2003.
- A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 21(1):5--19, January 2003.
- A. Sabelfeld and A. C. Myers. A model for delimited information release. In Proc. International Symposium on Software Security, volume 3233 of Lecture Notes in Computer Science, pages 174--191. Springer, 2003.
- A. Sabelfeld and D. Sands. Probabilistic noninterference for multi-threaded programs. In Proc. Computer Security Foundations Workshop, pages 200--214, 2000.
- A. Sabelfeld and D. Sands. A PER model of secure information flow in sequential programs. Higher-Order and Symbolic Computation, 14(1):59--91, 2001.
- A. Sabelfeld and D. Sands. Dimensions and principles of declassification. In Proc. 18th Computer Security Foundations Workshop, pages 255--269, 2005.
- G. Smith and D. Volpano. Secure information flow in a multi-threaded imperative language. In Proc. POPL'98, pages 355--364, 1998.
- T. Terauchi and A. Aiken. Secure information flow as a safety problem. In Proc. SAS'05, volume 3672 of Lecture Notes in Computer Science, pages 352--367. Springer, 2005.
- D. Volpano and G. Smith. Probabilistic noninterference in a concurrent language. In Proc. 11th IEEE Computer Security Foundations Workshop, pages 34--43, Rockport, MA, June 1998.
- D. Volpano, G. Smith, and C. Irvine. A sound type system for secure flow analysis. Journal of Computer Security, 4(3):167--187, 1996.
- L. Zheng and A. C. Myers. Dynamic security labels and noninterference. In Proc. 2nd IFIP TC1 WG1.7 Workshop on Formal Aspects in Security and Trust (FAST), pages 27--40, 2004.
Decidability and proof systems for language-based noninterference relations
Published in: Proceedings of the 2006 POPL Conference