skip to main content
article
Free Access

Run-time principals in information-flow type systems

Published:01 November 2007Publication History
Skip Abstract Section

Abstract

Information-flow type systems are a promising approach for enforcing strong end-to-end confidentiality and integrity policies. Such policies, however, are usually specified in terms of static information—data is labeled high or low security at compile time. In practice, the confidentiality of data may depend on information available only while the system is running.

This article studies language support for run-time principals, a mechanism for specifying security policies that depend on which principals interact with the system. We establish the basic property of noninterference for programs written in such language, and use run-time principals for specifying run-time authority in downgrading mechanisms such as declassification.

In addition to allowing more expressive security policies, run-time principals enable the integration of language-based security mechanisms with other existing approaches such as Java stack inspection and public key infrastructures. We sketch an implementation of run-time principals via public keys such that principal delegation is verified by certificate chains.

References

  1. Abadi, M. 1998. On SDSI's linked local name spaces. J. Comput. Secur. 6, 1-2, 3--21. Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. Abadi, M., Banerjee, A., Heintze, N., and Riecke, J. 1999. A core calculus of dependency. In Proceedings of the 26th ACM Symposium on Principles of Programming Languages (POPL) (San Antonio, TX), ACM, New York, 147--160. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. Abadi, M., Burrows, M., Lampson, B. W., and Plotkin, G. D. 1993. A calculus for access control in distributed systems. ACM Trans. Prog. Lang. Syst. 15, 4 (Sept.), 706--734. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. Agat, J. 2000. Transforming out timing leaks. In Proceedings of the 27th Annual ACM Symposium on Principles of Programming Languages (POPL) (Boston, MA). ACM, New York, 40--53. Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. Aspinall, D. 1994. Subtyping with singleton types. Comput. Sci. Logic. 1--15. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. Banerjee, A. and Naumann, D. A. 2002. Secure information flow and pointer confinement in a java-like language. In Proceedings of the 15th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, Los Alamitos, CA. 253--267. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. Banerjee, A. and Naumann, D. A. 2003. Using access control for secure information flow in a Java-like language. In Proceedings of the 16th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, Los Alamitos, CA. 155--169.Google ScholarGoogle Scholar
  8. Chothia, T., Duggan, D., and Vitek, J. 2003. Type-based distributed access control. In Proceedings of the IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, Los Alamitos, CA. 170.Google ScholarGoogle Scholar
  9. Crary, K., Kliger, A., and Pfenning, F. 2004. A monadic analysis of information flow security with mutable sate. J. Funct. Prog. 15, 2 (Mar.), 249--291. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Crary, K., Walker, D., and Morrisett, G. 1999. Typed memory management in a calculus of capabilities. In Proceedings of the 26th ACM Symposium on Principles of Programming Languages (POPL) (San Antonio, TX). ACM, New York, 262--275. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. Crary, K., Weirich, S., and Morrisett, G. 2002. Intensional polymorphism in type erasure semantics. J. Funct. Prog. 12, 6 (Nov.), 567--600. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. Fournet, C. and Gordon, A. 2002. Stack inspection: Theory and variants. In Proceedings of the 29th ACM Symposium on Principles of Programming Languages (POPL). ACM, New York, 307--318. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. Gasser, M. and McDermott, E. 1990. An architecture for practical delegation in a distributed system. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, CA, 20--30.Google ScholarGoogle ScholarCross RefCross Ref
  14. Goguen, J. A. and Meseguer, J. 1982. Security policies and security models. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, CA, 11--20.Google ScholarGoogle Scholar
  15. Gunter, C. A. and Jim, T. 2000. Generalized certificate revocation. In Procedings of the 27th ACM Symposium on Principles of Programming Languages (POPL) (Boston, MA). ACM, New York, 316--329. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Heintze, N. and Riecke, J. G. 1998. The SLam calculus: Programming with secrecy and integrity. In Proceedings of the 25th ACM Symposium on Principles of Programming Languages (POPL). (San Diego, CA). ACM, New York, 365--377. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. Howell, J. and Kotz, D. 2000. End-to-end authorization. In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation (OSDI). 151--164. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. Jim, T. 2001. SD3: A trust management system with certificate revocation. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, CA, 106--115. Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. Jouvelot, P., and Gifford, D. K. 1991. Algebraic reconstruction of types and effects. In Proceedings of the ACM Symposium on Principles of Programming Languages. ACM, New York, 303--310. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. Li, P., Mao, Y., and Zdancewic, S. 2003. Information integrity policies. In Proceedings of the Workshop on Formal Aspects in Security & Trust (FAST). 53--70.Google ScholarGoogle Scholar
  21. Mitchell, J. C. 1996. Foundations for Programming Languages. Foundations of Computing Series. The MIT Press, Cambridge, MA. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. Myers, A. C., Chong, S., Nystrom, N., Zheng, L., and Zdancewic, S. 1999. Jif: Java information flow. http://www.cs.cothell.edu/sit.Google ScholarGoogle Scholar
  23. Myers, A. C. and Liskov, B. 1998. Complete, safe information flow with decentralized labels. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, CA). 186--197.Google ScholarGoogle Scholar
  24. Myers, A. C. and Liskov, B. 2000. Protecting privacy using the decentralized label model. ACM Trans. Softw. Eng. Meth. 9, 4, 410--442. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. Myers, A. C., Sabelfeld, A., and, Zdancewic, S. 2004. Enforcing robust declassification. In Proceedings of the IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, Los Alamitos, CA, 172--186. Google ScholarGoogle ScholarCross RefCross Ref
  26. Myers, A. C., Sabelfeld, A., and Zdancewic, S. 2006. Enforcing robust declassification and qualified robustness. J. Comput. Secur. 14, 2, 157--196. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. Pierce, B. C. 2002. Types and Programming Languages. MIT Press, Cambridge, MA. Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. Pitts, A. 1998. Existential types: Logical relations and operational equivalence. In Proceedings of the International Colloquium on Automata, Languages and Programming. 309--326. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. Pottier, F. and Conchon, S. 2000. Information flow inference for free. In Proceedings of the 5th ACM SIGPLAN International Conference on Functional Programming (ICFP). ACM, New York, 46--57. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. Pottier, F. and Simonet, V. 2002. Information flow inference for ML. In Proceedings of the 29th ACM Symposium on Principles of Programming Languages (POPL) (Portland, Oregon). ACM, New York, 319--330. Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. Pottier, F., Skalka, C., and Smith, S. F. 2001. A systematic approach to static access control. In Proceedings of the European Symposium on Programming. 344--382. Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. Sabelfeld, A. and Myers, A. C. 2003. Language-based information-flow security. IEEE J. Sel. Areas Commun. 21, 1 (Jan.), 5--19.Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. Sabelfeld, A. and Sands, D. 2001. A PER model of secure information flow in sequential programs. Higher-Order Symb. Comput. 14, 1 (Mar.), 59--91. Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. Simonet, V. 2003. Flow caml in a nutshell. In Proceedings of the 1st APPSEM-II Workshop, G. Hutton, Ed. 152--165.Google ScholarGoogle Scholar
  35. Simonet, V. and Pottier, F. 2007. Constraint-based type inference with guarded algebraic data types. ACM Trans. Prog. Lang. Syst. 29,1. Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. Tse, S. and Zdancewic, S. 2004. Run-time principals in information-flow type systems. In Proceedings of the IEEE Symposium on Security and Privacy.Google ScholarGoogle Scholar
  37. Tse, S. and Zdancewic, S. 2005. Designing a security-typed language with certificate-based declassification. In Proceedings of the European Symposium on Programming. Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. Volpano, D., Smith, G., and Irvine, C. 1996. A sound type system for secure flow analysis. J. Comput. Sec. 4, 3, 167--187. Google ScholarGoogle ScholarDigital LibraryDigital Library
  39. Wadler, P. 1989. Theorems for free! In Proceedings of the ACM Symposium on Functional Programming Languages and Computer Architecture. ACM, New York, 347--359. Google ScholarGoogle ScholarDigital LibraryDigital Library
  40. Wallach, D. S., Appel, A. W., and Felten, E. W. 2000. The security architecture formerly known as stack inspection: A security mechanism for language-based systems. ACM Trans. Softw. Eng. Method. 9, 4 (Oct.), 341--378. Google ScholarGoogle ScholarDigital LibraryDigital Library
  41. Wallach, D. S. and Felten, E. W. 1998. Understanding Java stack inspection. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, CA). ACM, New York, 52--63.Google ScholarGoogle Scholar
  42. Zdancewic, S. 2003. A type system for robust declassification. In Proceedings of the 19th Conference on the Mathematical Foundations of Programming Semantics. Electronic Notes in Theoretical Computer Science.Google ScholarGoogle ScholarDigital LibraryDigital Library
  43. Zdancewic, S. and Myers, A. C. 2001. Secure information flow and CPS. In Proceedings of the 10th European Symposium on Programming. Lecture Notes in Computer Science, vol. 2028. Springer Verlag, New York, 46--61. Google ScholarGoogle ScholarDigital LibraryDigital Library
  44. Zdancewic, S. and Myers, A. C. 2002. Secure information flow via linear continuations. High. Order Symb. Comput. 15, 2/3, 209--234. Google ScholarGoogle ScholarDigital LibraryDigital Library
  45. Zheng, L. and Myers, A. C. 2004. Dynamic security labels and noninterference. In Formal Aspects in Security and Trust.Google ScholarGoogle Scholar

Index Terms

  1. Run-time principals in information-flow type systems

    Recommendations

    Comments

    Login options

    Check if you have access through your login credentials or your institution to get full access on this article.

    Sign in

    Full Access

    PDF Format

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader
    About Cookies On This Site

    We use cookies to ensure that we give you the best experience on our website.

    Learn more

    Got it!