Abstract
Information-flow type systems are a promising approach for enforcing strong end-to-end confidentiality and integrity policies. Such policies, however, are usually specified in terms of static information—data is labeled high or low security at compile time. In practice, the confidentiality of data may depend on information available only while the system is running.
This article studies language support for run-time principals, a mechanism for specifying security policies that depend on which principals interact with the system. We establish the basic property of noninterference for programs written in such a language, and use run-time principals for specifying run-time authority in downgrading mechanisms such as declassification.
In addition to allowing more expressive security policies, run-time principals enable the integration of language-based security mechanisms with other existing approaches such as Java stack inspection and public key infrastructures. We sketch an implementation of run-time principals via public keys such that principal delegation is verified by certificate chains.
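To make the sketched mechanism concrete, here is an added toy model (not code from the paper): principals, a delegation ("acts-for") relation decided at run time from a chain of certificates, a decentralized-style label check, and a declassification step that requires the owner's run-time authority. Signatures are simulated with HMAC over constructed per-principal secrets, which is an assumption standing in for the public-key signatures the paper sketches.

```python
# Added example, not from the paper: run-time principals whose acts-for
# relation is checked from certificates. HMAC over constructed per-principal
# secrets stands in for public-key signatures (an assumption of this example).
import hashlib
import hmac

# Constructed stand-ins for each principal's signing key.
KEYS = {"alice": b"key-alice", "bob": b"key-bob", "carol": b"key-carol"}

def sign(issuer, statement):
    return hmac.new(KEYS[issuer], statement.encode(), hashlib.sha256).hexdigest()

def make_cert(issuer, delegate):
    # "delegate acts for issuer", signed by the issuer, who alone may delegate.
    stmt = f"{delegate} actsfor {issuer}"
    return {"issuer": issuer, "delegate": delegate, "sig": sign(issuer, stmt)}

def cert_valid(cert):
    stmt = f"{cert['delegate']} actsfor {cert['issuer']}"
    return cert["issuer"] in KEYS and hmac.compare_digest(
        cert["sig"], sign(cert["issuer"], stmt))

def acts_for(certs, p, q):
    """p acts for q iff p == q or valid certificates chain from q to p
    (q delegates to x, x delegates to ..., ... delegates to p)."""
    seen, frontier = set(), [q]
    while frontier:
        cur = frontier.pop()
        if cur == p:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        frontier += [c["delegate"] for c in certs
                     if cert_valid(c) and c["issuer"] == cur]
    return False

def can_read(certs, label, ctx):
    """Label {owner: readers}: a context may read if it acts for the owner
    or for one of the readers, decided by the run-time delegation state."""
    return acts_for(certs, ctx, label["owner"]) or any(
        acts_for(certs, ctx, r) for r in label["readers"])

def declassify(certs, label, ctx, new_readers):
    """Downgrading needs the owner's run-time authority: only a context that
    acts for the owner may widen the reader set."""
    if not acts_for(certs, ctx, label["owner"]):
        raise PermissionError(f"{ctx} lacks authority of {label['owner']}")
    return {"owner": label["owner"], "readers": label["readers"] | set(new_readers)}
```

A certificate whose signature does not verify contributes no edge, so a forged delegation cannot grant read or declassification authority.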
Run-time principals in information-flow type systems