Abstract
Many organizations specify information release policies to describe the terms under which sensitive information may be released to other organizations. This paper presents a new approach for ensuring that security-critical software correctly enforces its information release policy. Our approach has two parts. First, an information release policy is specified as a security automaton written in a new language called AIR. Second, we enforce an AIR policy by translating it into an API for programs written in λAIR, a core formalism for a functional programming language. λAIR uses a novel combination of dependent, affine, and singleton types to ensure that the API is used correctly. As a consequence we can certify that programs written in λAIR meet the requirements of the original AIR policy specification.
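The abstract's central idea, that a policy automaton becomes an API whose types reject misuse, can be illustrated with Rust's ownership rules standing in for affine types. This is an added example, not code from the paper or its λAIR API: the three-state release policy, the `Doc<S>` type and its methods are constructed for illustration and show only the affine/typestate part of the approach, not its dependent or singleton types.

```rust
// Added example (not from the paper): a small stateful information release
// policy encoded as a security automaton in Rust's type system. Ownership
// plays the role of affine types: every transition consumes the old state,
// and release is only defined in the Approved state, so a program that
// skips review or approval, or releases twice, does not compile.
use std::marker::PhantomData;

/// Automaton states, as zero-sized marker types (constructed policy).
pub struct Drafted;
pub struct Reviewed;
pub struct Approved;

/// A sensitive document tagged with its current automaton state.
pub struct Doc<S> {
    pub body: String,
    _state: PhantomData<S>,
}

impl Doc<Drafted> {
    pub fn new(body: &str) -> Self {
        Doc { body: body.to_string(), _state: PhantomData }
    }
    /// Transition Drafted -> Reviewed: the reviewer redacts a flagged fragment.
    pub fn review(self, redact: &str) -> Doc<Reviewed> {
        Doc { body: self.body.replace(redact, "[REDACTED]"), _state: PhantomData }
    }
}

impl Doc<Reviewed> {
    /// Transition Reviewed -> Approved: the approver signs off once.
    pub fn approve(self) -> Doc<Approved> {
        Doc { body: self.body, _state: PhantomData }
    }
}

impl Doc<Approved> {
    /// Release consumes the approved document: one approval permits exactly
    /// one release. No `release` exists on Doc<Drafted> or Doc<Reviewed>.
    pub fn release(self) -> String {
        self.body
    }
}

/// The only well-typed path through the automaton: draft, review, approve, release.
pub fn release_after_review(body: &str, redact: &str) -> String {
    Doc::new(body).review(redact).approve().release()
}
```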
Verified enforcement of stateful information release policies. PLAS '08: Proceedings of the third ACM SIGPLAN workshop on Programming languages and analysis for security.