Verified enforcement of stateful information release policies

Published: 28 February 2009

Abstract

Many organizations specify information release policies to describe the terms under which sensitive information may be released to other organizations. This paper presents a new approach for ensuring that security-critical software correctly enforces its information release policy. Our approach has two parts. First, an information release policy is specified as a security automaton written in a new language called AIR. Second, we enforce an AIR policy by translating it into an API for programs written in λAIR, a core formalism for a functional programming language. λAIR uses a novel combination of dependent, affine, and singleton types to ensure that the API is used correctly. As a consequence we can certify that programs written in λAIR meet the requirements of the original AIR policy specification.
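The enforcement idea in the abstract, as an added illustration that is neither the paper's λAIR nor its AIR policy language: a constructed release policy (a report may go to a partner organisation only after an authorised reviewer has approved it for that partner, and at most once) is written down as a small security automaton and exposed as a Rust API whose types track the automaton state. Rust's ownership rules play the role of affine types (a consumed state token cannot be used again), the state-indexed `Report<S>` type plays the role of singleton types, and the partner name is checked at run time where a dependent type would fix it statically. The reviewer list, the report contents and the organisation names are all constructed sample data.

```rust
// Added example (not λAIR): the release policy as a typestate automaton
//   Draft --approve(reviewer, partner)--> Approved{partner} --release(partner)--> record
// Out-of-order use of the API is rejected by the Rust compiler, not by a
// run-time monitor.

/// Constructed list of reviewers authorised to approve a release.
const AUTHORISED_REVIEWERS: &[&str] = &["alice", "bob"];

/// Automaton state: not yet approved. Carries no data.
#[derive(Debug)]
pub struct Draft;

/// Automaton state: approved for exactly one partner organisation.
#[derive(Debug)]
pub struct Approved {
    reviewer: String,
    partner: String,
}

/// A sensitive document tagged with its automaton state `S`.
/// `Report<Draft>` and `Report<Approved>` are distinct types, so each
/// method below exists only in the state where the policy allows it.
#[derive(Debug)]
pub struct Report<S> {
    pub id: u32,
    body: String,
    state: S,
}

#[derive(Debug, PartialEq)]
pub enum PolicyError {
    UnauthorisedReviewer(String),
    WrongPartner { approved_for: String, requested: String },
}

/// Evidence that a release happened. Only `Report<Approved>::release` builds one.
#[derive(Debug, PartialEq)]
pub struct ReleaseRecord {
    pub report_id: u32,
    pub reviewer: String,
    pub partner: String,
    pub bytes_released: usize,
}

impl Report<Draft> {
    pub fn new(id: u32, body: &str) -> Self {
        Report { id, body: body.to_string(), state: Draft }
    }

    /// Draft -> Approved. Takes `self` by value so no `Report<Draft>` handle to
    /// the same data survives; a refused approval hands the draft back unchanged.
    pub fn approve(self, reviewer: &str, partner: &str)
        -> Result<Report<Approved>, (PolicyError, Report<Draft>)> {
        if !AUTHORISED_REVIEWERS.contains(&reviewer) {
            return Err((PolicyError::UnauthorisedReviewer(reviewer.to_string()), self));
        }
        Ok(Report {
            id: self.id,
            body: self.body,
            state: Approved { reviewer: reviewer.to_string(), partner: partner.to_string() },
        })
    }
}

impl Report<Approved> {
    /// Approved -> released. Consuming `self` makes a second release of the same
    /// approval a compile-time use-after-move error. A release to a partner other
    /// than the approved one is refused and the approved report handed back.
    pub fn release(self, partner: &str)
        -> Result<ReleaseRecord, (PolicyError, Report<Approved>)> {
        if self.state.partner != partner {
            let err = PolicyError::WrongPartner {
                approved_for: self.state.partner.clone(),
                requested: partner.to_string(),
            };
            return Err((err, self));
        }
        Ok(ReleaseRecord {
            report_id: self.id,
            reviewer: self.state.reviewer,
            partner: self.state.partner,
            bytes_released: self.body.len(),
        })
    }
}

/// One full run of the automaton on a constructed report: approve it for
/// `approved_for`, then attempt a release to `requested`.
pub fn run_policy(reviewer: &str, approved_for: &str, requested: &str)
    -> Result<ReleaseRecord, PolicyError> {
    let draft = Report::new(42, "Q3 revenue breakdown (constructed sample)");
    // Does not type-check: `Report<Draft>` has no `release` method.
    // let _ = draft.release(requested);
    let approved = draft.approve(reviewer, approved_for).map_err(|(e, _)| e)?;
    let record = approved.release(requested).map_err(|(e, _)| e);
    // Does not type-check either: `approved` was moved into `release`.
    // let _ = approved.release(requested);
    record
}

/// Drives three constructed cases and returns one trace line per case.
pub fn demo() -> Vec<String> {
    let cases = [("mallory", "acme", "acme"), ("alice", "acme", "globex"), ("alice", "acme", "acme")];
    cases.iter().map(|&(r, a, q)| match run_policy(r, a, q) {
        Ok(rec) => format!("released {} bytes of report {} to {} (approved by {})",
                           rec.bytes_released, rec.report_id, rec.partner, rec.reviewer),
        Err(e) => format!("refused: {e:?}"),
    }).collect()
}

fn main() {
    for line in demo() { println!("{line}"); }
}
```

The two commented-out calls in `run_policy` are the point of the encoding: a release from the Draft state and a second release of one approval are both type errors, so a program that compiles cannot take those transitions. What the type system does not do here is tie the partner named at `release` to the one named at `approve`; that check runs at run time, which is exactly the gap the abstract's dependent types are meant to close.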

