Abstract
We demonstrate, by a number of examples, that information flow security properties can be proved from abstract architectural descriptions, which describe only the causal structure of a system and local properties of trusted components. We specify these architectural descriptions of systems by generalizing intransitive noninterference policies to admit the ability to filter information passed between communicating domains. A notion of refinement of such system architectures is developed that supports top-down development of architectural specifications and proofs by abstraction of information security properties. We also show that, in a concrete setting where the causal structure is enforced by access control, a static check of the access control setting plus local verification of the trusted components is sufficient to prove that a generalized intransitive noninterference policy is satisfied.
Supplemental Material: supplemental movie, appendix, image and software files for "Using Architecture to Reason about Information Security" are available for download.