Using Architecture to Reason about Information Security

Published:09 December 2015Publication History
Abstract

We demonstrate, by a number of examples, that information flow security properties can be proved from abstract architectural descriptions, which describe only the causal structure of a system and local properties of trusted components. We specify these architectural descriptions of systems by generalizing intransitive noninterference policies to admit the ability to filter information passed between communicating domains. A notion of refinement of such system architectures is developed that supports top-down development of architectural specifications and proofs by abstraction of information security properties. We also show that, in a concrete setting where the causal structure is enforced by access control, a static check of the access control setting plus local verification of the trusted components is sufficient to prove that a generalized intransitive noninterference policy is satisfied.
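The last sentence of the abstract describes a concrete setting in which domains can only communicate through objects they are granted read or write access to, so that the causal structure of the system is fixed by the access-control setting. The following is an added illustration of that static check, not code or formal definitions from the paper: it derives every domain-to-domain flow an access-control matrix makes possible (domain u may write an object that domain v may read) and compares those flows against an intransitive policy in which a trusted downgrader D may pass information from H to L while H is forbidden from reaching L directly. Domain names, object names, and the two access-control settings are constructed for the example. The separate obligation that the trusted component D actually applies the intended filter is the "local verification" the abstract refers to and is not modelled here.

```python
"""Static check of an access-control setting against an intransitive flow policy.

Added illustration, not the paper's own code. It models the setting sketched
in the abstract: domains communicate only through objects they may read or
write, so the flows the system can realise are fixed by the access matrix and
can be compared against a (possibly intransitive) noninterference policy.
All domain and object names below are constructed for the example.
"""
from typing import Dict, Set, Tuple

Flow = Tuple[str, str]          # (source domain, destination domain)
Acl = Dict[str, Dict[str, Set[str]]]   # acl[domain] = {"read": objs, "write": objs}

# Constructed intransitive policy: H may send to the downgrader D, and D may
# send to L, but H may not reach L except via D.
POLICY: Set[Flow] = {("H", "D"), ("D", "L")}

# Constructed access-control setting that realises exactly the policy.
GOOD_ACL: Acl = {
    "H": {"read": set(), "write": {"hi_out"}},
    "D": {"read": {"hi_out"}, "write": {"lo_in"}},
    "L": {"read": {"lo_in"}, "write": set()},
}

# Constructed misconfiguration: L has been granted read access to H's output
# object, which opens a direct H -> L channel the policy does not permit.
BAD_ACL: Acl = {
    "H": {"read": set(), "write": {"hi_out"}},
    "D": {"read": {"hi_out"}, "write": {"lo_in"}},
    "L": {"read": {"lo_in", "hi_out"}, "write": set()},
}


def induced_flows(acl: Acl) -> Set[Flow]:
    """Flows the access matrix makes possible: u -> v whenever some object is
    writable by u and readable by v.  Flows from a domain to itself are
    omitted since every sensible policy is reflexive."""
    flows: Set[Flow] = set()
    for u, u_rights in acl.items():
        writable = u_rights.get("write", set())
        for v, v_rights in acl.items():
            if u != v and writable & v_rights.get("read", set()):
                flows.add((u, v))
    return flows


def violations(acl: Acl, policy: Set[Flow]) -> Set[Flow]:
    """Induced flows that the policy does not permit.  An empty result means
    the access-control setting cannot realise any flow outside the policy;
    what the trusted domains do with the data they may legitimately read
    is the separate, local verification obligation."""
    return {flow for flow in induced_flows(acl) if flow not in policy}


def is_transitive(policy: Set[Flow]) -> bool:
    """True if a -> b and b -> c always imply a -> c.  A policy with a
    downgrader is deliberately intransitive."""
    for a, b in policy:
        for b2, c in policy:
            if b == b2 and a != c and (a, c) not in policy:
                return False
    return True


def main() -> None:
    print("policy transitive:", is_transitive(POLICY))
    print("good setting violations:", violations(GOOD_ACL, POLICY))
    print("bad setting violations:", violations(BAD_ACL, POLICY))


if __name__ == "__main__":
    main()
```

Running the script reports the policy as intransitive, no violations for the first setting, and the single forbidden flow ("H", "L") for the misconfigured one, which is precisely the kind of channel the static check is meant to catch before any reasoning about the downgrader's code is needed.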
