skip to main content
research-article
Open Access

Compositional Security Definitions for Higher-Order Where Declassification

Published:06 April 2023Publication History
Skip Abstract Section

Abstract

To ensure programs do not leak private data, we often want to be able to provide formal guarantees ensuring such data is handled correctly. Often, we cannot keep such data secret entirely; instead programmers specify how private data may be declassified. While security definitions for declassification exist, they mostly do not handle higher-order programs. In fact, in the higher-order setting no compositional security definition exists for intensional information-flow properties such as where declassification, which allows declassification in specific parts of a program. We use logical relations to build a model (and thus security definition) of where declassification. The key insight required for our model is that we must stop enforcing indistinguishability once a relevant declassification has occurred. We show that the resulting security definition provides more security than the most related previous definition, which is for the lower-order setting.

References

  1. Amal Ahmed. 2004. Semantics of Types for Mutable State. Ph. D. Dissertation. Princeton University. https://www.ccs.neu.edu/home/amal/ahmedthesis.pdf Google ScholarGoogle Scholar
  2. Amal Ahmed, Derek Dreyer, and Andreas Rossberg. 2009. State-dependent representation independence. In Proceedings of the 36th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2009, Savannah, GA, USA, January 21-23, 2009, Zhong Shao and Benjamin C. Pierce (Eds.). ACM, 340–353. https://doi.org/10.1145/1480881.1480925 Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. Andrew W. Appel and David A. McAllester. 2001. An indexed model of recursive types for foundational proof-carrying code. ACM Trans. Program. Lang. Syst., 23, 5 (2001), 657–683. https://doi.org/10.1145/504709.504712 Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. Aslan Askarov and Andrei Sabelfeld. 2007. Gradual Release: Unifying Declassification, Encryption and Key Release Policies. In 2007 IEEE Symposium on Security and Privacy (S&P 2007), 20-23 May 2007, Oakland, California, USA. IEEE Computer Society, 207–221. https://doi.org/10.1109/SP.2007.22 Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. Aslan Askarov and Andrei Sabelfeld. 2007. Localized delimited release: combining the what and where dimensions of information release. In Proceedings of the 2007 Workshop on Programming Languages and Analysis for Security, PLAS 2007, San Diego, California, USA, June 14, 2007, Michael W. Hicks (Ed.). ACM, 53–60. https://doi.org/10.1145/1255329.1255339 Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. Anindya Banerjee, David A. Naumann, and Stan Rosenberg. 2008. Expressive Declassification Policies and Modular Static Enforcement. In 2008 IEEE Symposium on Security and Privacy (S&P 2008), 18-21 May 2008, Oakland, California, USA. IEEE Computer Society, 339–353. https://doi.org/10.1109/SP.2008.20 Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. Niklas Broberg and David Sands. 2006. Flow Locks: Towards a Core Calculus for Dynamic Flow Policies. In Programming Languages and Systems, 15th European Symposium on Programming, ESOP 2006, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2006, Vienna, Austria, March 27-28, 2006, Proceedings, Peter Sestoft (Ed.) (Lecture Notes in Computer Science, Vol. 3924). Springer, 180–196. https://doi.org/10.1007/11693024_13 Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. Niklas Broberg and David Sands. 2009. Flow-sensitive semantics for dynamic information flow policies. In Proceedings of the 2009 Workshop on Programming Languages and Analysis for Security, PLAS 2009, Dublin, Ireland, 15-21 June, 2009, Stephen Chong and David A. Naumann (Eds.). ACM, 101–112. https://doi.org/10.1145/1554339.1554352 Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. Niklas Broberg and David Sands. 2010. Paralocks: role-based information flow control and beyond. In Proceedings of the 37th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2010, Madrid, Spain, January 17-23, 2010, Manuel V. Hermenegildo and Jens Palsberg (Eds.). ACM, 431–444. https://doi.org/10.1145/1706299.1706349 Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Raimil Cruz, Tamara Rezk, Bernard P. Serpette, and Éric Tanter. 2017. Type Abstraction for Relaxed Noninterference. In 31st European Conference on Object-Oriented Programming, ECOOP 2017, June 19-23, 2017, Barcelona, Spain, Peter Müller (Ed.) (LIPIcs, Vol. 74). Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 7:1–7:27. https://doi.org/10.4230/LIPIcs.ECOOP.2017.7 Google ScholarGoogle ScholarCross RefCross Ref
  11. Dan Frumin, Robbert Krebbers, and Lars Birkedal. 2021. Compositional Non-Interference for Fine-Grained Concurrent Programs. In 42nd IEEE Symposium on Security and Privacy, SP 2021, San Francisco, CA, USA, 24-27 May 2021. IEEE, 1416–1433. https://doi.org/10.1109/SP40001.2021.00003 Google ScholarGoogle ScholarCross RefCross Ref
  12. Lennard Gäher, Michael Sammler, Simon Spies, Ralf Jung, Hoang-Hai Dang, Robbert Krebbers, Jeehoon Kang, and Derek Dreyer. 2022. Simuliris: a separation logic framework for verifying concurrent program optimizations. Proc. ACM Program. Lang., 6, POPL (2022), 1–31. https://doi.org/10.1145/3498689 Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. Simon Oddershede Gregersen, Johan Bay, Amin Timany, and Lars Birkedal. 2021. Mechanized logical relations for termination-insensitive noninterference. Proc. ACM Program. Lang., 5, POPL (2021), 1–29. https://doi.org/10.1145/3434291 Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. Chung-Kil Hur, Derek Dreyer, Georg Neis, and Viktor Vafeiadis. 2012. The marriage of bisimulations and Kripke logical relations. In Proceedings of the 39th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2012, Philadelphia, Pennsylvania, USA, January 22-28, 2012, John Field and Michael Hicks (Eds.). ACM, 59–72. https://doi.org/10.1145/2103656.2103666 Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Ales Bizjak, Lars Birkedal, and Derek Dreyer. 2018. Iris from the ground up: A modular foundation for higher-order concurrent separation logic. J. Funct. Program., 28 (2018), e20. https://doi.org/10.1017/S0956796818000151 Google ScholarGoogle ScholarCross RefCross Ref
  16. Ralf Jung, David Swasey, Filip Sieczkowski, Kasper Svendsen, Aaron Turon, Lars Birkedal, and Derek Dreyer. 2015. Iris: Monoids and Invariants as an Orthogonal Basis for Concurrent Reasoning. In Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2015, Mumbai, India, January 15-17, 2015, Sriram K. Rajamani and David Walker (Eds.). ACM, 637–650. https://doi.org/10.1145/2676726.2676980 Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. Elisavet Kozyri and Fred B. Schneider. 2020. RIF: Reactive information flow labels. J. Comput. Secur., 28, 2 (2020), 191–228. https://doi.org/10.3233/JCS-191316 Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. Peng Li and Steve Zdancewic. 2005. Downgrading policies and relaxed noninterference. In Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2005, Long Beach, California, USA, January 12-14, 2005, Jens Palsberg and Martín Abadi (Eds.). ACM, 158–170. https://doi.org/10.1145/1040305.1040319 Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. Heiko Mantel and David Sands. 2004. Controlled Declassification Based on Intransitive Noninterference. In Programming Languages and Systems: Second Asian Symposium, APLAS 2004, Taipei, Taiwan, November 4-6, 2004. Proceedings, Wei-Ngan Chin (Ed.) (Lecture Notes in Computer Science, Vol. 3302). Springer, 129–145. https://doi.org/10.1007/978-3-540-30477-7_9 Google ScholarGoogle ScholarCross RefCross Ref
  20. Ana Almeida Matos and Gérard Boudol. 2005. On Declassification and the Non-Disclosure Policy. In 18th IEEE Computer Security Foundations Workshop, (CSFW-18 2005), 20-22 June 2005, Aix-en-Provence, France. IEEE Computer Society, 226–240. https://doi.org/10.1109/CSFW.2005.21 Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. Jan Menz, Andrew Hirsch, Peixuan Li, and Deepak Garg. 2023. Compositional Security Definitions for Higher-Order Where Declassification - Technical Appendix. https://gitlab.mpi-sws.org/Quarkbeast/lambda-where-fullproofs/-/raw/main/Technical_Appendix.pdf Google ScholarGoogle Scholar
  22. Minh Ngo, David A. Naumann, and Tamara Rezk. 2020. Type-Based Declassification for Free. In Formal Methods and Software Engineering - 22nd International Conference on Formal Engineering Methods, ICFEM 2020, Singapore, Singapore, March 1-3, 2021, Proceedings, Shang-Wei Lin, Zhe Hou, and Brendan P. Mahony (Eds.) (Lecture Notes in Computer Science, Vol. 12531). Springer, 181–197. https://doi.org/10.1007/978-3-030-63406-3_11 Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. Vineet Rajani and Deepak Garg. 2018. Types for Information Flow Control: Labeling Granularity and Semantic Models. In 31st IEEE Computer Security Foundations Symposium, CSF 2018, Oxford, United Kingdom, July 9-12, 2018. IEEE Computer Society, 233–246. https://doi.org/10.1109/CSF.2018.00024 Google ScholarGoogle ScholarCross RefCross Ref
  24. Andrei Sabelfeld and Andrew C. Myers. 2003. A Model for Delimited Information Release. In Software Security - Theories and Systems, Second Mext-NSF-JSPS International Symposium, ISSS 2003, Tokyo, Japan, November 4-6, 2003, Revised Papers, Kokichi Futatsugi, Fumio Mizoguchi, and Naoki Yonezaki (Eds.) (Lecture Notes in Computer Science, Vol. 3233). Springer, 174–191. https://doi.org/10.1007/978-3-540-37621-7_9 Google ScholarGoogle ScholarCross RefCross Ref
  25. The Coq Development Team. 2022. The Coq Proof Assistant. https://doi.org/10.5281/zenodo.5846982 Google ScholarGoogle ScholarCross RefCross Ref

Index Terms

  1. Compositional Security Definitions for Higher-Order Where Declassification

        Recommendations

        Comments

        Login options

        Check if you have access through your login credentials or your institution to get full access on this article.

        Sign in

        Full Access

        • Article Metrics

          • Downloads (Last 12 months)87
          • Downloads (Last 6 weeks)24

          Other Metrics

        PDF Format

        View or Download as a PDF file.

        PDF

        eReader

        View online with eReader.

        eReader
        About Cookies On This Site

        We use cookies to ensure that we give you the best experience on our website.

        Learn more

        Got it!