Abstract
To ensure programs do not leak private data, we often want to be able to provide formal guarantees ensuring such data is handled correctly. Often, we cannot keep such data secret entirely; instead programmers specify how private data may be declassified. While security definitions for declassification exist, they mostly do not handle higher-order programs. In fact, in the higher-order setting no compositional security definition exists for intensional information-flow properties such as where declassification, which allows declassification in specific parts of a program. We use logical relations to build a model (and thus security definition) of where declassification. The key insight required for our model is that we must stop enforcing indistinguishability once a relevant declassification has occurred. We show that the resulting security definition provides more security than the most related previous definition, which is for the lower-order setting.
- Amal Ahmed. 2004. Semantics of Types for Mutable State. Ph. D. Dissertation. Princeton University. https://www.ccs.neu.edu/home/amal/ahmedthesis.pdf
Google Scholar
- Amal Ahmed, Derek Dreyer, and Andreas Rossberg. 2009. State-dependent representation independence. In Proceedings of the 36th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2009, Savannah, GA, USA, January 21-23, 2009, Zhong Shao and Benjamin C. Pierce (Eds.). ACM, 340–353. https://doi.org/10.1145/1480881.1480925
Google Scholar
Digital Library
- Andrew W. Appel and David A. McAllester. 2001. An indexed model of recursive types for foundational proof-carrying code. ACM Trans. Program. Lang. Syst., 23, 5 (2001), 657–683. https://doi.org/10.1145/504709.504712
Google Scholar
Digital Library
- Aslan Askarov and Andrei Sabelfeld. 2007. Gradual Release: Unifying Declassification, Encryption and Key Release Policies. In 2007 IEEE Symposium on Security and Privacy (S&P 2007), 20-23 May 2007, Oakland, California, USA. IEEE Computer Society, 207–221. https://doi.org/10.1109/SP.2007.22
Google Scholar
Digital Library
- Aslan Askarov and Andrei Sabelfeld. 2007. Localized delimited release: combining the what and where dimensions of information release. In Proceedings of the 2007 Workshop on Programming Languages and Analysis for Security, PLAS 2007, San Diego, California, USA, June 14, 2007, Michael W. Hicks (Ed.). ACM, 53–60. https://doi.org/10.1145/1255329.1255339
Google Scholar
Digital Library
- Anindya Banerjee, David A. Naumann, and Stan Rosenberg. 2008. Expressive Declassification Policies and Modular Static Enforcement. In 2008 IEEE Symposium on Security and Privacy (S&P 2008), 18-21 May 2008, Oakland, California, USA. IEEE Computer Society, 339–353. https://doi.org/10.1109/SP.2008.20
Google Scholar
Digital Library
- Niklas Broberg and David Sands. 2006. Flow Locks: Towards a Core Calculus for Dynamic Flow Policies. In Programming Languages and Systems, 15th European Symposium on Programming, ESOP 2006, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2006, Vienna, Austria, March 27-28, 2006, Proceedings, Peter Sestoft (Ed.) (Lecture Notes in Computer Science, Vol. 3924). Springer, 180–196. https://doi.org/10.1007/11693024_13
Google Scholar
Digital Library
- Niklas Broberg and David Sands. 2009. Flow-sensitive semantics for dynamic information flow policies. In Proceedings of the 2009 Workshop on Programming Languages and Analysis for Security, PLAS 2009, Dublin, Ireland, 15-21 June, 2009, Stephen Chong and David A. Naumann (Eds.). ACM, 101–112. https://doi.org/10.1145/1554339.1554352
Google Scholar
Digital Library
- Niklas Broberg and David Sands. 2010. Paralocks: role-based information flow control and beyond. In Proceedings of the 37th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2010, Madrid, Spain, January 17-23, 2010, Manuel V. Hermenegildo and Jens Palsberg (Eds.). ACM, 431–444. https://doi.org/10.1145/1706299.1706349
Google Scholar
Digital Library
- Raimil Cruz, Tamara Rezk, Bernard P. Serpette, and Éric Tanter. 2017. Type Abstraction for Relaxed Noninterference. In 31st European Conference on Object-Oriented Programming, ECOOP 2017, June 19-23, 2017, Barcelona, Spain, Peter Müller (Ed.) (LIPIcs, Vol. 74). Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 7:1–7:27. https://doi.org/10.4230/LIPIcs.ECOOP.2017.7
Google Scholar
Cross Ref
- Dan Frumin, Robbert Krebbers, and Lars Birkedal. 2021. Compositional Non-Interference for Fine-Grained Concurrent Programs. In 42nd IEEE Symposium on Security and Privacy, SP 2021, San Francisco, CA, USA, 24-27 May 2021. IEEE, 1416–1433. https://doi.org/10.1109/SP40001.2021.00003
Google Scholar
Cross Ref
- Lennard Gäher, Michael Sammler, Simon Spies, Ralf Jung, Hoang-Hai Dang, Robbert Krebbers, Jeehoon Kang, and Derek Dreyer. 2022. Simuliris: a separation logic framework for verifying concurrent program optimizations. Proc. ACM Program. Lang., 6, POPL (2022), 1–31. https://doi.org/10.1145/3498689
Google Scholar
Digital Library
- Simon Oddershede Gregersen, Johan Bay, Amin Timany, and Lars Birkedal. 2021. Mechanized logical relations for termination-insensitive noninterference. Proc. ACM Program. Lang., 5, POPL (2021), 1–29. https://doi.org/10.1145/3434291
Google Scholar
Digital Library
- Chung-Kil Hur, Derek Dreyer, Georg Neis, and Viktor Vafeiadis. 2012. The marriage of bisimulations and Kripke logical relations. In Proceedings of the 39th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2012, Philadelphia, Pennsylvania, USA, January 22-28, 2012, John Field and Michael Hicks (Eds.). ACM, 59–72. https://doi.org/10.1145/2103656.2103666
Google Scholar
Digital Library
- Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Ales Bizjak, Lars Birkedal, and Derek Dreyer. 2018. Iris from the ground up: A modular foundation for higher-order concurrent separation logic. J. Funct. Program., 28 (2018), e20. https://doi.org/10.1017/S0956796818000151
Google Scholar
Cross Ref
- Ralf Jung, David Swasey, Filip Sieczkowski, Kasper Svendsen, Aaron Turon, Lars Birkedal, and Derek Dreyer. 2015. Iris: Monoids and Invariants as an Orthogonal Basis for Concurrent Reasoning. In Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2015, Mumbai, India, January 15-17, 2015, Sriram K. Rajamani and David Walker (Eds.). ACM, 637–650. https://doi.org/10.1145/2676726.2676980
Google Scholar
Digital Library
- Elisavet Kozyri and Fred B. Schneider. 2020. RIF: Reactive information flow labels. J. Comput. Secur., 28, 2 (2020), 191–228. https://doi.org/10.3233/JCS-191316
Google Scholar
Digital Library
- Peng Li and Steve Zdancewic. 2005. Downgrading policies and relaxed noninterference. In Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2005, Long Beach, California, USA, January 12-14, 2005, Jens Palsberg and Martín Abadi (Eds.). ACM, 158–170. https://doi.org/10.1145/1040305.1040319
Google Scholar
Digital Library
- Heiko Mantel and David Sands. 2004. Controlled Declassification Based on Intransitive Noninterference. In Programming Languages and Systems: Second Asian Symposium, APLAS 2004, Taipei, Taiwan, November 4-6, 2004. Proceedings, Wei-Ngan Chin (Ed.) (Lecture Notes in Computer Science, Vol. 3302). Springer, 129–145. https://doi.org/10.1007/978-3-540-30477-7_9
Google Scholar
Cross Ref
- Ana Almeida Matos and Gérard Boudol. 2005. On Declassification and the Non-Disclosure Policy. In 18th IEEE Computer Security Foundations Workshop, (CSFW-18 2005), 20-22 June 2005, Aix-en-Provence, France. IEEE Computer Society, 226–240. https://doi.org/10.1109/CSFW.2005.21
Google Scholar
Digital Library
- Jan Menz, Andrew Hirsch, Peixuan Li, and Deepak Garg. 2023. Compositional Security Definitions for Higher-Order Where Declassification - Technical Appendix. https://gitlab.mpi-sws.org/Quarkbeast/lambda-where-fullproofs/-/raw/main/Technical_Appendix.pdf
Google Scholar
- Minh Ngo, David A. Naumann, and Tamara Rezk. 2020. Type-Based Declassification for Free. In Formal Methods and Software Engineering - 22nd International Conference on Formal Engineering Methods, ICFEM 2020, Singapore, Singapore, March 1-3, 2021, Proceedings, Shang-Wei Lin, Zhe Hou, and Brendan P. Mahony (Eds.) (Lecture Notes in Computer Science, Vol. 12531). Springer, 181–197. https://doi.org/10.1007/978-3-030-63406-3_11
Google Scholar
Digital Library
- Vineet Rajani and Deepak Garg. 2018. Types for Information Flow Control: Labeling Granularity and Semantic Models. In 31st IEEE Computer Security Foundations Symposium, CSF 2018, Oxford, United Kingdom, July 9-12, 2018. IEEE Computer Society, 233–246. https://doi.org/10.1109/CSF.2018.00024
Google Scholar
Cross Ref
- Andrei Sabelfeld and Andrew C. Myers. 2003. A Model for Delimited Information Release. In Software Security - Theories and Systems, Second Mext-NSF-JSPS International Symposium, ISSS 2003, Tokyo, Japan, November 4-6, 2003, Revised Papers, Kokichi Futatsugi, Fumio Mizoguchi, and Naoki Yonezaki (Eds.) (Lecture Notes in Computer Science, Vol. 3233). Springer, 174–191. https://doi.org/10.1007/978-3-540-37621-7_9
Google Scholar
Cross Ref
- The Coq Development Team. 2022. The Coq Proof Assistant. https://doi.org/10.5281/zenodo.5846982
Google Scholar
Cross Ref
Index Terms
Compositional Security Definitions for Higher-Order Where Declassification
Recommendations
Trusted declassification:: high-level policy for a security-typed language
PLAS '06: Proceedings of the 2006 workshop on Programming languages and analysis for securitySecurity-typed languages promise to be a powerful tool with which provably secure software applications may be developed. Programs written in these languages enforce a strong, global policy of noninterferencewhich ensures that high-security data will ...
A Type System for Robust Declassification
Language-based approaches to information security have led to the development of security type systems that permit the programmer to describe confidentiality policies on data. Security type systems are usually intended to enforce noninterference, a ...
Interactive proofs in higher-order concurrent separation logic
POPL '17When using a proof assistant to reason in an embedded logic -- like separation logic -- one cannot benefit from the proof contexts and basic tactics of the proof assistant. This results in proofs that are at a too low level of abstraction because they ...






Comments