Lì Jiāng,Lingdi Ping,Xuezeng Pan

DOI: https://doi.org/10.1109/cis.2007.58

2007-01-01

Abstract:Language-based information flow security proper- ties such as noninterference ensure confidential data cannot interfere with public data. But in real comput- ing systems sensitive information sometimes needs to be released or to become more confidential. In this paper, we propose a new security property including support for both information release and erasure. Since the property is in the style of strong bisimulation equivalence, it is applicable to multi-threaded pro- grams. To ensure that declassification cannot be ex- ploited to reveal more secret data than intended, our property addresses what information may be released. Moreover, the property guarantees that dynamic up- grading the security label of data due to erasure re- quirement cannot affect the publicly visible behavior.

JIANG Li,CHEN Jian,PING Ling-di,CHEN Xiao-ping

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.05.004

2010-01-01

Abstract:In multithreaded environment,sensitive information is often deliberately released by many real applications and sometimes information needs to become more confidential. In order to address this situation,a security policy was defined in the style of strong bisimulation equivalence,which can handle both information leaking and erasing. The policy controls what information is released and guarantees that attackers cannot exploit information releasing mechanisms to reveal more sensitive data than intended. Moreover,it ensures that public data after erasing cannot be abused by attackers. Then a secure transforming type system was proposed to enforce the security policy by using the cross-copying technique,which can eliminate internal timing covert channels resulting from the interplay between different threads. The transforming type system can transform an insecure program into a secure one,trying to close information leaks. The secure program has the same structure as the original program and models the same timing behavior. Finally,the soundness of the type system was proved with respect to the operational semantics. Results indicate that if a program can be transformed according to typing rules,the resulting program satisfies the security policy.

Cong Sun,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1109/icis.2011.20

2011-01-01

Abstract:Language-based information flow security provides a way to enforce either the baseline noninterference property or more relaxed properties specifying intended information release. This paper presents a new approach for enforcing information release policy on programming language with I/O channels. First we present a relaxed security property complying with the security policy on the what-dimension of declassification. Second we propose an enforcement mechanism for the security property based on reach ability analysis of pushdown system. The self-composition is equipped with a store-match pattern, which reduces the cost of verification by avoiding duplication of I/O channels. The pattern also facilitates characterization of the security property. The experimental results show the preciseness of our enforcement.

Cong Sun,Ning Xi,Sheng Gao,Zhong Chen,JianFeng Ma

DOI: https://doi.org/10.1007/s11432-014-5168-7

2014-01-01

Science China Information Sciences

Abstract:Language-based information flow security is a promising approach for enforcement of strong security and protection of the data confidentiality for the end-to-end communications. Here, noninterference is the standard and most restricted security property that completely forbids confidential data from being released to public context. Although this baseline property has been extensively enforced in various cases, there are still many programs, which are considered secure enough, violating this property in some way. In order to control the information release in these programs, the predetermined ways should be specified by means of which confidential data can be released. These intentional releases, also called declassifications, are regulated by several more relaxed security properties than noninterference. The security properties for controlled declassification have been developed on different dimensions with declassification goals. However, the mechanisms used to enforce these properties are still unaccommodating, unspecific, and insufficiently studied. In this work, a new security property, the Relaxed Release with Reference Points (R3P), is presented to limit the information that can be declassified in a program. Moreover, a new mechanism using reachability analysis has been proposed for the pushdown system to enforce R3P on programs. In order to show R3P is competent for use, it has been proved that it complies with the well-known prudent principles of declassification, and in addition finds some restrictions on our security policy. The widespread usage, precision, efficiency, and the influencing factors of our enforcement have been evaluated.

Yong Huang,Lingdi Ping,Shanping Li,Xuezeng Pan

DOI: https://doi.org/10.4304/jsw.4.1.90-97

2009-01-01

Journal of Software

Abstract:Real-time information flow security properties such as timed noninterference provide assurances that some time dependent information flows may not become possible. However, with transitive noninterference formulation, it is difficult to deal with intransitive flow policies like channel control and secure downgrading of information with time constraints. In this paper, we introduce the notion of trust domain into Timed Secure Process Algebra (tSPA), extending intransitive noninterference to real-time systems. Based on weak timed bisimulation equivalence, some security properties for intransitive flow are reformulated in a realtime setting, in particular one property which is persistent, meaning that if a system is secure then all of its reachable states are secure too. Furthermore, we prove that such persistent intransitive timed property is compositional, which is thus possible to alleviate the state space explosion problem caused by the interleaving of all the possible executions of parallel processes. Finally, we provide one case study showing that it is possible to model and analyze the real-time system through our approach.

Ethan Cecchetti,Andrew C. Myers,Owen Arden

DOI: https://doi.org/10.1145/3133956.3134054

2017-09-01

Abstract:Noninterference is a popular semantic security condition because it offers strong end-to-end guarantees, it is inherently compositional, and it can be enforced using a simple security type system. Unfortunately, it is too restrictive for real systems. Mechanisms for downgrading information are needed to capture real-world security requirements, but downgrading eliminates the strong compositional security guarantees of noninterference. We introduce nonmalleable information flow, a new formal security condition that generalizes noninterference to permit controlled downgrading of both confidentiality and integrity. While previous work on robust declassification prevents adversaries from exploiting the downgrading of confidentiality, our key insight is transparent endorsement, a mechanism for downgrading integrity while defending against adversarial exploitation. Robust declassification appeared to break the duality of confidentiality and integrity by making confidentiality depend on integrity, but transparent endorsement makes integrity depend on confidentiality, restoring this duality. We show how to extend a security-typed programming language with transparent endorsement and prove that this static type system enforces nonmalleable information flow, a new security property that subsumes robust declassification and transparent endorsement. Finally, we describe an implementation of this type system in the context of Flame, a flow-limited authorization plugin for the Glasgow Haskell Compiler.

Cryptography and Security,Programming Languages

姜励,平玲娣,陈小平,潘雪增,李善平

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.12.010

2008-01-01

Abstract:The concept of trust domain was introduced into probabilistic secure process algebra(PSPA),and the intransitive noninterference information flow security model was extended to probabilistic systems to implement many important security policies such as secure downgrading of probabilistic information and channel control.Intransitive probabilistic information flow security properties were analyzed based on the probabilistic weak bisimulation equivalence.Intransitive bisimulation strong probabilistic noninterference(I_BSPNI) and intransitive probabilistic bisimulation-based nondeducibility on composition(I_PBNDC) were presented.To expose the potential secure problem that I_PBNDC cannot discover in dynamic context,the persistent I_PBNDC property was proposed,which required that every reachable state of the system must satisfy I_PBNDC.The properties like bisimulation-based nondeducibility on composition are difficult to prove.To overcome this shortcoming,strong I_PBNDC property was defined in terms of unwinding conditions demanding properties of individual actions.Finally,the relations between these properties were given and proved.

Xuezeng Pan

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.08.005

2009-01-01

Abstract:To resolve the problem that the simple combination of BLP and Biba models will lead to poor availability,a confidentiality and integrity dynamic union model based on multi-level security(MLS) policy was presented.The two dimensions of secure model are composed of confidentiality and integrity,on which the security label is separated into write privilege range and read privilege range respectively,whereupon subject's access range is adjusted dynamically according to the security label of related objects and the history situation of the subject's access,improving the agility and practicability of the model.The formal definition of this model was given,and the security was also analyzed with proof.Finally,examples were illuminated to show the effectiveness and usability of this model.

CHEN Jin,LV Hongbing,PAN Xuezeng

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.05.021

2011-01-01

Computer Engineering and Applications Journal

Abstract:The BLP can guarantee the security of information by allowing downward information flow from the low security level to high security level.However,under some circumstances,the upward information flow is also necessary.Clark-Wilson model is used to control and audit subject’s state transition and run time adjustment of low-water-mark policy parameters.This paper proposes a model that allows the upward information flow in the control of Clark-Wilson model.The model is proved secure and applicable.

Aslan Askarov,Andrew Myers

DOI: https://doi.org/10.2168/LMCS-7%283%3A17%292011

2011-09-23

Abstract:Language-based information flow methods offer a principled way to enforce strong security properties, but enforcing noninterference is too inflexible for realistic applications. Security-typed languages have therefore introduced declassification mechanisms for relaxing confidentiality policies, and endorsement mechanisms for relaxing integrity policies. However, a continuing challenge has been to define what security is guaranteed when such mechanisms are used. This paper presents a new semantic framework for expressing security policies for declassification and endorsement in a language-based setting. The key insight is that security can be characterized in terms of the influence that declassification and endorsement allow to the attacker. The new framework introduces two notions of security to describe the influence of the attacker. Attacker control defines what the attacker is able to learn from observable effects of this code; attacker impact captures the attacker's influence on trusted locations. This approach yields novel security conditions for checked endorsements and robust integrity. The framework is flexible enough to recover and to improve on the previously introduced notions of robustness and qualified robustness. Further, the new security conditions can be soundly enforced by a security type system. The applicability and enforcement of the new policies is illustrated through various examples, including data sanitization and authentication.

Programming Languages,Cryptography and Security

Abhishek Bichhawat,Vineet Rajani,Deepak Garg,Christian Hammer

DOI: https://doi.org/10.48550/arXiv.1506.03950

2015-06-12

Cryptography and Security

Abstract:Preventing implicit information flows by dynamic program analysis requires coarse approximations that result in false positives, because a dynamic monitor sees only the executed trace of the program. One widely deployed method is the no-sensitive-upgrade check, which terminates a program whenever a variable's taint is upgraded (made more sensitive) due to a control dependence on tainted data. Although sound, this method is restrictive, e.g., it terminates the program even if the upgraded variable is never used subsequently. To counter this, Austin and Flanagan introduced the permissive-upgrade check, which allows a variable upgrade due to control dependence, but marks the variable "partially-leaked". The program is stopped later if it tries to use the partially-leaked variable. Permissive-upgrade handles the dead-variable assignment problem and remains sound. However, Austin and Flanagan develop permissive-upgrade only for a two-point (low-high) security lattice and indicate a generalization to pointwise products of such lattices. In this paper, we develop a non-trivial and non-obvious generalization of permissive-upgrade to arbitrary lattices. The key difficulty lies in finding a suitable notion of partial leaks that is both sound and permissive and in developing a suitable definition of memory equivalence that allows an inductive proof of soundness.

Cong Sun,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1109/infcomw.2011.5928777

2011-01-01

Abstract:Language-based information flow security aims to decide whether an action-observable program can unintentionally leak confidential information if it has the authority to access confidential data. Recent concerns about declassification polices have provided many choices for practical intended information release, but more precise enforcement mechanism for these policies is insufficiently studied. In this paper, we propose a security property on the where-dimension of declassification and present an enforcement based on automated verification. The approach automatically transforms the abstract model with a variant of self-composition, and checks the reachability of illegal-flow state of the model after transformation. The self-composition is equipped with a store-match pattern to reduce the state space and to model the equivalence of declassified expressions in the premise of property. The evaluation shows that our approach is more precise than type-based enforcement.

Cong Sun,Ennan Zhai,Zhong Chen,Jianfeng Ma

DOI: https://doi.org/10.1007/978-3-642-25243-3_28

2011-01-01

Abstract:Interactive/Reactive computational model is known to be proper abstraction of many pervasively used systems, such as clientside web-based applications. The critical task of information flow control mechanisms aims to determine whether the interactive program can guarantee the confidentiality of secret data. We propose an efficient and flow-sensitive static analysis to enforce information flow policy on program with interactive I/Os. A reachability analysis is performed on the abstract model after a form of transformation, called multi-composition, to check the conformance with the policy. In the multi-composition we develop a store-match pattern to avoid duplicating the I/O channels in the model, and use the principle of secure multi-execution to generalize the security lattice model which is supported by other approaches based on automated verification. We also extend our approach to support a stronger version of termination-insensitive noninterference. The results of preliminary experiments show that our approach is more precise than existing flow-sensitive analysis and the cost of verification is reduced through the store-match pattern.

Iulia Bastys,Frank Piessens,Andrei Sabelfeld

DOI: https://doi.org/10.1145/3264820.3264824

2018-01-15

Abstract:Recent years have seen a proliferation of research on information flow control. While the progress has been tremendous, it has also given birth to a bewildering breed of concepts, policies, conditions, and enforcement mechanisms. Thus, when designing information flow controls for a new application domain, the designer is confronted with two basic questions: (i) What is the right security characterization for a new application domain? and (ii) What is the right enforcement mechanism for a new application domain? This paper puts forward six informal principles for designing information flow security definitions and enforcement mechanisms: attacker-driven security, trust-aware enforcement, separation of policy annotations and code, language-independence, justified abstraction, and permissiveness. We particularly highlight the core principles of attacker-driven security and trust-aware enforcement, giving us a rationale for deliberating over soundness vs. soundiness. The principles contribute to roadmapping the state of the art in information flow security, weeding out inconsistencies from the folklore, and providing a rationale for designing information flow characterizations and enforcement mechanisms for new application domains.

XIE Jun,HUANG Hao

DOI: https://doi.org/10.1360/jos171601

2006-01-01

Journal of Software

Abstract:The noninterference concept for actions of system to information domains is proposed.On the basis of this concept, the noninterference model is extended to nondeterministic systems.The noninterference concept based on actions of system simplifies the "purge" of the action sequence of the system.As a result, this model has concise unwinding conditions which are easy to understand and use.The extended model can be used to verify not only static but also dynamic information flow policies.Finally, a dynamic label based access control model is designed, in which the concrete semantic of the actions such as read, write and execute are defined, and its security is verified by the noninterference model.

Jianwen Sun,Xiang Long,Yongwang Zhao

DOI: https://doi.org/10.1109/access.2018.2815766

IF: 3.9

2018-01-01

IEEE Access

Abstract:Formal verification of information flow security with dynamic policies of security-critical systems is a grand challenge. This paper presents the first effort to formally specify and verify a capability-based system model with dynamic information flow policies. We build a generic security model with dynamic security policies. In the security model, we define a set of information flow security properties and provide an inference framework for them. Based on the security model, we propose a system model for capability-based secure systems. The system model specifies critical events including system initialization, inter-domain communication, and capability management. We prove information flow security of the capability-based model by an unwinding theorem. Formal specification and security proof are carried out in the Isabelle/HOL theorem prover and could be applied to formally develop and verify the security of capability-based secure systems, such as separation kernels and secure hypervisors. To our knowledge, this is the first machine-checked proof of capability-based information security with dynamic policies.

SHEN Qing-ni,QING Si-han,HE Ye-ping,LI Li-ping

DOI: https://doi.org/10.3321/j.issn:0372-2112.2006.10.012

2006-01-01

Abstract:Least privilege mechanism can provide a reasonable degree of security assurance for secure operating systems.This paper described a framework for implementing dynamically modified least privilege security policy,which combined role's duty separation property and domain's function separation property.Under the control of its new capability mechanism based on a process's executable image,current role and current domain,it restricted the process to the minimum amount of privileges within these contexts.This paper illustrated its implementation in ANSHENG OS v4.0,a copyrighted secure operating system satisfying all the specified requirements of Criteria class 4,"Structured-Protection",in GB17859-1999(equally,the B2 level in TCSEC) in China.Thus it demonstrates that this framework can help enforcing dynamically least privilege control on a secure operating system,while still providing a flexible efficient system.

Gabriel P. Fernandez,Andrey Brito,Ardhi Putra Pratama Hartono,Muhammad Usama Sardar,Christof Fetzer

DOI: https://doi.org/10.48550/arXiv.2311.06154

2023-11-11

Abstract:Our objective is to protect the integrity and confidentiality of applications operating in untrusted environments. Trusted Execution Environments (TEEs) are not a panacea. Hardware TEEs fail to protect applications against Sybil, Fork and Rollback Attacks and, consequently, fail to preserve the consistency and integrity of applications. We introduce a novel system, LLD, that enforces the integrity and consistency of applications in a transparent and scalable fashion. Our solution augments TEEs with instantiation control and rollback protection. Instantiation control, enforced with TEE-supported leases, mitigates Sybil/Fork Attacks without incurring the high costs of solving crypto-puzzles. Our rollback detection mechanism does not need excessive replication, nor does it sacrifice durability. We show that implementing these functionalities in the LLD runtime automatically protects applications and services such as a popular DBMS.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Farzaneh Derakhshan,Stephanie Balzer,Yue Yao

2024-07-30

Abstract:Noninterference guarantees that an attacker cannot infer secrets by interacting with a program. Information flow control (IFC) type systems assert noninterference by tracking the level of information learned (pc) and disallowing communication to entities of lesser or unrelated level than the pc. Control flow constructs such as loops are at odds with this pattern because they necessitate downgrading the pc upon recursion to be practical. In a concurrent setting, however, downgrading is not generally safe. This paper utilizes session types to track the flow of information and contributes an IFC type system for message-passing concurrent processes that allows downgrading the pc upon recursion. To make downgrading safe, the paper introduces regrading policies. Regrading policies are expressed in terms of integrity labels, which are also key to safe composition of entities with different regrading policies. The paper develops the type system and proves progress-sensitive noninterference for well-typed processes, ruling out timing attacks that exploit the relative order of messages. The type system has been implemented in a type checker, which supports security-polymorphic processes using local security theories.

Programming Languages,Logic in Computer Science

Qian Wang,Cong Wang,Kui Ren,Wenjing Lou,Jin Li

DOI: https://doi.org/10.1109/tpds.2010.183

IF: 5.3

2010-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Cloud Computing has been envisioned as the next-generation architecture of IT Enterprise. It moves the application software and databases to the centralized large data centers, where the management of the data and services may not be fully trustworthy. This unique paradigm brings about many new security challenges, which have not been well understood. This work studies the problem of ensuring the integrity of data storage in Cloud Computing. In particular, we consider the task of allowing a third party auditor (TPA), on behalf of the cloud client, to verify the integrity of the dynamic data stored in the cloud. The introduction of TPA eliminates the involvement of the client through the auditing of whether his data stored in the cloud are indeed intact, which can be important in achieving economies of scale for Cloud Computing. The support for data dynamics via the most general forms of data operation, such as block modification, insertion, and deletion, is also a significant step toward practicality, since services in Cloud Computing are not limited to archive or backup data only. While prior works on ensuring remote data integrity often lacks the support of either public auditability or dynamic data operations, this paper achieves both. We first identify the difficulties and potential security problems of direct extensions with fully dynamic data updates from prior works and then show how to construct an elegant verification scheme for the seamless integration of these two salient features in our protocol design. In particular, to achieve efficient data dynamics, we improve the existing proof of storage models by manipulating the classic Merkle Hash Tree construction for block tag authentication. To support efficient handling of multiple auditing tasks, we further explore the technique of bilinear aggregate signature to extend our main result into a multiuser setting, where TPA can perform multiple auditing tasks simultaneously. Extensive security and performance analysis show that the proposed schemes are highly efficient and provably secure.