JIANG Li,CHEN Jian,PING Ling-di,CHEN Xiao-ping

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.05.004

2010-01-01

Abstract:In multithreaded environment,sensitive information is often deliberately released by many real applications and sometimes information needs to become more confidential. In order to address this situation,a security policy was defined in the style of strong bisimulation equivalence,which can handle both information leaking and erasing. The policy controls what information is released and guarantees that attackers cannot exploit information releasing mechanisms to reveal more sensitive data than intended. Moreover,it ensures that public data after erasing cannot be abused by attackers. Then a secure transforming type system was proposed to enforce the security policy by using the cross-copying technique,which can eliminate internal timing covert channels resulting from the interplay between different threads. The transforming type system can transform an insecure program into a secure one,trying to close information leaks. The secure program has the same structure as the original program and models the same timing behavior. Finally,the soundness of the type system was proved with respect to the operational semantics. Results indicate that if a program can be transformed according to typing rules,the resulting program satisfies the security policy.

Li Jiang,Lingdi Ping,Xuezeng Pan

DOI: https://doi.org/10.1007/978-3-540-76788-6_6

2007-01-01

Abstract:Information flow and in particular noninterference ensure that sensitive information does not affect public information. But noninterference is too restrictive: real computing systems sometimes need to dynamically release certain amount of sensitive information. In this paper, we propose a new security property that requires the decision to perform information release have high integrity, and permits low integrity data which comes from untrusted sources to dynamically affect information release by upgrading (or endorsing) its integrity. To control such integrity upgrading, we introduce an endorsement mechanism that takes the form of a local integrity endorsing policy declaration. So the programmer can express more precise ways of endorsing, by specifying the integrity levels from which information may be endorsed. In addition, we show a new type system to enforce the security property.

郭艳卿,何德全,尤新刚,孔祥维

DOI: https://doi.org/10.3321/j.issn:0529-6579.2004.z2.027

2004-01-01

Abstract:As a latest subject, Information Hiding has received a rapid development in recent years. But the essence of Information Hiding is still obscure. In this paper, we make an analysis of different methods for evaluating the performance of Information Hiding. Then, after finding the analogy between physics and Information Hiding, we introduce the concept level property of Information Hiding and discuss the security of Information Hiding in terms of level property.

Yong Huang,Lingdi Ping,Shanping Li,Xuezeng Pan

DOI: https://doi.org/10.4304/jsw.4.1.90-97

2009-01-01

Journal of Software

Abstract:Real-time information flow security properties such as timed noninterference provide assurances that some time dependent information flows may not become possible. However, with transitive noninterference formulation, it is difficult to deal with intransitive flow policies like channel control and secure downgrading of information with time constraints. In this paper, we introduce the notion of trust domain into Timed Secure Process Algebra (tSPA), extending intransitive noninterference to real-time systems. Based on weak timed bisimulation equivalence, some security properties for intransitive flow are reformulated in a realtime setting, in particular one property which is persistent, meaning that if a system is secure then all of its reachable states are secure too. Furthermore, we prove that such persistent intransitive timed property is compositional, which is thus possible to alleviate the state space explosion problem caused by the interleaving of all the possible executions of parallel processes. Finally, we provide one case study showing that it is possible to model and analyze the real-time system through our approach.

姜励,平玲娣,陈小平,潘雪增,李善平

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.12.010

2008-01-01

Abstract:The concept of trust domain was introduced into probabilistic secure process algebra(PSPA),and the intransitive noninterference information flow security model was extended to probabilistic systems to implement many important security policies such as secure downgrading of probabilistic information and channel control.Intransitive probabilistic information flow security properties were analyzed based on the probabilistic weak bisimulation equivalence.Intransitive bisimulation strong probabilistic noninterference(I_BSPNI) and intransitive probabilistic bisimulation-based nondeducibility on composition(I_PBNDC) were presented.To expose the potential secure problem that I_PBNDC cannot discover in dynamic context,the persistent I_PBNDC property was proposed,which required that every reachable state of the system must satisfy I_PBNDC.The properties like bisimulation-based nondeducibility on composition are difficult to prove.To overcome this shortcoming,strong I_PBNDC property was defined in terms of unwinding conditions demanding properties of individual actions.Finally,the relations between these properties were given and proved.

Cong Sun,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1109/icis.2011.20

2011-01-01

Abstract:Language-based information flow security provides a way to enforce either the baseline noninterference property or more relaxed properties specifying intended information release. This paper presents a new approach for enforcing information release policy on programming language with I/O channels. First we present a relaxed security property complying with the security policy on the what-dimension of declassification. Second we propose an enforcement mechanism for the security property based on reach ability analysis of pushdown system. The self-composition is equipped with a store-match pattern, which reduces the cost of verification by avoiding duplication of I/O channels. The pattern also facilitates characterization of the security property. The experimental results show the preciseness of our enforcement.

Cong Sun,Ning Xi,Sheng Gao,Zhong Chen,JianFeng Ma

DOI: https://doi.org/10.1007/s11432-014-5168-7

2014-01-01

Science China Information Sciences

Abstract:Language-based information flow security is a promising approach for enforcement of strong security and protection of the data confidentiality for the end-to-end communications. Here, noninterference is the standard and most restricted security property that completely forbids confidential data from being released to public context. Although this baseline property has been extensively enforced in various cases, there are still many programs, which are considered secure enough, violating this property in some way. In order to control the information release in these programs, the predetermined ways should be specified by means of which confidential data can be released. These intentional releases, also called declassifications, are regulated by several more relaxed security properties than noninterference. The security properties for controlled declassification have been developed on different dimensions with declassification goals. However, the mechanisms used to enforce these properties are still unaccommodating, unspecific, and insufficiently studied. In this work, a new security property, the Relaxed Release with Reference Points (R3P), is presented to limit the information that can be declassified in a program. Moreover, a new mechanism using reachability analysis has been proposed for the pushdown system to enforce R3P on programs. In order to show R3P is competent for use, it has been proved that it complies with the well-known prudent principles of declassification, and in addition finds some restrictions on our security policy. The widespread usage, precision, efficiency, and the influencing factors of our enforcement have been evaluated.

Cong Sun,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1109/infcomw.2011.5928777

2011-01-01

Abstract:Language-based information flow security aims to decide whether an action-observable program can unintentionally leak confidential information if it has the authority to access confidential data. Recent concerns about declassification polices have provided many choices for practical intended information release, but more precise enforcement mechanism for these policies is insufficiently studied. In this paper, we propose a security property on the where-dimension of declassification and present an enforcement based on automated verification. The approach automatically transforms the abstract model with a variant of self-composition, and checks the reachability of illegal-flow state of the model after transformation. The self-composition is equipped with a store-match pattern to reduce the state space and to model the equivalence of declassified expressions in the premise of property. The evaluation shows that our approach is more precise than type-based enforcement.

Zhi-Yu Peng,Shan-Ping Li

DOI: https://doi.org/10.1109/icmlc.2008.4620616

2008-01-01

Abstract:As pervasive computing leading to an increased collection of information in the computational world as well as the real world, privacy leaking becomes a serious issue. Although privacy protection has drawn great attention in recent years, the privacy-preserving trust management has not been brought forward. Credential chain discovery problem is the key issue in trust management, and traditionally credentials are full open in the whole system. This could expose users' access control policies as well as other private information, and leads to a great risk of being cheated by malicious users. This paper advocates a privacy-preserving credential chain discovery mechanism, in which credentials are no longer available to everyone. By merely learning credentials of one's logic neighbors, this mechanism still achieves good results. The simulations show that this mechanism is practical.

Yang Zhao,Ligong Yu,Jia Bei

DOI: https://doi.org/10.1109/csse.2008.890

2008-01-01

Abstract:This paper proposes to use permissions to assure some important parallel interference patterns in multithreaded programs. With pre-defined annotations, programmers are able to express their design intent which could be interpreted as permission representations. A permission is a value associated with some piece of state in a program and it is designed to permit certain operations. There are two inherent transformations among permissions: fraction and nesting, such that the former allows one permission to be split into several pieces, while the latter builds a protection relation between the nested and nester permissions. Based on the permission interpretation and reasoning, we are able to tell whether the high level annotations match with the low level program code and hence some important interference patterns in multithreaded programs could be assured.

Ethan Cecchetti,Andrew C. Myers,Owen Arden

DOI: https://doi.org/10.1145/3133956.3134054

2017-09-01

Abstract:Noninterference is a popular semantic security condition because it offers strong end-to-end guarantees, it is inherently compositional, and it can be enforced using a simple security type system. Unfortunately, it is too restrictive for real systems. Mechanisms for downgrading information are needed to capture real-world security requirements, but downgrading eliminates the strong compositional security guarantees of noninterference. We introduce nonmalleable information flow, a new formal security condition that generalizes noninterference to permit controlled downgrading of both confidentiality and integrity. While previous work on robust declassification prevents adversaries from exploiting the downgrading of confidentiality, our key insight is transparent endorsement, a mechanism for downgrading integrity while defending against adversarial exploitation. Robust declassification appeared to break the duality of confidentiality and integrity by making confidentiality depend on integrity, but transparent endorsement makes integrity depend on confidentiality, restoring this duality. We show how to extend a security-typed programming language with transparent endorsement and prove that this static type system enforces nonmalleable information flow, a new security property that subsumes robust declassification and transparent endorsement. Finally, we describe an implementation of this type system in the context of Flame, a flow-limited authorization plugin for the Glasgow Haskell Compiler.

Cryptography and Security,Programming Languages

Cong Sun,Ennan Zhai,Zhong Chen,Jianfeng Ma

DOI: https://doi.org/10.1007/978-3-642-25243-3_28

2011-01-01

Abstract:Interactive/Reactive computational model is known to be proper abstraction of many pervasively used systems, such as clientside web-based applications. The critical task of information flow control mechanisms aims to determine whether the interactive program can guarantee the confidentiality of secret data. We propose an efficient and flow-sensitive static analysis to enforce information flow policy on program with interactive I/Os. A reachability analysis is performed on the abstract model after a form of transformation, called multi-composition, to check the conformance with the policy. In the multi-composition we develop a store-match pattern to avoid duplicating the I/O channels in the model, and use the principle of secure multi-execution to generalize the security lattice model which is supported by other approaches based on automated verification. We also extend our approach to support a stronger version of termination-insensitive noninterference. The results of preliminary experiments show that our approach is more precise than existing flow-sensitive analysis and the cost of verification is reduced through the store-match pattern.

Mário S. Alvim

DOI: https://doi.org/10.48550/arXiv.1111.3013

2012-02-14

Abstract:In this thesis we consider the problem of information hiding in the scenarios of interactive systems, statistical disclosure control, and refinement of specifications. We apply quantitative approaches to information flow in the first two cases, and we propose improvements for the usual solutions based on process equivalences for the third case. In the first scenario we consider the problem of defining the information leakage in interactive systems where secrets and observables can alternate during the computation and influence each other. We show that the information-theoretic approach which interprets such systems as (simple) noisy channels is not valid. The principle can be recovered if we consider channels with memory and feedback. We also propose the use of directed information from input to output as the real measure of leakage in interactive systems. In the second scenario we consider the problem of statistical disclosure control, which concerns how to reveal accurate statistics about a set of respondents while preserving the privacy of individuals. We focus on the concept of differential privacy, a notion that has become very popular in the database community. We show how to model the query system in terms of an information-theoretic channel, and we compare the notion of differential privacy with that of min-entropy <a class="link-external link-http" href="http://leakage.In" rel="external noopener nofollow">this http URL</a> the third scenario we address the problem of using process equivalences to characterize information-hiding properties. We show that, in the presence of nondeterminism, this approach may rely on the assumption that the scheduler "works for the benefit of the protocol", and this is often not a safe assumption. We present a formalism in which we can specify admissible schedulers and, correspondingly, safe versions of complete-trace equivalence and bisimulation, and we show that safe equivalences can be used to establish information-hiding properties.

Cryptography and Security

Cristian Ene,Laurent Mounier,Marie-Laure Potet

DOI: https://doi.org/10.48550/arXiv.1909.09567

2019-09-20

Cryptography and Security

Abstract:Constant-time programming is a countermeasure to prevent cache based attacks where programs should not perform memory accesses that depend on secrets. In some cases this policy can be safely relaxed if one can prove that the program does not leak more information than the public outputs of the computation. We propose a novel approach for verifying constant-time programming based on a new information flow property, called output-sensitive noninterference. Noninterference states that a public observer cannot learn anything about the private data. Since real systems need to intentionally declassify some information, this property is too strong in practice. In order to take into account public outputs we proceed as follows: instead of using complex explicit declassification policies, we partition variables in three sets: input, output and leakage variables. Then, we propose a typing system to statically check that leakage variables do not leak more information about the secret inputs than the public normal output. The novelty of our approach is that we track the dependence of leakage variables with respect not only to the initial values of input variables (as in classical approaches for noninterference), but taking also into account the final values of output variables. We adapted this approach to LLVM IR and we developed a prototype to verify LLVM implementations.

Zi-Peng Zhang,Ming Fu,Xin-Yu Feng

DOI: https://doi.org/10.1007/s11390-019-1949-1

2019-01-01

Abstract:Inter-process communication (IPC) provides a message passing mechanism for information exchange between applications. It has been long believed that IPCs can be abused by malware writers to launch collusive information leak using two or more applications. Much work on privacy protection focuses on the simple information leak caused by the individual applications and lacks effective approaches to preventing the collusive information leak caused by IPCs between multiple processes. In this paper, we propose a hybrid approach to prevent the collusive information leak based on information flow control. Our approach combines static information flow analysis and dynamic runtime checking together. Information leak caused by individual processes is prevented through static information flow control, and dynamic checking is done at runtime to prevent the collusive information leak. Such a combination may effectively reduce the runtime overhead of pure dynamic checking, and reduce false-alarms in pure static analysis. We develop this approach based on an abstract and simplified programming model, and formalize a novel definition of the leak-freedom property as our target security property. A simulation-based proof technique is used to prove that our approach is able to guarantee leak-freedom. All proofs are mechanized in Coq.

Sun Jianling,He Zhijun

1997-01-01

Abstract:A technique for transparent access to persistent objects is presented, which is a key technique for achieving the seamless integration of object-oriented databases and programming languages, in the condition of keeping the object-level concurrency control, version management and constraint checking

SUN Cong,TANG Li-yong,CHEN Zhong

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.07.023

2011-01-01

Computer Science

Abstract:We proposed an approach for analyzing information-flow security of imperative language with output channels.The program is Abstracted with pushdown system,which is then self-composed in order to adapt noninterference as a safety property.The output operations in the two relevant runs are respectively modeled as storing and matching procedure by pushdown rules.Then the termination-insensitive noninterference is verified by a reachability analysis of illegal-flow state.A variation of this approach can deal with program containing divergent run.An upper-bound regression algorithm was proposed to find the maximum upper-bound in order to trigger coercive termination of divergent run.The experimental results show that the approach is more precise and efficient than existing work.

Zi Xiaochao,Yao Lihong,Pan Li

DOI: https://doi.org/10.1109/ICCIAS.2006.295325

2007-01-01

Abstract:Access control mechanisms can't efficiently restrict hidden information flow, and confidential information can stealthily leak out with hidden information flow. We outline a state-based approach to analyzing hidden information flow. The main idea of the approach is to model secure systems as finite automata, and analyze the properties of information flow by studying the characteristic of the finite automata

Jean-Yves Marion,Romain Péchoux

DOI: https://doi.org/10.48550/arXiv.1203.6878

2012-03-31

Abstract:We propose a type system to analyze the time consumed by multi-threaded imperative programs with a shared global memory, which delineates a class of safe multi-threaded programs. We demonstrate that a safe multi-threaded program runs in polynomial time if (i) it is strongly terminating wrt a non-deterministic scheduling policy or (ii) it terminates wrt a deterministic and quiet scheduling policy. As a consequence, we also characterize the set of polynomial time functions. The type system presented is based on the fundamental notion of data tiering, which is central in implicit computational complexity. It regulates the information flow in a computation. This aspect is interesting in that the type system bears a resemblance to typed based information flow analysis and notions of non-interference. As far as we know, this is the first characterization by a type system of polynomial time multi-threaded programs.

Computational Complexity

Junyao Hou,Xiang Yin,Shaoyuan Li

DOI: https://doi.org/10.1016/j.automatica.2022.110238

IF: 6.4

2022-01-01

Automatica

Abstract:Opacity is an important information-flow security property that characterizes the plausible deniability of a dynamic system for its “secret” against eavesdropping attacks. As an information-flow property, the underlying observation model is the key in the modeling and analysis of opacity. In this paper, we investigate the verification of current-state opacity for discrete-event systems under Orwellian-type observations, i.e., the system is allowed to re-interpret the observation of an event based on its future suffix. First, we propose a new Orwellian-type observation model called the dynamic information release mechanism (DIRM). In the DIRM, when to release previous “hold on” events is state-dependent. Then we propose a new definition of opacity based on the notion of history-equivalence rather than the standard projection-equivalence. This definition is more suitable for observations that are not prefix-closed. Finally, we show that by constructing a new structure called the DIRM-observer, current-state opacity can be effectively verified under the DIRM. Computational complexity analysis as well as illustrative examples for the proposed approach is also provided. Compared with the existing Orwellian-type observation model, the proposed framework is more general in the sense that the information-release-mechanism is state-dependent, information is partially released and the corresponding definition of opacity is more suitable for non-prefix-closed observations.