Luigi Logrippo

2024-03-12

Abstract:Some theories on data flow security are based on order-theoretical concepts, most commonly on lattice concepts. This paper presents a correspondence between security concepts and partial order concepts, by which the former become an application of the latter. The formalization involves concepts of data flow, equivalence classes of entities that can access the same data, and labels. Efficient, well-known algorithms to obtain one of these from one of the others are presented. Security concepts such as secrecy (also called confidentiality), integrity and conflict can be expressed in this theory. Further, it is shown that complex tuple labels used in the literature to express security levels can be translated into equivalent set labels. A consequence is that any network's data flow or access control relationships can be defined by assigning simple set labels to the entities. Finally, it is shown how several partial orders can be combined when different data flows must coexist.

Cryptography and Security

Sebastian Hunt,David Sands,Sandro Stucki

DOI: https://doi.org/10.1145/3571740

2023-02-03

Abstract:This paper proposes a reconciliation of two different theories of information. The first, originally proposed in a lesser-known work by Claude Shannon, describes how the information content of channels can be described qualitatively, but still abstractly, in terms of information elements, i.e. equivalence relations over the data source domain. Shannon showed that these elements form a complete lattice, with the order expressing when one element is more informative than another. In the context of security and information flow this structure has been independently rediscovered several times, and used as a foundation for reasoning about information flow. The second theory of information is Dana Scott's domain theory, a mathematical framework for giving meaning to programs as continuous functions over a particular topology. Scott's partial ordering also represents when one element is more informative than another, but in the sense of computational progress, i.e. when one element is a more defined or evolved version of another. To give a satisfactory account of information flow in programs it is necessary to consider both theories together, to understand what information is conveyed by a program viewed as a channel (à la Shannon) but also by the definedness of its encoding (à la Scott). We combine these theories by defining the Lattice of Computable Information (LoCI), a lattice of preorders rather than equivalence relations. LoCI retains the rich lattice structure of Shannon's theory, filters out elements that do not make computational sense, and refines the remaining information elements to reflect how Scott's ordering captures the way that information is presented. We show how the new theory facilitates the first general definition of termination-insensitive information flow properties, a weakened form of information flow property commonly targeted by static program analyses.

Programming Languages,Cryptography and Security,Logic in Computer Science

Ezio Bartocci,Thomas A. Henzinger,Dejan Nickovic,Ana Oliveira da Costa

2024-06-20

Abstract:Information-flow interfaces is a formalism recently proposed for specifying, composing, and refining system-wide security requirements. In this work, we show how the widely used concept of security lattices provides a natural semantic interpretation for information-flow interfaces.

Formal Languages and Automata Theory

Fangzhou Wu,Ethan Cecchetti,Chaowei Xiao

2024-10-10

Abstract:Large Language Model-based systems (LLM systems) are information and query processing systems that use LLMs to plan operations from natural-language prompts and feed the output of each successive step into the LLM to plan the next. This structure results in powerful tools that can process complex information from diverse sources but raises critical security concerns. Malicious information from any source may be processed by the LLM and can compromise the query processing, resulting in nearly arbitrary misbehavior. To tackle this problem, we present a system-level defense based on the principles of information flow control that we call an f-secure LLM system. An f-secure LLM system disaggregates the components of an LLM system into a context-aware pipeline with dynamically generated structured executable plans, and a security monitor filters out untrusted input into the planning process. This structure prevents compromise while maximizing flexibility. We provide formal models for both existing LLM systems and our f-secure LLM system, allowing analysis of critical security guarantees. We further evaluate case studies and benchmarks showing that f-secure LLM systems provide robust security while preserving functionality and efficiency. Our code is released at <a class="link-external link-https" href="https://github.com/fzwark/Secure_LLM_System" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security

Pasquale Malacaria

DOI: https://doi.org/10.48550/arXiv.1101.3453

2011-01-18

Abstract:Several mathematical ideas have been investigated for Quantitative Information Flow. Information theory, probability, guessability are the main ideas in most proposals. They aim to quantify how much information is leaked, how likely is to guess the secret and how long does it take to guess the secret respectively. In this paper, we show how the Lattice of Information provides a valuable foundation for all these approaches; not only it provides an elegant algebraic framework for the ideas, but also to investigate their relationship. In particular we will use this lattice to prove some results establishing order relation correspondences between the different quantitative approaches. The implications of these results w.r.t. recent work in the community is also investigated. While this work concentrates on the foundational importance of the Lattice of Information its practical relevance has been recently proven, notably with the quantitative analysis of Linux kernel vulnerabilities. Overall we believe these works set the case for establishing the Lattice of Information as one of the main reference structure for Quantitative Information Flow.

Information Theory

Robert E. Kent

DOI: https://doi.org/10.48550/arXiv.1603.03475

2016-03-10

Logic in Computer Science

Abstract:This paper describes information flow within logical environments. The theory of information flow, the logic of distributed systems, was first defined by Barwise and Seligman (Information Flow: The Logic of Distributed Systems. 1997). Logical environments are a semantic-oriented version of institutions. The theory of institutions, which was initiated by Goguen and Burstall (Institutions: Abstract Model Theory for Specification and Programming. 1992), is abstract model theory. Information flow is the flow of information in channels over distributed systems. The semantic integration of distributed systems, be they ontologies, databases or other information resources, can be defined in terms of the channel theory of information flow. As originally defined, the theory of information flow uses only a specific logical environment in order to discuss information flow. This paper shows how information flow can be defined in an arbitrary logical environment.

Owen Arden,Anitha Gollamudi,Ethan Cecchetti,Stephen Chong,Andrew C. Myers

DOI: https://doi.org/10.48550/arXiv.2104.10379

2021-04-21

Abstract:Real-world applications routinely make authorization decisions based on dynamic computation. Reasoning about dynamically computed authority is challenging. Integrity of the system might be compromised if attackers can improperly influence the authorizing computation. Confidentiality can also be compromised by authorization, since authorization decisions are often based on sensitive data such as membership lists and passwords. Previous formal models for authorization do not fully address the security implications of permitting trust relationships to change, which limits their ability to reason about authority that derives from dynamic computation. Our goal is an approach to constructing dynamic authorization mechanisms that do not violate confidentiality or integrity. The Flow-Limited Authorization Calculus (FLAC) is a simple, expressive model for reasoning about dynamic authorization as well as an information flow control language for securely implementing various authorization mechanisms. FLAC combines the insights of two previous models: it extends the Dependency Core Calculus with features made possible by the Flow-Limited Authorization Model. FLAC provides strong end-to-end information security guarantees even for programs that incorporate and implement rich dynamic authorization mechanisms. These guarantees include noninterference and robust declassification, which prevent attackers from influencing information disclosures in unauthorized ways. We prove these security properties formally for all FLAC programs and explore the expressiveness of FLAC with several examples.

Cryptography and Security,Programming Languages

Gaurav Srivastava,Richa Agrawal,Kunwar Singh,Rajeev Tripathi,Kshirasagar Naik

DOI: https://doi.org/10.1007/s12083-019-00776-6

2019-08-14

Abstract:Routing and secure communication are important concerns in Delay Tolerant Networks (DTNs). Previously designed security schemes utilize traditional public key cryptosystems for entity and data security that provide security under some hard problems like integer factorization and discrete logarithmic problems. These algorithms are vulnerable to Quantum attacks. In this paper lattice based cryptosystem has been used first time for DTN security. Lattice based cryptosystems utilize post-quantum cryptographic algorithms which are unbreakable by quantum attacks. First we present a novel Hierarchical structure for DTN having intracluster and intercluster communications. Then, we propose a security design to provide end-to-end security to DTN application data using lattice based cryptographic signature and encryption algorithms, secure under LWE hard problem over lattices. For securing intracluster and intercluster communication, three new schemes have been proposed: (i) Lattice based hierarchical identity-based key agreement scheme, based on lattice based Diffie-Hellman key agreement protocol, secure under LWE assumption but adapted to hierarchical structure. (ii) To derive new session keys, i.e. keys for new joining nodes and for key refreshment, a new lattice based hierarchical identity-based key update scheme has been proposed, which is based on Singh et al.'s lattice based forward secure identity-based encryption algorithm, (iii) A lattice based non-interactive key agreement scheme, based on schemes proposed by Agrawal et al. and Singh et al., has been proposed for generating a secret key for two communicating nodes in different clusters. This design can effectively resist man-in-the-middle attack, replay attack, dictionary attack, and parallel session attack and maintains forward and backward secrecy.

computer science, information systems,telecommunications

Ethan Cecchetti,Andrew C. Myers,Owen Arden

DOI: https://doi.org/10.1145/3133956.3134054

2017-09-01

Abstract:Noninterference is a popular semantic security condition because it offers strong end-to-end guarantees, it is inherently compositional, and it can be enforced using a simple security type system. Unfortunately, it is too restrictive for real systems. Mechanisms for downgrading information are needed to capture real-world security requirements, but downgrading eliminates the strong compositional security guarantees of noninterference. We introduce nonmalleable information flow, a new formal security condition that generalizes noninterference to permit controlled downgrading of both confidentiality and integrity. While previous work on robust declassification prevents adversaries from exploiting the downgrading of confidentiality, our key insight is transparent endorsement, a mechanism for downgrading integrity while defending against adversarial exploitation. Robust declassification appeared to break the duality of confidentiality and integrity by making confidentiality depend on integrity, but transparent endorsement makes integrity depend on confidentiality, restoring this duality. We show how to extend a security-typed programming language with transparent endorsement and prove that this static type system enforces nonmalleable information flow, a new security property that subsumes robust declassification and transparent endorsement. Finally, we describe an implementation of this type system in the context of Flame, a flow-limited authorization plugin for the Glasgow Haskell Compiler.

Cryptography and Security,Programming Languages

Cong Sun,Ennan Zhai,Zhong Chen,Jianfeng Ma

DOI: https://doi.org/10.1007/978-3-642-25243-3_28

2011-01-01

Abstract:Interactive/Reactive computational model is known to be proper abstraction of many pervasively used systems, such as clientside web-based applications. The critical task of information flow control mechanisms aims to determine whether the interactive program can guarantee the confidentiality of secret data. We propose an efficient and flow-sensitive static analysis to enforce information flow policy on program with interactive I/Os. A reachability analysis is performed on the abstract model after a form of transformation, called multi-composition, to check the conformance with the policy. In the multi-composition we develop a store-match pattern to avoid duplicating the I/O channels in the model, and use the principle of secure multi-execution to generalize the security lattice model which is supported by other approaches based on automated verification. We also extend our approach to support a stronger version of termination-insensitive noninterference. The results of preliminary experiments show that our approach is more precise than existing flow-sensitive analysis and the cost of verification is reduced through the store-match pattern.

H Liu,Ml Li,Jd Yu,L Cao,Y Li,W Jin,Q Qian

DOI: https://doi.org/10.1007/978-3-540-24680-0_82

2004-01-01

Abstract:This paper presents a lattice framework to implement OGSA. It comprises nine semantic constructs: port, probe, adapter, action, activity, workflow, grid service, constraint and trigger, which form four different integration levels while each level could handle the semantics of presentation, functionality and resource separately. This paper focuses on the structures of constructs and the composition scenario based on this lattice framework.

Nicolas Boltz,Sebastian Hahner,Christopher Gerking,Robert Heinrich

2024-03-14

Abstract:The growing interconnection between software systems increases the need for security already at design time. Security-related properties like confidentiality are often analyzed based on data flow diagrams (DFDs). However, manually analyzing DFDs of large software systems is bothersome and error-prone, and adjusting an already deployed software is costly. Additionally, closed analysis ecosystems limit the reuse of modeled information and impede comprehensive statements about a system's security. In this paper, we present an open and extensible framework for data flow analysis. The central element of our framework is our new implementation of a well-validated data-flow-based analysis approach. The framework is compatible with DFDs and can also extract data flows from the Palladio architectural description language. We showcase the extensibility with multiple model and analysis extensions. Our evaluation indicates that we can analyze similar scenarios while achieving higher scalability compared to previous implementations.

Software Engineering,Cryptography and Security

Iulia Bastys,Frank Piessens,Andrei Sabelfeld

DOI: https://doi.org/10.1145/3264820.3264824

2018-01-15

Abstract:Recent years have seen a proliferation of research on information flow control. While the progress has been tremendous, it has also given birth to a bewildering breed of concepts, policies, conditions, and enforcement mechanisms. Thus, when designing information flow controls for a new application domain, the designer is confronted with two basic questions: (i) What is the right security characterization for a new application domain? and (ii) What is the right enforcement mechanism for a new application domain? This paper puts forward six informal principles for designing information flow security definitions and enforcement mechanisms: attacker-driven security, trust-aware enforcement, separation of policy annotations and code, language-independence, justified abstraction, and permissiveness. We particularly highlight the core principles of attacker-driven security and trust-aware enforcement, giving us a rationale for deliberating over soundness vs. soundiness. The principles contribute to roadmapping the state of the art in information flow security, weeding out inconsistencies from the folklore, and providing a rationale for designing information flow characterizations and enforcement mechanisms for new application domains.

Juan Ye,Lorcan Coyle,Simon Dobson,Paddy Nixon

2007-01-01

Abstract:Much recent research has focused on using situations rather than individual pieces of context as a means to trigger adaptive system behaviour. While current research on situations emphasises their repre- sentation and composition, they do not provide an approach on how to organise and identify their occurrences eciently. This paper describes how lattice theory can be utilised to organise situations, which reflects the internal structure of situations such as generalisation and dependence. We claim that situation lattices will prove beneficial in identifying situa- tions, and maintaining the consistency and integrity of situations. They will also help in resolving the uncertainty issues inherent in context and situations by working with Bayesian Networks.

Marco Eilers,Thibault Dardinier,Peter Müller

DOI: https://doi.org/10.48550/arXiv.2211.08459

2023-04-12

Abstract:Information flow security ensures that the secret data manipulated by a program does not influence its observable output. Proving information flow security is especially challenging for concurrent programs, where operations on secret data may influence the execution time of a thread and, thereby, the interleaving between different threads. Such internal timing channels may affect the observable outcome of a program even if an attacker does not observe execution times. Existing verification techniques for information flow security in concurrent programs attempt to prove that secret data does not influence the relative timing of threads. However, these techniques are often restrictive (for instance because they disallow branching on secret data) and make strong assumptions about the execution platform (ignoring caching, processor instructions with data-dependent runtime, and other common features that affect execution time). In this paper, we present a novel verification technique for secure information flow in concurrent programs that lifts these restrictions and does not make any assumptions about timing behavior. The key idea is to prove that all mutating operations performed on shared data commute, such that different thread interleavings do not influence its final value. Crucially, commutativity is required only for an abstraction of the shared data that contains the information that will be leaked to a public output. Abstract commutativity is satisfied by many more operations than standard commutativity, which makes our technique widely applicable. We formalize our technique in CommCSL, a relational concurrent separation logic with support for commutativity-based reasoning, and prove its soundness in Isabelle/HOL. We implemented CommCSL in HyperViper, an automated verifier based on the Viper verification infrastructure, and demonstrate its ability to verify challenging examples.

Cryptography and Security,Programming Languages

Hans Riess

2023-04-06

Abstract:In this thesis, we argue that (order-) lattice-based multi-agent information systems constitute a broad class of networked multi-agent systems in which relational data is passed between nodes. Mathematically modeled as lattice-valued sheaves, we initiate a discrete Hodge theory with a Laplace operator, analogous to the graph Laplacian and the graph connection Laplacian, acting on assignments of data to the nodes of a Tarski sheaf. The Hodge-Tarski theorem (the main theorem) relates the fixed point theory of this operator, called the Tarski Laplacian in deference to the Tarski Fixed Point Theorem, to the global sections (consistent global states) of the sheaf. We present novel applications to signal processing and multi-agent semantics and supply a plethora of examples throughout.

Multiagent Systems,Signal Processing,Algebraic Topology

Robert E. Kent

DOI: https://doi.org/10.48550/arXiv.1810.11369

IF: 14.4

2018-10-19

Artificial Intelligence

Abstract:The sharing of ontologies between diverse communities of discourse allows them to compare their own information structures with that of other communities that share a common terminology and semantics - ontology sharing facilitates interoperability between online knowledge organizations. This paper demonstrates how ontology sharing is formalizable within the conceptual knowledge model of Information Flow (IF). Information Flow indirectly represents sharing through a specifiable, ontology extension hierarchy augmented with synonymic type equivalencing - two ontologies share terminology and meaning through a common generic ontology that each extends. Using the paradigm of participant community ontologies formalized as IF logics, a common shared extensible ontology formalized as an IF theory, participant community specification links from the common ontology to the participating community ontology formalizable as IF theory interpretations, this paper argues that ontology sharing is concentrated in a virtual ontology of community connections, and demonstrates how this virtual ontology is computable as the fusion of the participant ontologies - the quotient of the sum of the participant ontologies modulo the ontological sharing structure.

Sean Weerakkody,Bruno Sinopoli,Soummya Kar,Anupam Datta

DOI: https://doi.org/10.48550/arXiv.1603.05710

2016-03-18

Abstract:This paper considers the development of information flow analyses to support resilient design and active detection of adversaries in cyber physical systems (CPS). The area of CPS security, though well studied, suffers from fragmentation. In this paper, we consider control systems as an abstraction of CPS. Here, we extend the notion of information flow analysis, a well established set of methods developed in software security, to obtain a unified framework that captures and extends system theoretic results in control system security. In particular, we propose the Kullback Liebler (KL) divergence as a causal measure of information flow, which quantifies the effect of adversarial inputs on sensor outputs. We show that the proposed measure characterizes the resilience of control systems to specific attack strategies by relating the KL divergence to optimal detection techniques. We then relate information flows to stealthy attack scenarios where an adversary can bypass detection. Finally, this article examines active detection mechanisms where a defender intelligently manipulates control inputs or the system itself in order to elicit information flows from an attacker's malicious behavior. In all previous cases, we demonstrate an ability to investigate and extend existing results by utilizing the proposed information flow analyses.

Systems and Control

Nadia Polikarpova,Deian Stefan,Jean Yang,Shachar Itzhaky,Travis Hance,Armando Solar-Lezama

DOI: https://doi.org/10.48550/arXiv.1607.03445

2020-07-01

Abstract:We present Lifty, a domain-specific language for data-centric applications that manipulate sensitive data. A Lifty programmer annotates the sources of sensitive data with declarative security policies, and the language statically and automatically verifies that the application handles the data according to the policies. Moreover, if verification fails, Lifty suggests a provably correct repair, thereby easing the programmer burden of implementing policy enforcing code throughout the application. The main insight behind Lifty is to encode information flow control using liquid types, an expressive yet decidable type system. Liquid types enable fully automatic checking of complex, data dependent policies, and power our repair mechanism via type-driven error localization and patch synthesis. Our experience using Lifty to implement three case studies from the literature shows that (1) the Lifty policy language is sufficiently expressive to specify many real-world policies, (2) the Lifty type checker is able to verify secure programs and find leaks in insecure programs quickly, and (3) even if the programmer leaves out all policy enforcing code, the Lifty repair engine is able to patch all leaks automatically within a reasonable time.

Programming Languages

Alan Dearle,Graham Kirby,Andrew McCarthy,Juan-Carlos Diaz y Carballo

DOI: https://doi.org/10.48550/arXiv.1006.5940

2010-06-29

Distributed, Parallel, and Cluster Computing

Abstract:In this paper we describe an architecture which: Permits the deployment and execution of components in appropriate geographical locations. Provides security mechanisms that prevent misuse of the architecture. Supports a programming model that is familiar to application programmers. Permits installed components to share data. Permits the deployed components to communicate via communication channels. Provides evolution mechanisms permitting the dynamic rearrangement of inter-connection topologies the components that they connect. Supports the specification and deployment of distributed component deployments.