Li Jiang,Lingdi Ping,Xuezeng Pan

DOI: https://doi.org/10.1007/978-3-540-76788-6_6

2007-01-01

Abstract:Information flow and in particular noninterference ensure that sensitive information does not affect public information. But noninterference is too restrictive: real computing systems sometimes need to dynamically release certain amount of sensitive information. In this paper, we propose a new security property that requires the decision to perform information release have high integrity, and permits low integrity data which comes from untrusted sources to dynamically affect information release by upgrading (or endorsing) its integrity. To control such integrity upgrading, we introduce an endorsement mechanism that takes the form of a local integrity endorsing policy declaration. So the programmer can express more precise ways of endorsing, by specifying the integrity levels from which information may be endorsed. In addition, we show a new type system to enforce the security property.

Lì Jiāng,Lingdi Ping,Xuezeng Pan

DOI: https://doi.org/10.1109/cis.2007.58

2007-01-01

Abstract:Language-based information flow security proper- ties such as noninterference ensure confidential data cannot interfere with public data. But in real comput- ing systems sensitive information sometimes needs to be released or to become more confidential. In this paper, we propose a new security property including support for both information release and erasure. Since the property is in the style of strong bisimulation equivalence, it is applicable to multi-threaded pro- grams. To ensure that declassification cannot be ex- ploited to reveal more secret data than intended, our property addresses what information may be released. Moreover, the property guarantees that dynamic up- grading the security label of data due to erasure re- quirement cannot affect the publicly visible behavior.

姜励,平玲娣,陈小平,潘雪增,李善平

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.12.010

2008-01-01

Abstract:The concept of trust domain was introduced into probabilistic secure process algebra(PSPA),and the intransitive noninterference information flow security model was extended to probabilistic systems to implement many important security policies such as secure downgrading of probabilistic information and channel control.Intransitive probabilistic information flow security properties were analyzed based on the probabilistic weak bisimulation equivalence.Intransitive bisimulation strong probabilistic noninterference(I_BSPNI) and intransitive probabilistic bisimulation-based nondeducibility on composition(I_PBNDC) were presented.To expose the potential secure problem that I_PBNDC cannot discover in dynamic context,the persistent I_PBNDC property was proposed,which required that every reachable state of the system must satisfy I_PBNDC.The properties like bisimulation-based nondeducibility on composition are difficult to prove.To overcome this shortcoming,strong I_PBNDC property was defined in terms of unwinding conditions demanding properties of individual actions.Finally,the relations between these properties were given and proved.

JIANG Li,CHEN Jian,PING Ling-di,CHEN Xiao-ping

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.05.004

2010-01-01

Abstract:In multithreaded environment,sensitive information is often deliberately released by many real applications and sometimes information needs to become more confidential. In order to address this situation,a security policy was defined in the style of strong bisimulation equivalence,which can handle both information leaking and erasing. The policy controls what information is released and guarantees that attackers cannot exploit information releasing mechanisms to reveal more sensitive data than intended. Moreover,it ensures that public data after erasing cannot be abused by attackers. Then a secure transforming type system was proposed to enforce the security policy by using the cross-copying technique,which can eliminate internal timing covert channels resulting from the interplay between different threads. The transforming type system can transform an insecure program into a secure one,trying to close information leaks. The secure program has the same structure as the original program and models the same timing behavior. Finally,the soundness of the type system was proved with respect to the operational semantics. Results indicate that if a program can be transformed according to typing rules,the resulting program satisfies the security policy.

Yong Huang,Lingdi Ping,Shanping Li,Xuezeng Pan

DOI: https://doi.org/10.4304/jsw.4.1.90-97

2009-01-01

Journal of Software

Abstract:Real-time information flow security properties such as timed noninterference provide assurances that some time dependent information flows may not become possible. However, with transitive noninterference formulation, it is difficult to deal with intransitive flow policies like channel control and secure downgrading of information with time constraints. In this paper, we introduce the notion of trust domain into Timed Secure Process Algebra (tSPA), extending intransitive noninterference to real-time systems. Based on weak timed bisimulation equivalence, some security properties for intransitive flow are reformulated in a realtime setting, in particular one property which is persistent, meaning that if a system is secure then all of its reachable states are secure too. Furthermore, we prove that such persistent intransitive timed property is compositional, which is thus possible to alleviate the state space explosion problem caused by the interleaving of all the possible executions of parallel processes. Finally, we provide one case study showing that it is possible to model and analyze the real-time system through our approach.

Cong Sun,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1109/infcomw.2011.5928777

2011-01-01

Abstract:Language-based information flow security aims to decide whether an action-observable program can unintentionally leak confidential information if it has the authority to access confidential data. Recent concerns about declassification polices have provided many choices for practical intended information release, but more precise enforcement mechanism for these policies is insufficiently studied. In this paper, we propose a security property on the where-dimension of declassification and present an enforcement based on automated verification. The approach automatically transforms the abstract model with a variant of self-composition, and checks the reachability of illegal-flow state of the model after transformation. The self-composition is equipped with a store-match pattern to reduce the state space and to model the equivalence of declassified expressions in the premise of property. The evaluation shows that our approach is more precise than type-based enforcement.

Ethan Cecchetti,Andrew C. Myers,Owen Arden

DOI: https://doi.org/10.1145/3133956.3134054

2017-09-01

Abstract:Noninterference is a popular semantic security condition because it offers strong end-to-end guarantees, it is inherently compositional, and it can be enforced using a simple security type system. Unfortunately, it is too restrictive for real systems. Mechanisms for downgrading information are needed to capture real-world security requirements, but downgrading eliminates the strong compositional security guarantees of noninterference. We introduce nonmalleable information flow, a new formal security condition that generalizes noninterference to permit controlled downgrading of both confidentiality and integrity. While previous work on robust declassification prevents adversaries from exploiting the downgrading of confidentiality, our key insight is transparent endorsement, a mechanism for downgrading integrity while defending against adversarial exploitation. Robust declassification appeared to break the duality of confidentiality and integrity by making confidentiality depend on integrity, but transparent endorsement makes integrity depend on confidentiality, restoring this duality. We show how to extend a security-typed programming language with transparent endorsement and prove that this static type system enforces nonmalleable information flow, a new security property that subsumes robust declassification and transparent endorsement. Finally, we describe an implementation of this type system in the context of Flame, a flow-limited authorization plugin for the Glasgow Haskell Compiler.

Cryptography and Security,Programming Languages

XIE Jun,HUANG Hao

DOI: https://doi.org/10.1360/jos171601

2006-01-01

Journal of Software

Abstract:The noninterference concept for actions of system to information domains is proposed.On the basis of this concept, the noninterference model is extended to nondeterministic systems.The noninterference concept based on actions of system simplifies the "purge" of the action sequence of the system.As a result, this model has concise unwinding conditions which are easy to understand and use.The extended model can be used to verify not only static but also dynamic information flow policies.Finally, a dynamic label based access control model is designed, in which the concrete semantic of the actions such as read, write and execute are defined, and its security is verified by the noninterference model.

Andrea Esposito,Alessandro Aldini,Marco Bernardo,Sabina Rossi

2024-07-18

Abstract:The theory of noninterference supports the analysis of information leakage and the execution of secure computations in multi-level security systems. Classical equivalence-based approaches to noninterference mainly rely on weak bisimulation semantics. We show that this approach is not sufficient to identify potential covert channels in the presence of reversible computations. As illustrated via a database management system example, the activation of backward computations may trigger information flows that are not observable when proceeding in the standard forward direction. To capture the effects of back-and-forth computations, it is necessary to switch to a more expressive semantics, which has been proven to be branching bisimilarity in a previous work by De Nicola, Montanari, and Vaandrager. In this paper we investigate a taxonomy of noninterference properties based on branching bisimilarity along with their preservation and compositionality features, then we compare it with the taxonomy of Focardi and Gorrieri based on weak bisimilarity.

Cryptography and Security

Cong Sun,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1109/qsic.2010.50

2010-01-01

Abstract:Automated verification of noninterference is commonly considered more precise than type-based approach on enforcing secure information flow for program. We propose an approach on model checking symbolic pushdown system generated from Java bytecode, and develop a deployment-time verification framework to ensure noninterference of bytecode. In order to overcome the constraints brought by the nature of object-oriented language and application scenario, we extend self-composition to low-recorded self-composition to reduce the partial correctness judgements on safety property to reachability analysis. In this variation, meta-level indices of heap are recorded into the self-composed pushdown system for the construction of auxiliary interleaving assignments and branch condition to illegal-flow state. Our experiments show that the approach is more scalable than previous work based on automated verification.

Youngju Song,Minki Cho,Dongjae Lee,Chung-Kil Hur

DOI: https://doi.org/10.48550/arXiv.2109.02991

2021-09-07

Abstract:Contextual refinement and separation logics are successful verification techniques that are very different in nature. First, the former guarantees behavioral refinement between a concrete program and an abstract program while the latter guarantees safety of a concrete program under certain conditions (expressed in terms of pre and post conditions). Second, the former does not allow any assumption about the context when locally reasoning about a module while the latter allows rich assumptions. In this paper, we present a new verification technique, called abstraction logic (AL), that inherently combines contextual refinement and separation logics such as Iris and VST, thereby taking the advantages of both. Specifically, AL allows us to locally verify a concrete module against an abstract module under separation-logic-style pre and post conditions about external modules. AL are fully formalized in Coq and provides a proof mode that supports a combination of simulation-style reasoning using our own tactics and SL-style reasoning using IPM (Iris Proof Mode). Using the proof mode, we verified various examples to demonstrate reasoning about ownership (based on partial commutative monoids) and purity ($i.e.$, termination with no system call), cyclic and higher-order reasoning about mutual recursion and function pointers, and reusable and gradual verification via intermediate abstractions. Also, the verification results are combined with CompCert, so that we formally establish behavioral refinement from top-level abstract programs, all the way down to their assembly code.

Programming Languages

Cong Sun,Ennan Zhai,Zhong Chen,Jianfeng Ma

DOI: https://doi.org/10.1007/978-3-642-25243-3_28

2011-01-01

Abstract:Interactive/Reactive computational model is known to be proper abstraction of many pervasively used systems, such as clientside web-based applications. The critical task of information flow control mechanisms aims to determine whether the interactive program can guarantee the confidentiality of secret data. We propose an efficient and flow-sensitive static analysis to enforce information flow policy on program with interactive I/Os. A reachability analysis is performed on the abstract model after a form of transformation, called multi-composition, to check the conformance with the policy. In the multi-composition we develop a store-match pattern to avoid duplicating the I/O channels in the model, and use the principle of secure multi-execution to generalize the security lattice model which is supported by other approaches based on automated verification. We also extend our approach to support a stronger version of termination-insensitive noninterference. The results of preliminary experiments show that our approach is more precise than existing flow-sensitive analysis and the cost of verification is reduced through the store-match pattern.

Sebastian Eggert,Henning Schnoor,Thomas Wilke

DOI: https://doi.org/10.48550/arXiv.1208.5580

2013-06-14

Abstract:We develop a theory for state-based noninterference in a setting where different security policies---we call them local policies---apply in different parts of a given system. Our theory comprises appropriate security definitions, characterizations of these definitions, for instance in terms of unwindings, algorithms for analyzing the security of systems with local policies, and corresponding complexity results.

Cryptography and Security

Marco Eilers,Thibault Dardinier,Peter Müller

DOI: https://doi.org/10.48550/arXiv.2211.08459

2023-04-12

Abstract:Information flow security ensures that the secret data manipulated by a program does not influence its observable output. Proving information flow security is especially challenging for concurrent programs, where operations on secret data may influence the execution time of a thread and, thereby, the interleaving between different threads. Such internal timing channels may affect the observable outcome of a program even if an attacker does not observe execution times. Existing verification techniques for information flow security in concurrent programs attempt to prove that secret data does not influence the relative timing of threads. However, these techniques are often restrictive (for instance because they disallow branching on secret data) and make strong assumptions about the execution platform (ignoring caching, processor instructions with data-dependent runtime, and other common features that affect execution time). In this paper, we present a novel verification technique for secure information flow in concurrent programs that lifts these restrictions and does not make any assumptions about timing behavior. The key idea is to prove that all mutating operations performed on shared data commute, such that different thread interleavings do not influence its final value. Crucially, commutativity is required only for an abstraction of the shared data that contains the information that will be leaked to a public output. Abstract commutativity is satisfied by many more operations than standard commutativity, which makes our technique widely applicable. We formalize our technique in CommCSL, a relational concurrent separation logic with support for commutativity-based reasoning, and prove its soundness in Isabelle/HOL. We implemented CommCSL in HyperViper, an automated verifier based on the Viper verification infrastructure, and demonstrate its ability to verify challenging examples.

Cryptography and Security,Programming Languages

Cong Sun,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1109/icis.2011.20

2011-01-01

Abstract:Language-based information flow security provides a way to enforce either the baseline noninterference property or more relaxed properties specifying intended information release. This paper presents a new approach for enforcing information release policy on programming language with I/O channels. First we present a relaxed security property complying with the security policy on the what-dimension of declassification. Second we propose an enforcement mechanism for the security property based on reach ability analysis of pushdown system. The self-composition is equipped with a store-match pattern, which reduces the cost of verification by avoiding duplication of I/O channels. The pattern also facilitates characterization of the security property. The experimental results show the preciseness of our enforcement.

Abhishek Bichhawat,Vineet Rajani,Deepak Garg,Christian Hammer

DOI: https://doi.org/10.48550/arXiv.1506.03950

2015-06-12

Cryptography and Security

Abstract:Preventing implicit information flows by dynamic program analysis requires coarse approximations that result in false positives, because a dynamic monitor sees only the executed trace of the program. One widely deployed method is the no-sensitive-upgrade check, which terminates a program whenever a variable's taint is upgraded (made more sensitive) due to a control dependence on tainted data. Although sound, this method is restrictive, e.g., it terminates the program even if the upgraded variable is never used subsequently. To counter this, Austin and Flanagan introduced the permissive-upgrade check, which allows a variable upgrade due to control dependence, but marks the variable "partially-leaked". The program is stopped later if it tries to use the partially-leaked variable. Permissive-upgrade handles the dead-variable assignment problem and remains sound. However, Austin and Flanagan develop permissive-upgrade only for a two-point (low-high) security lattice and indicate a generalization to pointwise products of such lattices. In this paper, we develop a non-trivial and non-obvious generalization of permissive-upgrade to arbitrary lattices. The key difficulty lies in finding a suitable notion of partial leaks that is both sound and permissive and in developing a suitable definition of memory equivalence that allows an inductive proof of soundness.

Crystal Chang Din,Reiner Hähnle,Ludovic Henrio,Einar Broch Johnsen,Violet Ka I Pun,S. Lizeth Tapia Tarifa

DOI: https://doi.org/10.1145/3648439

IF: 1.714

2024-02-16

ACM Transactions on Programming Languages and Systems

Abstract:Formal, mathematically rigorous programming language semantics are the essential prerequisite for the design of logics and calculi that permit automated reasoning about concurrent programs. We propose a novel modular semantics designed to align smoothly with program logics used in deductive verification and formal specification of concurrent programs. Our semantics separates local evaluation of expressions and statements performed in an abstract, symbolic environment from their composition into global computations, at which point they are concretised. This makes incremental addition of new language concepts possible, without the need to revise the framework. The basis is a generalisation of the notion of a program trace as a sequence of evolving states that we enrich with event descriptors and trailing continuation markers. This allows to postpone scheduling constraints from the level of local evaluation to the global composition stage, where well-formedness predicates over the event structure declaratively characterise a wide range of concurrency models. We also illustrate how a sound program logic and calculus can be defined for this semantics.

computer science, software engineering

Aslan Askarov,Andrew Myers

DOI: https://doi.org/10.2168/LMCS-7%283%3A17%292011

2011-09-23

Abstract:Language-based information flow methods offer a principled way to enforce strong security properties, but enforcing noninterference is too inflexible for realistic applications. Security-typed languages have therefore introduced declassification mechanisms for relaxing confidentiality policies, and endorsement mechanisms for relaxing integrity policies. However, a continuing challenge has been to define what security is guaranteed when such mechanisms are used. This paper presents a new semantic framework for expressing security policies for declassification and endorsement in a language-based setting. The key insight is that security can be characterized in terms of the influence that declassification and endorsement allow to the attacker. The new framework introduces two notions of security to describe the influence of the attacker. Attacker control defines what the attacker is able to learn from observable effects of this code; attacker impact captures the attacker's influence on trusted locations. This approach yields novel security conditions for checked endorsements and robust integrity. The framework is flexible enough to recover and to improve on the previously introduced notions of robustness and qualified robustness. Further, the new security conditions can be soundly enforced by a security type system. The applicability and enforcement of the new policies is illustrated through various examples, including data sanitization and authentication.

Programming Languages,Cryptography and Security

Shuling Wang,Qin Shu,Yijing Liu,Zongyan Qiu

DOI: https://doi.org/10.1007/s11704-009-0075-6

2010-01-01

Abstract:Confinement is required in object-oriented programming in order to protect sensitive object references. Recently a range of confinement schemes have been proposed to achieve object encapsulation by defining static type systems, but unavoidably, with strong restrictions. On the other hand, no similarity in concepts makes assessing of these schemes a difficulty. We build in this paper a semantic model for confinement in μJava, a subset of sequential Java that offers most object-oriented features. This model has limited restriction for programs. From a semantic view, confinement is defined with respect to a given context that specifies partition of the object pool and confinement constraint among them. Moreover, we present the main Locality theorem for checking well confinement of programs locally. By applying this theorem, we have solved a security breach problem from Java JDK 1.1.1, and furthermore, proved the soundness of two widely used confinement schemes: confined types and ownership types.

Cong Sun,Ning Xi,Sheng Gao,Zhong Chen,JianFeng Ma

DOI: https://doi.org/10.1007/s11432-014-5168-7

2014-01-01

Science China Information Sciences

Abstract:Language-based information flow security is a promising approach for enforcement of strong security and protection of the data confidentiality for the end-to-end communications. Here, noninterference is the standard and most restricted security property that completely forbids confidential data from being released to public context. Although this baseline property has been extensively enforced in various cases, there are still many programs, which are considered secure enough, violating this property in some way. In order to control the information release in these programs, the predetermined ways should be specified by means of which confidential data can be released. These intentional releases, also called declassifications, are regulated by several more relaxed security properties than noninterference. The security properties for controlled declassification have been developed on different dimensions with declassification goals. However, the mechanisms used to enforce these properties are still unaccommodating, unspecific, and insufficiently studied. In this work, a new security property, the Relaxed Release with Reference Points (R3P), is presented to limit the information that can be declassified in a program. Moreover, a new mechanism using reachability analysis has been proposed for the pushdown system to enforce R3P on programs. In order to show R3P is competent for use, it has been proved that it complies with the well-known prudent principles of declassification, and in addition finds some restrictions on our security policy. The widespread usage, precision, efficiency, and the influencing factors of our enforcement have been evaluated.