Results 1 - 10 of 16
Run-time Principals in Information-flow Type Systems
- In IEEE Symposium on Security and Privacy, 2004
- Cited by 45 (9 self)
Abstract
for enforcing strong end-to-end confidentiality and integrity policies. Such policies, however, are usually specified in terms of static information---data is labeled high or low security at compile time. In practice, the confidentiality of data may depend on information available only while the system is running. This paper studies language support for run-time principals, a mechanism for specifying information-flow security policies that depend on which principals interact with the system. We establish the basic property of noninterference for programs written in such a language, and use run-time principals for specifying run-time authority in downgrading mechanisms such as declassification.
Observational Determinism for Concurrent Program Security
- In Proc. 16th IEEE Computer Security Foundations Workshop, 2003
- Cited by 36 (6 self)
Abstract
Noninterference is a property of sequential programs that is useful for expressing security policies for data confidentiality and integrity. However, extending noninterference to concurrent programs has proved problematic. In this paper we present a relatively expressive secure concurrent language. This language, based on existing concurrent calculi, provides first-class channels, higher-order functions, and an unbounded number of threads. Well-typed programs obey a generalization of noninterference that ensures immunity to internal timing attacks and to attacks that exploit information about the thread scheduler. Elimination of these refinement attacks is possible because the enforced security property extends noninterference with observational determinism. Although the security property is strong, it also avoids some of the restrictiveness imposed on previous security-typed concurrent languages.
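The internal timing leak this abstract refers to, and the per-location trace comparison behind observational determinism, as an added illustration that is not code from the paper: a tiny scheduler runs two-thread programs written as Python generators under several deterministic schedules and two secret inputs, then compares what a low observer sees. The thread bodies, the `low` naming convention for public locations and the three schedulers are constructed for this example; the paper's language, type system and proof are not reproduced here.

```python
"""Observational determinism checked by execution (illustrative, not the paper's calculus).

A program is a list of thread bodies. Each body is a generator over a shared
memory dict; every `yield` is one scheduler step, and a write to a public
location is reported as the event (location, value). The low observer sees,
per public location, the sequence of values written there. Observational
determinism requires those per-location traces to agree, up to stuttering,
for every schedule and every secret input."""


def is_low(loc):
    return loc.startswith("low")            # naming convention assumed here


def run(threads, secret, schedule):
    """Execute `threads` under `schedule` with the given secret; return low traces."""
    mem = {"secret": secret}
    gens = [t(mem) for t in threads]
    alive = list(range(len(gens)))
    traces = {}
    step = 0
    while alive:
        tid = schedule(step, alive)
        try:
            event = next(gens[tid])
        except StopIteration:               # thread finished; not counted as a step
            alive.remove(tid)
            continue
        if event is not None and is_low(event[0]):
            traces.setdefault(event[0], []).append(event[1])
        step += 1
    return traces


def collapse(seq):
    """Drop consecutive repeats: traces are compared up to stuttering."""
    out = []
    for v in seq:
        if not out or out[-1] != v:
            out.append(v)
    return out


def observationally_deterministic(threads, secrets, schedulers):
    """True iff the low observer sees the same per-location traces in every run."""
    seen = set()
    for s in secrets:
        for sched in schedulers:
            tr = run(threads, s, sched)
            seen.add(tuple(sorted((loc, tuple(collapse(v))) for loc, v in tr.items())))
    return len(seen) == 1


# Constructed deterministic schedulers; the property must hold under all of them.
def round_robin(step, alive):
    return alive[step % len(alive)]

def first_alive(step, alive):
    return alive[0]

def last_alive(step, alive):
    return alive[-1]

SCHEDULERS = [round_robin, first_alive, last_alive]


# Insecure: both threads write the same public location and thread A's timing
# depends on the secret, so the order of the two writes reveals it.
def leaky_a(mem):
    if mem["secret"]:
        for _ in range(3):
            yield None                      # secret-dependent delay
    mem["low"] = 1
    yield ("low", 1)

def leaky_b(mem):
    yield None
    mem["low"] = 0
    yield ("low", 0)

LEAKY = [leaky_a, leaky_b]


# Secure: each public location is written by one thread only, so the delay
# changes when the writes happen but not what the observer sees at any location.
def secure_a(mem):
    if mem["secret"]:
        for _ in range(3):
            yield None
    mem["low_a"] = 1
    yield ("low_a", 1)

def secure_b(mem):
    yield None
    mem["low_b"] = 0
    yield ("low_b", 0)

SECURE = [secure_a, secure_b]

if __name__ == "__main__":
    for name, prog in (("leaky", LEAKY), ("secure", SECURE)):
        print(name, observationally_deterministic(prog, [0, 1], SCHEDULERS))
```

Under round-robin the leaky program's observer sees `low` written as 1 then 0 when the secret is 0, and 0 then 1 when it is 1; the secure version gives each thread its own public location, so the traces agree under every schedule even though the secret still changes how long thread A takes. The check is by enumeration over a fixed set of schedules, which is evidence rather than the proof the paper gives, and it says nothing about external timing (how long the whole program runs); the abstract's guarantee concerns internal timing.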
Dynamic Security Labels and Noninterference
- 2004
- Cited by 32 (2 self)
Abstract
This paper gives a language in which information flow is securely controlled by a dependent type system, yet the security classes of data can vary dynamically. Information flow policies provide the means to express strong security requirements for data confidentiality and integrity. Recent work on security-typed programming languages has shown that information flow can be analyzed statically, ensuring that programs will respect the restrictions placed on data. However, real computing systems have security policies that vary dynamically and that cannot be determined at the time of program analysis. For example, a file has associated access permissions that cannot be known with certainty until it is opened. Although one security-typed programming language has included support for dynamic security labels, there has been no demonstration that a general mechanism for dynamic labels can securely control information flow. In this paper, we present an expressive language-based mechanism for reasoning about dynamic security labels. The mechanism is formally presented in a core language based on the typed lambda calculus; any well-typed program in this language is provably secure because it satisfies noninterference.
Type-Based Information Flow Analysis for the Pi-Calculus
- Acta Informatica, 2003
- Cited by 31 (8 self)
Abstract
We propose a new type system for information flow analysis for the
Type-Based Information Flow Analysis for Low-Level Languages
- In Proceedings of the 3rd Asian Workshop on Programming Languages and Systems (APLAS’02), 2002
- Cited by 10 (1 self)
Abstract
A static program analysis called information flow analysis has been studied for high-level programming languages, to check that programs do not leak information about secret data such as passwords.
A typed assembly language for non-interference
- In ICTCS 2005, Ninth Italian Conference on Theoretical Computer Science, Certosa di Pontignano, volume 3701 of LNCS, 2005
- Cited by 9 (1 self)
Abstract
Non-interference is a desirable property of systems in a multilevel security architecture, stating that confidential information is not disclosed in public output. The challenge of studying information flow for assembly languages is that the control flow constructs that guide the analysis in high-level languages are not present. To address this problem, we define a typed assembly language that uses pseudo-instructions to impose a stack discipline on the control flow of programs. We develop a type system for checking that assembly programs enjoy non-interference and its proof of soundness.
A Type System for Data-Flow Integrity on Windows Vista
- 2007
- Cited by 7 (7 self)
Abstract
The Microsoft Windows Vista operating system implements mandatory access control (MAC) for multi-level integrity. Vista’s MAC implementation is designed to balance security with functionality—trusted processes may read untrusted values, and integrity labels may be changed dynamically. While such flexibility makes the system more usable, it also opens the door for information flow vulnerabilities. We propose data-flow integrity (DFI) as a practical security property in this context, and present a type system to enforce DFI in Vista. As long as all trusted code is certified by the type system, we guarantee that locations whose contents are trusted never contain untrusted values, regardless of what untrusted code runs in the environment. Our type system relies on Vista’s dynamic MAC checks for soundness, and illustrates the genuine interplay between static analysis and runtime checks that is needed to ensure such protection. Our study may be viewed as a formalization of the security design of Vista; in particular, our type system formalizes conjectured best practices for secure programming on Vista. Further, we show that while Vista’s write access checks are necessary to enforce DFI, the access control on execution of binaries can in fact be eliminated as a runtime optimization if trusted code is typed using our type system.
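Added illustration, not the paper's formal system: a model of Vista's no-write-up check next to a small static data-flow integrity check on trusted code, so both can be run on the same programs. The integrity levels, the three file objects, the mini-language of read/const/op/write/if statements and its checker are all constructed for this example, and object labels are taken as fixed during the static check (the paper also handles labels that change at run time).

```python
"""Vista-style integrity MAC versus data-flow integrity (DFI): illustrative model, not the paper's system."""
from dataclasses import dataclass

LOW, MEDIUM, HIGH = 0, 1, 2                 # ordered integrity levels, as on Vista
NAMES = {LOW: "Low", MEDIUM: "Medium", HIGH: "High"}


@dataclass
class Obj:
    name: str
    level: int          # integrity label of the location
    value: object
    provenance: int     # model-only oracle: lowest level the current value derived from


def fresh_objects():
    """Constructed file system: a download written by a Low browser, a High
    service configuration, and a Low log file."""
    return {
        "download.txt": Obj("download.txt", LOW, "evil=1", LOW),
        "service.cfg": Obj("service.cfg", HIGH, "safe=1", HIGH),
        "service.log": Obj("service.log", LOW, "", HIGH),
    }


def check_trusted(program, objects, env=None, pc=HIGH):
    """Static DFI check of trusted code. env: variable -> integrity of its data;
    pc: integrity of the control context (an `if` on untrusted data makes the
    writes inside it untrusted). Returns a list of errors."""
    env = {} if env is None else env
    errors = []
    for stmt in program:
        kind = stmt[0]
        if kind == "read":                       # var := contents of object
            env[stmt[1]] = min(pc, objects[stmt[2]].level)
        elif kind == "const":                    # literal produced by trusted code
            env[stmt[1]] = pc
        elif kind == "op":                       # var := f(a, b): least trusted input wins
            env[stmt[1]] = min(pc, env[stmt[2]], env[stmt[3]])
        elif kind == "write":                    # object := var
            need = objects[stmt[1]].level
            have = min(pc, env[stmt[2]])
            if have < need:
                errors.append(f"{NAMES[have]} data written to {stmt[1]} ({NAMES[need]})")
        elif kind == "if":
            errors += check_trusted(stmt[2], objects, env, min(pc, env[stmt[1]]))
    return errors


def execute(program, objects, process_level, env=None):
    """Run the program as a process at `process_level`, enforcing only Vista's
    dynamic no-write-up check. The provenance oracle follows explicit data flow."""
    env = {} if env is None else env             # var -> (value, provenance)
    for stmt in program:
        kind = stmt[0]
        if kind == "read":
            o = objects[stmt[2]]
            env[stmt[1]] = (o.value, o.provenance)
        elif kind == "const":
            env[stmt[1]] = (stmt[2], process_level)
        elif kind == "op":
            (va, pa), (vb, pb) = env[stmt[2]], env[stmt[3]]
            env[stmt[1]] = (f"{va}{vb}", min(pa, pb))
        elif kind == "write":
            o = objects[stmt[1]]
            if process_level < o.level:          # Vista: no write-up
                raise PermissionError(f"{NAMES[process_level]} process cannot write {o.name}")
            o.value, o.provenance = env[stmt[2]]
        elif kind == "if" and env[stmt[1]][0]:
            execute(stmt[2], objects, process_level, env)
    return objects


def dfi_violations(objects):
    """Locations holding a value that derived from a source below their own label."""
    return [o.name for o in objects.values() if o.provenance < o.level]


def mac_allows(program, process_level):
    try:
        execute(program, fresh_objects(), process_level)
        return True
    except PermissionError:
        return False


# Trusted service copies an untrusted download into its own configuration.
BAD = [("read", "x", "download.txt"), ("write", "service.cfg", "x")]
# Same read, but the download is only logged; the configuration comes from a literal.
GOOD = [("read", "x", "download.txt"), ("write", "service.log", "x"),
        ("const", "y", "mode=safe"), ("write", "service.cfg", "y")]
# Implicit flow: whether the configuration is written depends on untrusted data.
IMPLICIT = [("read", "x", "download.txt"), ("const", "y", "mode=safe"),
            ("if", "x", [("write", "service.cfg", "y")])]

if __name__ == "__main__":
    for name, prog in (("BAD", BAD), ("GOOD", GOOD), ("IMPLICIT", IMPLICIT)):
        print(name, "static:", check_trusted(prog, fresh_objects()) or "ok",
              "| runtime DFI:", dfi_violations(execute(prog, fresh_objects(), HIGH)) or "none")
```

`execute` knows only what the dynamic check knows, the process's label against the object's, so the High service in `BAD` copies Low data into its High configuration and is not stopped; the same program run at Low is refused by the write check, which is the part the paper says is necessary. `check_trusted` rejects `BAD` and the implicit-flow variant before they run while still letting the untrusted data be logged to a Low object. The provenance field is an oracle added to explain the explicit leak, not something Vista tracks, and it does not see the implicit flow in `IMPLICIT`; that one is caught only by the static check, which is the kind of interplay between type system and run-time checks the abstract describes.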
Dynamic Security Labels and Static Information Flow Control
- Cited by 6 (0 self)
Abstract
This paper presents a language in which information flow is securely controlled by a type system, yet the security class of data can vary dynamically. Information flow policies provide the means to express strong security requirements for data confidentiality and integrity. Recent work on security-typed programming languages has shown that information flow can be analyzed statically, ensuring that programs will respect the restrictions placed on data. However, real computing systems have security policies that cannot be determined at the time of program analysis. For example, a file has associated access permissions that cannot be known with certainty until it is opened. Although one security-typed programming language has included support for dynamic security labels, there has been no demonstration that a general mechanism for dynamic labels can securely control information flow. In this paper, we present an expressive language-based mechanism for reasoning about dynamic security labels. The mechanism is formally presented in a core language based on the typed lambda calculus; any well-typed program in this language is secure because it satisfies noninterference.
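For this entry, its conference version above (Dynamic Security Labels and Noninterference) and the run-time principals entry at the top of the list, an added example that is not code from any of these papers: a small run-time monitor in which labels are decentralized-label-style owner/reader policies, the output label is read from a file's permissions only when the file is opened (the abstract's own motivating case), and declassification succeeds only under the authority of the principal that actually authenticated. The principal names, the permission table and the request handler are constructed for this example; the papers prove noninterference for a type system that discharges most of these checks statically and defers only the label tests that depend on run-time values, whereas everything here is checked at run time.

```python
"""Run-time labels and run-time principals: an illustrative monitor (assumed design, not the papers' calculus)."""
from dataclasses import dataclass


@dataclass
class Label:
    """Decentralized-label style: owner -> readers that owner permits."""
    policies: dict

    def flows_to(self, other):
        """self ⊑ other: other keeps every owner of self and permits no extra readers."""
        return all(o in other.policies and other.policies[o] <= r
                   for o, r in self.policies.items())

    def join(self, other):
        """Least upper bound: all policies; a shared owner keeps the readers both allow."""
        merged = dict(self.policies)
        for o, r in other.policies.items():
            merged[o] = merged[o] & r if o in merged else r
        return Label(merged)


def L(**policies):
    return Label({o: frozenset(r) for o, r in policies.items()})


@dataclass
class Labeled:
    value: object
    label: Label


class FlowViolation(Exception):
    pass


def assign(target, v):
    """Run-time check for `target := v`; `target` is a label value computed at run time."""
    if not v.label.flows_to(target):
        raise FlowViolation(f"{v.label.policies} does not flow to {target.policies}")
    return Labeled(v.value, target)


def declassify(v, to, authority):
    """Relax v's label to `to`. A policy whose owner is in `authority` (the principals
    the running code acts for) may be weakened; every other policy must still flow."""
    kept = Label({o: r for o, r in v.label.policies.items() if o not in authority})
    if not kept.flows_to(to):
        raise FlowViolation(f"{sorted(authority)} may not declassify to {to.policies}")
    return Labeled(v.value, to)


def open_file_label(path):
    """Stand-in for reading a file's permissions when it is opened (constructed table)."""
    perms = {"/shared/report.txt": L(alice={"alice", "bob"})}
    return perms[path]


def handle_request(session_principal):
    """Write alice's private data to a shared file. The outcome depends on the file's
    label and on who authenticated, neither of which is known before the program runs."""
    secret = Labeled("q3 numbers", L(alice={"alice"}))
    out = open_file_label("/shared/report.txt")
    if secret.label.flows_to(out):                   # dynamic label test
        assign(out, secret)
        return "written"
    try:                                             # otherwise run-time authority is needed
        relaxed = declassify(secret, out, frozenset({session_principal}))
    except FlowViolation:
        return "refused"
    assign(out, relaxed)
    return "written after declassification"


if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, "->", handle_request(who))
```

The first branch of `handle_request` is the dynamic label test: whether the private data may simply be written depends on a label that only exists once the file has been opened. When it fails, the code falls back to declassification, and whether that is permitted depends on the run-time principal: a session acting for alice owns the only policy being relaxed, a session acting for bob does not. `join` is the label lattice operation a type system would apply to the result of combining two labeled values.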
Checking secure information flow in Java bytecode by code transformation and standard bytecode verification
- Softw. Pract. Exper.
- Cited by 4 (0 self)
Abstract
A method is presented for checking secure information flow in Java bytecode, assuming a multilevel security policy that assigns security levels to the objects. The method exploits the type-level abstract interpretation of standard bytecode verification to detect illegal information flows. We define an algorithm transforming the original code into another code in such a way that a typing error detected by the Verifier on the transformed code corresponds to a possible illicit information flow in the original code. We present a prototype tool that implements the code transformation and we show an example of application of the method.
Information flow analysis for a typed assembly language with polymorphic stacks
- Proceedings of CASSIS’05, volume 3956 of Lecture Notes in Computer Science, 2005
- Cited by 2 (0 self)
Abstract
We study secure information flow in a stack based Typed Assembly Language (TAL). We define a TAL with an execution stack and establish the soundness of its type system by proving non-interference. One of the problems of studying information flow for a low-level language is the absence of high-level control flow constructs that guide information flow analysis in high-level languages. Furthermore, in the presence of an execution stack, code that frees space on the stack must be constrained in order to avoid illegal flows. Finally, in the presence of stack polymorphism, we must ensure that type variables are instantiated without observable differences. These issues are addressed by introducing junction points into the type system, ensuring that they behave as ordered linear continuations and that they interact safely with the execution stack. We also discuss several limitations of our approach and point out some issues that are left open.
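For this entry and the ICTCS one above (A typed assembly language for non-interference), an added example that is not code from either paper: a checker for a register-based toy assembly in which a conditional jump carries its junction point as a pseudo-instruction operand, so the program-counter label is raised to the condition's label for the two arms and restored when the junction is reached. The instruction set, the register labels, the layout assumption (fall-through arm, jump to the junction, target label, other arm, junction) and the rules rejecting a jump past the open junction or a halt inside a conditional region are all constructed for the example; the papers treat general code and, in the CASSIS paper, an execution stack with polymorphism, which this checker does not model.

```python
"""Information-flow checking of a toy assembly with junction points (illustrative; the papers' languages and proofs are richer)."""

LOW, HIGH = 0, 1
NAME = {LOW: "L", HIGH: "H"}


def lub(*labels):
    """Least upper bound in the two-point lattice L ⊑ H."""
    return max(labels)


def check(code, regs):
    """code: list of instruction tuples, regs: register -> security label.
    Returns a list of errors; an empty list means the program type-checks."""
    errors = []
    pc = LOW                                  # label of the control context
    pending = []                              # stack of (junction label, saved pc)

    def store(i, rd, *sources):               # rd := f(sources): no flow downwards
        need = lub(pc, *(regs[r] for r in sources))
        if need > regs[rd]:
            errors.append(f"{i}: {code[i]}: {NAME[need]} data into {NAME[regs[rd]]} register {rd}")

    for i, ins in enumerate(code):
        op = ins[0]
        if op == "movi":                      # rd := immediate
            store(i, ins[1])
        elif op == "mov":                     # rd := rs
            store(i, ins[1], ins[2])
        elif op == "add":                     # rd := rs + rt
            store(i, ins[1], ins[2], ins[3])
        elif op == "cjmp":                    # if rs != 0 goto target; arms rejoin at `join`
            _, rs, _target, join = ins
            pending.append((join, pc))        # push, so the old pc is restored at the junction
            pc = lub(pc, regs[rs])            # both arms run under the condition's label
        elif op == "jmp":                     # only the innermost open junction may be jumped to
            if not pending or pending[-1][0] != ins[1]:
                errors.append(f"{i}: jmp {ins[1]} escapes the stack discipline")
        elif op == "label":
            if pending and pending[-1][0] == ins[1]:
                _, pc = pending.pop()         # the arms have met: restore the saved pc
        elif op == "halt":
            if pending:
                errors.append(f"{i}: halt inside a conditional region")
        else:
            errors.append(f"{i}: unknown instruction {op}")
    if pending:
        errors.append(f"junction {pending[-1][0]} never reached")
    return errors


# Constructed register labels: r_h and r_t hold secrets, r_l is public.
REGS = {"r_h": HIGH, "r_t": HIGH, "r_l": LOW}

# Rejected: the public register is written inside arms chosen by a secret.
INSECURE = [
    ("cjmp", "r_h", "L1", "J"),
    ("movi", "r_l", 0),
    ("jmp", "J"),
    ("label", "L1"),
    ("movi", "r_l", 1),
    ("label", "J"),
    ("halt",),
]

# Accepted: the arms touch only secret registers; the public write follows the junction.
SECURE = [
    ("cjmp", "r_h", "L1", "J"),
    ("movi", "r_t", 0),
    ("jmp", "J"),
    ("label", "L1"),
    ("movi", "r_t", 1),
    ("label", "J"),
    ("movi", "r_l", 7),
    ("add", "r_t", "r_t", "r_l"),             # public data may flow into a secret register
    ("halt",),
]

# Rejected: a jump leaves the conditional region without passing through its junction.
ESCAPE = [
    ("cjmp", "r_h", "L1", "J"),
    ("jmp", "EXIT"),
    ("label", "L1"),
    ("label", "J"),
    ("label", "EXIT"),
    ("halt",),
]

if __name__ == "__main__":
    for name, prog in (("INSECURE", INSECURE), ("SECURE", SECURE), ("ESCAPE", ESCAPE)):
        print(name, check(prog, REGS) or "ok")
```

Without the junction operand the checker would have no way to know where the secret-dependent region ends, which is the problem both abstracts describe for plain assembly; the stack of pending junctions is what turns an unstructured branch back into something with a scope. A real TAL also has to decide what the junction's register and stack typing must be so that the two arms agree there; that is the part both papers spend their effort on and this toy omits.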

