Challenges for information-flow security (2004)

by S Zdancewic
Results 1 - 10 of 18

Dimensions and Principles of Declassification

by Andrei Sabelfeld , David Sands , 2005
Cited by 90 (13 self)
Computing systems often deliberately release (or declassify) sensitive information. A principal security concern for systems permitting information release is whether this release is safe: is it possible that the attacker compromises the information release mechanism and extracts more secret information than intended? While the security community has recognised the importance of the problem, the state of the art in information release is, unfortunately, a number of approaches with somewhat unconnected semantic goals. We provide a road map of the main directions of current research, by classifying the basic goals according to what information is released, who releases information, where in the system information is released, and when information can be released. With a general declassification framework as a long-term goal, we identify some prudent principles of declassification. These principles shed light on existing definitions and may also serve as useful "sanity checks" for emerging models.

Security-typed languages for implementation of cryptographic protocols: A case study

by Aslan Askarov, Andrei Sabelfeld - In Proc. European Symp. on Research in Computer Security, volume 3679 of LNCS , 2005
Cited by 21 (3 self)
Security protocols are critical for protecting modern communication infrastructures and are therefore subject to thorough analysis. However, practical implementations of these protocols lack the same level of attention and thus may be more exposed to attacks. This paper discusses security assurance provided by security-typed languages when implementing cryptographic protocols. Our results are based on a case study using Jif, a Java-based security-typed language, for implementing a non-trivial cryptographic protocol that allows playing online poker without a trusted third party. The case study deploys the largest program written in a security-typed language to date and identifies insights ranging from security guarantees to useful patterns of secure programming.

Expressive declassification policies and modular static enforcement

by Anindya Banerjee, David A. Naumann, Stan Rosenberg - IEEE Symposium on Security and Privacy , 2008
Cited by 19 (1 self)
This paper provides a way to specify expressive declassification policies, in particular, when, what, and where policies that include conditions under which downgrading is allowed. Secondly, an end-to-end semantic property is introduced, based on a model that allows observations of intermediate low states as well as termination. An attacker's knowledge only increases at explicit declassification steps, and within limits set by policy. Thirdly, static enforcement is provided by combining type-checking with program verification techniques applied to the small subprograms that carry out declassifications. Enforcement is proved sound for a simple programming language and the extension to object-oriented programs is described.

Secure Implementation of Cryptographic Protocols: A Case Study of Mutual Distrust

by Aslan Askarov, Andrei Sabelfeld - In ESORICS , 2005
Cited by 17 (0 self)

The abstract is identical to that of Security-typed languages for implementation of cryptographic protocols: A case study (ESORICS 2005) above.

Declassification: Dimensions and principles

by Andrei Sabelfeld, David Sands - In Proceedings of the 18th IEEE Workshop on Computer Security Foundations (CSFW'05), 2005
Cited by 16 (4 self)

The abstract matches that of Dimensions and Principles of Declassification (2005) above.

Localized delimited release: combining the what and where dimensions of information release

by Aslan Askarov, Andrei Sabelfeld - In PLAS , 2007
Cited by 12 (2 self)
Information release (or declassification) policies are the key challenge for language-based information security. Although much progress has been made, different approaches to information release tend to address different aspects of information release. In a recent classification, these aspects are referred to as what, who, where, and when dimensions of declassification. In order to avoid information laundering, it is important to combine defense along the different dimensions. As a step in this direction, this paper presents a combination of what and where information release policies. Moreover, we show that a minor modification of a security type system from the literature (which was designed for treating the what dimension) in fact enforces the combination of what and where policies.

Program transformation techniques for host-based intrusion prevention

by Lap Chung Lam , 2005
Cited by 5 (1 self)
A control hijacking attack exploits software vulnerabilities such as buffer overflow to seize the execution control of a server program, and uses the privileges of the victim program to make system calls to compromise the computer. In this dissertation, we first present a novel low overhead array bounds checking system called Cash that prevents buffer overflow from happening. Even if an attack can successfully hijack the execution control of a program, we present a defense system called Paid to prevent the attack from making illegitimate system calls. The Cash approach allocates a separate segment to each static or dynamic array, and generates instructions for array references in such a way that the segment limit check in X86’s virtual memory protection mechanism performs the required array bounds checking for free. In those cases that hardware bounds checking is not possible, it falls back to software bounds checking. Paid is a system call based intrusion prevention system, which includes a comprehensive program analysis tool that can automatically derive an accurate application-specific system call model, which includes the information such as call sites, call stacks, call order, and their constant arguments,
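The Paid part of the abstract above describes deriving an application-specific system-call model (call sites, call stacks, call order and constant arguments) and refusing calls that fall outside it. The checker below is an added example written for this listing, not Paid's code: it enforces the call-site, constant-argument and call-order parts of such a model over a recorded trace. The toy HTTP-server model, the call-site names and both traces are constructed for the demonstration; call stacks are not modelled.

```python
"""Application-specific system-call model in the style the Paid abstract
describes.  Added example, not Paid's code; the server model, call-site
names and traces below are constructed for the demonstration."""
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class CallSite(NamedTuple):
    syscall: str
    const_args: Tuple[Tuple[int, object], ...] = ()  # (arg index, literal) pairs


class SyscallModel(NamedTuple):
    sites: Dict[str, CallSite]    # call-site id -> the syscall it may issue
    entry: Set[str]               # sites that may run first
    edges: Set[Tuple[str, str]]   # allowed (previous site, next site) pairs


class Event(NamedTuple):
    site: str                     # call site recovered at run time
    syscall: str
    args: Tuple[object, ...]


def check_trace(model: SyscallModel, trace: List[Event]) -> List[str]:
    """Return one message per violation; an empty list means the trace fits."""
    violations: List[str] = []
    prev: Optional[str] = None
    for i, ev in enumerate(trace):
        site = model.sites.get(ev.site)
        if site is None or site.syscall != ev.syscall:
            # a syscall from code the model never saw: hijacked control flow
            violations.append(f"#{i}: {ev.syscall} from unknown site {ev.site}")
            continue
        for idx, lit in site.const_args:
            got = ev.args[idx] if idx < len(ev.args) else None
            if got != lit:  # legitimate site reused with a changed literal
                violations.append(
                    f"#{i}: {ev.syscall} at {ev.site} arg{idx}={got!r}, expected {lit!r}")
        allowed = model.entry if prev is None else {n for p, n in model.edges if p == prev}
        if ev.site not in allowed:
            violations.append(f"#{i}: {ev.site} may not follow {prev}")
        prev = ev.site
    return violations


O_RDONLY = 0  # the flag literal the server passes at its only open() site

# Constructed model of a tiny HTTP server: set up the listening socket once,
# then loop accept -> read request -> open file read-only -> read -> write -> close.
SERVER_MODEL = SyscallModel(
    sites={
        "main:socket": CallSite("socket", ((0, 2), (1, 1), (2, 0))),  # AF_INET, SOCK_STREAM
        "main:bind": CallSite("bind"),
        "main:listen": CallSite("listen", ((1, 128),)),
        "main:accept": CallSite("accept"),
        "serve:read_req": CallSite("read"),
        "serve:open_file": CallSite("open", ((1, O_RDONLY),)),
        "serve:read_file": CallSite("read"),
        "serve:write_resp": CallSite("write"),
        "serve:close_file": CallSite("close"),
    },
    entry={"main:socket"},
    edges={
        ("main:socket", "main:bind"), ("main:bind", "main:listen"),
        ("main:listen", "main:accept"), ("main:accept", "serve:read_req"),
        ("serve:read_req", "serve:open_file"), ("serve:read_req", "serve:write_resp"),
        ("serve:open_file", "serve:read_file"), ("serve:read_file", "serve:write_resp"),
        ("serve:write_resp", "serve:close_file"), ("serve:close_file", "main:accept"),
    },
)

BENIGN_TRACE = [
    Event("main:socket", "socket", (2, 1, 0)),
    Event("main:bind", "bind", (3, "0.0.0.0:8080")),
    Event("main:listen", "listen", (3, 128)),
    Event("main:accept", "accept", (3,)),
    Event("serve:read_req", "read", (4, 4096)),
    Event("serve:open_file", "open", ("/var/www/index.html", O_RDONLY)),
    Event("serve:read_file", "read", (5, 4096)),
    Event("serve:write_resp", "write", (4, 512)),
    Event("serve:close_file", "close", (5,)),
    Event("main:accept", "accept", (3,)),
]

# After the request parser is overflowed, injected code calls execve from an
# address the model never saw, then reuses the real open() site with flags
# the program never passes there.
HIJACKED_TRACE = BENIGN_TRACE[:5] + [
    Event("0x7ffd1000", "execve", ("/bin/sh",)),
    Event("serve:open_file", "open", ("/etc/shadow", 1)),  # 1 = O_WRONLY
]
```

The model is only as tight as the literals the program actually passes: injected code that reaches the legitimate open() site with the expected O_RDONLY flag but a runtime-computed path to a secret file passes this check, since the path was never a constant argument. That is the mimicry limit such system-call models have to live with; the call-stack information the abstract mentions (not modelled here) constrains which code may reach a site, but does not constrain non-constant arguments.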

Embedding Verifiable Information Flow Analysis

by Dorina Ghindici, Gilles Grimaud, Isabelle Simplot-Ryl - In Proc. Annual Conference on Privacy, Security and Trust (PST06), 2006
Cited by 3 (2 self)
Pervasive computing is the next generation of computing environments. Thus applications are dynamically deployed on a growing set of small safe devices. Applications must share code and data with each other, while they are issued from different sources and cannot trust each other. We present an information flow analysis for full Java bytecode adapted to applications dedicated to embedded systems. Existing techniques are not well adapted to this domain and are often too complex. To ease the onboard operations and eliminate overhead, an external static analysis is performed, and the results are embedded as annotations with the code and certified at loading time. Moreover, unlike other analyses, dynamic class loading is supported. We tested our model on a case study from the literature and obtained the same results as the other papers, despite our more restrictive circumstances. Results show that annotations can be successfully loaded and the external analysis is justified.

Access Control and Declassification

by Gérard Boudol, et al.
Cited by 3 (0 self)
We integrate programming constructs for managing confidentiality in an ML-like imperative and higher-order programming language, dealing with both access control and information flow control. Our language includes in particular a construct for declassifying information, and constructs for granting, restricting or testing the read access level of a program. We introduce a type and effect system to statically check access rights and information flow. We show that typable programs are secure, that is, they do not attempt to make illegal read accesses, nor illegal information leakage. This provides us with a natural restriction on declassification, namely that a program may only declassify information that it has the right to read.
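The declassification entries in this listing (Sabelfeld and Sands' what/who/where/when dimensions, Askarov and Sabelfeld's localized delimited release combining what and where, and Boudol et al.'s rule that a program may only declassify what it has the right to read) all rest on the same mechanism: a security type system that tracks explicit and implicit flows and lets a declassify construct lower a label only within policy. The checker below is an added example written for this listing, not code from any of the cited papers. It is a toy with two labels, L and H, and a policy naming the escape-hatch expressions (what), the program points allowed to release (where) and the label the running principal may read (who); its laundering rule, that a hatch variable assigned secret data before the release taints the hatch, is a deliberately conservative simplification chosen for the demonstration rather than any paper's exact typing rule.

```python
"""Toy security-type checker with a declassify construct.  Added example for
this listing, not code from any cited paper; the escape hatches, release
sites, principal read right and laundering rule are simplifying assumptions."""
from typing import Dict, NamedTuple, Set, Union

L, H = 0, 1  # labels: public, secret; join is max, L may flow to H, not back

class Var(NamedTuple):
    name: str

class BinOp(NamedTuple):
    op: str
    left: "Expr"
    right: "Expr"

class Declassify(NamedTuple):
    expr: "Expr"
    site: str  # where: the program point performing the release

Expr = Union[int, Var, BinOp, Declassify]  # int literals are public constants

class Assign(NamedTuple):
    target: str
    expr: Expr

class If(NamedTuple):
    cond: Expr
    then: list
    else_: list

class Policy(NamedTuple):
    var_labels: Dict[str, int]  # static label of every variable
    escape_hatches: Set[Expr]   # what: expressions whose value may be released
    release_sites: Set[str]     # where: program points allowed to declassify
    principal_reads: int        # who: highest label the running code may read

def free_vars(e: Expr) -> Set[str]:
    if isinstance(e, Var):
        return {e.name}
    if isinstance(e, BinOp):
        return free_vars(e.left) | free_vars(e.right)
    return set()

class Checker:
    def __init__(self, pol: Policy):
        self.pol = pol
        self.hatch_vars = set().union(*(free_vars(h) for h in pol.escape_hatches))
        # hatch variables assigned secret data since the program started;
        # releasing a hatch built on them could launder other secrets
        self.dirty: Set[str] = set()

    def expr(self, e: Expr) -> int:
        if isinstance(e, int):
            return L
        if isinstance(e, Var):
            return self.pol.var_labels[e.name]
        if isinstance(e, BinOp):
            return max(self.expr(e.left), self.expr(e.right))
        # Declassify: every dimension is checked before the label drops to L
        if e.site not in self.pol.release_sites:
            raise ValueError(f"where: {e.site!r} is not a release site")
        if e.expr not in self.pol.escape_hatches:
            raise ValueError(f"what: {e.expr} is not an escape hatch")
        if self.expr(e.expr) > self.pol.principal_reads:
            raise ValueError("who: principal may not read what it declassifies")
        laundered = sorted(free_vars(e.expr) & self.dirty)
        if laundered:
            raise ValueError(f"laundering via updated hatch variables {laundered}")
        return L

    def stmts(self, body: list, pc: int = L) -> None:
        for s in body:
            if isinstance(s, If):
                ctx = max(pc, self.expr(s.cond))  # raise pc inside secret branches
                self.stmts(s.then, ctx)
                self.stmts(s.else_, ctx)
                continue
            lvl = max(pc, self.expr(s.expr))  # explicit flow joined with implicit pc
            if lvl > self.pol.var_labels[s.target]:
                raise ValueError(f"secret flow into {s.target}")
            if s.target in self.hatch_vars and lvl == H:
                self.dirty.add(s.target)

def verdict(prog: list, pol: Policy) -> str:
    """'ok' if the program type-checks, otherwise the rejection reason."""
    try:
        Checker(pol).stmts(prog)
        return "ok"
    except ValueError as err:
        return str(err)

# Constructed policy: the sum of two secret salaries may be released at 'avg'.
AVG = BinOp("+", Var("h1"), Var("h2"))
POLICY = Policy({"h1": H, "h2": H, "l": L}, {AVG}, {"avg"}, H)
RELEASE_AVG = [Assign("l", Declassify(AVG, "avg"))]
LAUNDER = [Assign("h2", Var("h1")), Assign("l", Declassify(AVG, "avg"))]  # releases 2*h1
WRONG_SITE = [Assign("l", Declassify(AVG, "log"))]
NOT_A_HATCH = [Assign("l", Declassify(Var("h1"), "avg"))]
IMPLICIT = [If(Var("h1"), [Assign("l", 1)], [Assign("l", 0)])]
```

LAUNDER is the classic attack on a naive "average salary" policy: copying h1 into h2 before releasing h1 + h2 reveals 2*h1, and the what check alone does not see it, because the released expression is exactly the declared hatch. IMPLICIT shows why the pc label is tracked: the branch on h1 raises pc to H, so the public assignments inside it are rejected, and for the same reason a declassify placed inside a secret branch would be rejected, since the assignment's label is joined with pc.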

Precip : Towards practical and retrofittable confidential information protection

by Xiaofeng Wang, Zhuowei Li, Ninghui Li, Jong Youl Choi - In 16th Annual Network & Distributed System Security Symposium , 2008
Cited by 3 (0 self)
A grand challenge in information protection is how to preserve the confidentiality of sensitive information under spyware surveillance. This problem has not been well addressed by the existing access-control mechanisms, which cannot prevent the spyware already in a system from monitoring an authorized party's interactions with sensitive data. Our answer to this challenge is PRECIP, a new security policy model which takes a first step towards practical and retrofittable confidential information protection. This model is designed to offer efficient online protection for commercial applications and operating systems. It intends to be retrofitted to these applications and systems without modifying their code. To this end, PRECIP addresses several practical issues critical to containing spyware surveillance, which however are not well handled by the previous work in access control and information-flow security. Examples include the models for human input devices such as the keyboard, whose sensitivity level must be dynamically determined, other shared resources such as the clipboard and screen which must be accessed by different processes, and the multitasked processes which work on public and sensitive data concurrently. We applied PRECIP to Windows XP to protect the applications for editing or viewing sensitive documents and browsing sensitive websites. We demonstrate that our implementation works effectively against a wide spectrum of spyware, including keyloggers, screen grabbers and file stealers. We also evaluated the overheads of our technique, which are shown to be very small.