A General Theory of Composition for Trace Sets Closed under Selective Interleaving Functions
1994
Cited by 132 (2 self)
This paper presents a general theory of system composition for "possibilistic" security properties. We see that these properties fall outside of the Alpern-Schneider safety/liveness domain and hence are not subject to the Abadi-Lamport Composition Principle. We then introduce a set of trace constructors called selective interleaving functions and show that possibilistic security properties are closure properties with respect to different classes of selective interleaving functions. This provides a uniform framework for analyzing these properties and allows us to construct a partial ordering for them. We present a number of composition constructs, show the extent to which each preserves closure with respect to different classes of selective interleaving functions, and show that they are sufficient for forming the general hook-up construction. We see that although closure under a class of selective interleaving functions is generally preserved by product and cascading, it is not generally preserv...
The Typed Access Matrix Model
Proc. IEEE Symposium on Research in Security and Privacy, 1992
Cited by 105 (24 self)
The access matrix model as formalized by Harrison, Ruzzo, and Ullman (HRU) has broad expressive power. Unfortunately, HRU has weak safety properties (i.e., the determination of whether or not a given subject can ever acquire access to a given object). Most security policies of practical interest fall into the undecidable cases of HRU. This is true even for monotonic policies (i.e., where access rights can be deleted only if the deletion is itself reversible). In this paper we define the typed access matrix (TAM) model by introducing strong typing into HRU (i.e., each subject or object is created to be of a particular type which thereafter does not change). We prove that monotonic TAM (MTAM) has strong safety properties similar to Sandhu's Schematic Protection Model. Safety in MTAM's decidable case is, however, NP-hard. We develop a model called ternary MTAM which has polynomial safety for its decidable case, and which nevertheless retains the full expressive power of MTAM. There is compelling evidence that the decidable safety cases of ternary MTAM are quite adequate for modeling practical monotonic security policies.
Probabilistic Noninterference for Multi-threaded Programs
Proc. IEEE Computer Security Foundations Workshop, 1999
Cited by 104 (22 self)
We present a probability-sensitive confidentiality specification -- a form of probabilistic noninterference -- for a small multi-threaded programming language with dynamic thread creation. Probabilistic covert channels arise from a scheduler which is probabilistic. Since scheduling policy is typically outside the language specification for multithreaded languages, we describe how to generalise the security condition in order to define robust security with respect to a wide class of schedulers, not excluding the possibility of deterministic (e.g., round-robin) schedulers and program-controlled thread priorities. The formulation is based on an adaptation of Larsen and Skou's notion of probabilistic bisimulation. We show how the security condition satisfies compositionality properties which facilitate straightforward proofs of correctness for, e.g., security type systems. We illustrate this by defining a security type system which improves on previous multi-threaded systems, and by proving it correct with respect to our stronger scheduler-independent security condition.
Security Models and Information Flow
Proc. IEEE Symposium on Security and Privacy, 1990
A Per Model of Secure Information Flow in Sequential Programs
Higher-Order and Symbolic Computation, 1998
Cited by 81 (14 self)
This paper proposes an extensional semantics-based formal specification of secure information-flow properties in sequential programs based on representing degrees of security by partial equivalence relations (pers). The specification clarifies and unifies a number of specific correctness arguments in the literature and connections to other forms of program analysis. The approach is inspired by (and in the deterministic case equivalent to) the use of partial equivalence relations in specifying binding-time analysis, and is thus able to specify security properties of higher-order functions and "partially confidential data". We also show how the per approach can handle nondeterminism for a first-order language, by using powerdomain semantics and show how probabilistic security properties can be formalised by using probabilistic powerdomain semantics. We illustrate the usefulness of the compositional nature of the security specifications by presenting a straightforward correctness proof for a simple type-based security analysis.
Security Models
Encyclopedia of Software Engineering, 1994
Cited by 69 (2 self)
this article we focus on the primary use of security models, which has been to describe general confidentiality requirements. We then give pointers to security model work in other areas.
Authorization In Distributed Systems: A New Approach
1993
Cited by 60 (2 self)
In most existing systems, authorization is specified using some low-level system-specific mechanisms, e.g., protection bits, capabilities and access control lists. We argue that authorization is an independent semantic concept that must be separated from implementation mechanisms and given a precise semantics. We propose a logical approach to representing and evaluating authorization. Specifically, we introduce a language for specifying policy bases. A policy base encodes a set of authorization requirements and is given a precise semantics based upon a formal notion of authorization policy. The semantics is computable, thus providing a basis for authorization evaluation.
1 Introduction
To guarantee the security of a distributed system, many concerns need to be addressed. These include authentication, authorization, auditing, accounting and availability, among others. In this paper, we propose a new foundation for authorization, specifically, one that is appropriate for the design and ...
A Model for Delimited Information Release
Proc. International Symp. on Software Security (ISSS'03), volume 3233 of LNCS, 2004
Cited by 51 (12 self)
Much work on security-typed languages lacks a satisfactory account of intentional information release. In the context of confidentiality, a typical security guarantee provided by security type systems is noninterference, which allows no information flow from secret inputs to public outputs. However, many intuitively secure programs do allow some release, or declassification, of secret information (e.g., password checking, information purchase, and spreadsheet computation). Noninterference fails to recognize such programs as secure. In this respect, many security type systems enforcing noninterference are impractical.
Authorization in Distributed Systems: A Formal Approach
1992
Cited by 42 (4 self)
In most systems, authorization is specified using some low-level system-specific mechanisms, e.g. protection bits, capabilities and access control lists. We argue that authorization is an independent semantic concept that must be separated from implementation mechanisms and given a precise semantics. We propose a logical approach to representing and evaluating authorization. Specifically, we introduce a language for specifying policy bases. A policy base encodes a set of authorization requirements and is given a precise semantics based upon a formal notion of authorization policy. The semantics is computable, thus providing a basis for authorization evaluation. We also introduce two composition operators for policy bases, which are appropriate for modeling distributed systems with multiple administrative domains.
Proving Noninterference and Functional Correctness Using Traces
Journal of Computer Security, 1992
Cited by 42 (4 self)
this paper we advocate showing that an abstract functional specification satisfies Noninterference directly and then showing that the program satisfies the functional specification. By being carried out on as abstract a level as possible, our security proof can survive implementation changes that do not affect the user interface to the system.