## Secure information flow as a safety problem (2005)

### Cached

### Download Links

- [www.kb.ecei.tohoku.ac.jp]
- [www.kb.ecei.tohoku.ac.jp]
- [theory.stanford.edu]
- DBLP

### Other Repositories/Bibliography

Venue: | In SAS |

Citations: | 57 - 3 self |

### BibTeX

@INPROCEEDINGS{Terauchi05secureinformation,

author = {Tachio Terauchi and Alex Aiken},

title = {Secure information flow as a safety problem},

booktitle = {In SAS},

year = {2005},

pages = {352--367}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. The termination insensitive secure information flow problem can be reduced to solving a safety problem via a simple program transformation. Barthe, D’Argenio, and Rezk coined the term “self-composition” to describe this reduction. This paper generalizes the self-compositional approach with a form of information downgrading recently proposed by Li and Zdancewic. We also identify a problem with applying the self-compositional approach in practice, and we present a solution to this problem that makes use of more traditional type-based approaches. The result is a framework that combines the best of both worlds, i.e., better than traditional type-based approaches and better than the selfcompositional approach. 1

### Citations

604 | Language-based information-flow security
- Sabelfeld, Myers
(Show Context)
Citation Context ... low-security variables). Secure information flow has applications in software security. There is an excellent survey by Sabelfeld and Myers on issues ranging from applications to analysis techniques =-=[1]-=-. We note that the definition above can be extended to multi-label cases (i.e., beyond just “high” and “low”) by posing the problem multiple times with different choices of high-security variables and... |

473 | Lazy abstraction
- Henzinger, Jhala, et al.
- 2002
(Show Context)
Citation Context ...-composition is a promising approach to solving difficult secure information flow instances thanks to the recent success on generic automatic software safety analysis tools such as SLAM [5] and BLAST =-=[6]-=-, to name a few. Both SLAM and BLAST combine theorem proving and model checking in an iteratively refining manner to achieve robust safety analysis that can scale to programs of non-trivial size writt... |

393 | The SLAM project: Debugging system software via static analysis - Ball, Rajamani - 2002 |

158 | A General Theory of Composition for Trace Sets Closed under Selective Interleaving Functions
- McLean
- 1994
(Show Context)
Citation Context ... = {P | ∀M.〈M, P 〉 = ⊥ ⇒ φ(〈M, P 〉, M)} A safety problem is a membership problem for some safety property. Secure information flow, termination sensitive or not, is not a safety property (see, e.g., =-=[2]-=- for a proof). However, the termination insensitive secure information flow problem is almost a safety problem. To this end, we introduce the concept of a 2-safety property which is intuitively a prop... |

135 | A type-based approach to program security
- Volpano, Smith
- 1997
(Show Context)
Citation Context ...s a standard structural property for (flowinsensitive) type systems. The last condition says that P itself can be typed under Γ. For example, the well-known Volpano and Smith type inference algorithm =-=[14]-=- when restricted to the language While can satisfy the above requirement for vanilla secure information flow (i.e., the downgrading policy e is some constant) by letting ∼Γ= {(M1, M2) | M1(x) = M2(x),... |

87 | Secure Information Flow by SelfComposition
- Barthe, D’Argenio, et al.
(Show Context)
Citation Context ...rectly from Definition 2 without going through the generalization of defining a 2-safety property as we have done here. As far as we know, the direct formulation appears in at least two recent papers =-=[3, 4]-=-. We borrowed the term “self-composition” from Barthe, D’Argenio, and Rezk [4], although they define it slightly differently. Self-composition is a promising approach to solving difficult secure infor... |

81 | A Theorem Proving Approach to Analysis of Secure Information Flow
- Darvas, Hähnle, et al.
- 2005
(Show Context)
Citation Context ...rectly from Definition 2 without going through the generalization of defining a 2-safety property as we have done here. As far as we know, the direct formulation appears in at least two recent papers =-=[3, 4]-=-. We borrowed the term “self-composition” from Barthe, D’Argenio, and Rezk [4], although they define it slightly differently. Self-composition is a promising approach to solving difficult secure infor... |

79 | Downgrading Policies and Relaxed Noninterference
- Li, Zdancewic
- 2005
(Show Context)
Citation Context ... main contributions of this paper are as follows:– We extend the self-compositional approach to the secure information flow problem with information downgrading recently proposed by Li and Zdancewic =-=[9]-=-. – We identify a problem with applying the self-compositional approach in practice. We then present a solution to this problem that makes use of more traditional type-based approaches. The first cont... |

75 |
Abstract non-interference: parameterizing noninterference by abstract interpretation
- Giacobazzi, Mastroeni
- 2004
(Show Context)
Citation Context ...e proposed various ways to relax secure information flow to permit policies like the one above, such as robust declassification [10], delimited information release [11], and abstract non-interference =-=[12]-=-. A particularly nice approach called relaxed non-interference has been recently proposed by Li and Zdancewic [9]. Their idea is to express downgrading by the existence of a clean function that takes ... |

67 | A model for delimited information release
- Sabelfeld, Myers
- 2004
(Show Context)
Citation Context ...-security variables. Researchers have proposed various ways to relax secure information flow to permit policies like the one above, such as robust declassification [10], delimited information release =-=[11]-=-, and abstract non-interference [12]. A particularly nice approach called relaxed non-interference has been recently proposed by Li and Zdancewic [9]. Their idea is to express downgrading by the exist... |

60 | Relative completeness of abstraction refinement for software model checking
- BALL, PODELSKI, et al.
- 2002
(Show Context)
Citation Context ...atively refining manner to achieve robust safety analysis that can scale to programs of non-trivial size written in feature-rich programming languages like C. Also, they are in theory almost complete =-=[7]-=-. In practice, they have been able to verify many safety properties that were too difficult for older approaches that were not fully path-sensitive and sometimes not even flow-sensitive. What does thi... |

52 |
Transition Predicate Abstraction and Fair Termination
- Podelski, Rybalchenko
(Show Context)
Citation Context ... any 2-liveness problem to a 1-liveness problem. But since there are not practical frameworks for checking general software liveness properties (though some promising proposals are starting to appear =-=[8]-=-), we limit the content of this paper to the termination insensitive case. Also, non-deterministic programs are outside of the scope of this paper. 1.1 Contributions The two main contributions of this... |

33 | Information flow analysis in logical form - Amtoft, Banerjee |

21 |
S.K.: The SLAM project: debugging system software via static analysis
- Ball, Rajamani
- 2002
(Show Context)
Citation Context ...ferently. Self-composition is a promising approach to solving difficult secure information flow instances thanks to the recent success on generic automatic software safety analysis tools such as SLAM =-=[5]-=- and BLAST [6], to name a few. Both SLAM and BLAST combine theorem proving and model checking in an iteratively refining manner to achieve robust safety analysis that can scale to programs of non-triv... |

1 |
A.C.: Robust declassification. In: CSFW ’01
- Zdancewic, Myers
- 2001
(Show Context)
Citation Context ...d of leaking anything about the high-security variables. Researchers have proposed various ways to relax secure information flow to permit policies like the one above, such as robust declassification =-=[10]-=-, delimited information release [11], and abstract non-interference [12]. A particularly nice approach called relaxed non-interference has been recently proposed by Li and Zdancewic [9]. Their idea is... |