Dynamic dependency monitoring to secure information flow
In: Proc. Computer Security Foundations Symposium, IEEE Computer Society, 2007
Cited by 41 (2 self)
Although static systems for information flow security are well-studied, few works address run-time information flow monitoring. Run-time information flow control offers distinct advantages in precision and in the ability to support dynamically defined policies. To this end, we here develop a new run-time information flow system based on the runtime tracking of indirect dependencies between program points. Our system tracks both direct and indirect information flows, and noninterference results are proved.
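As an added illustration of what a run-time monitor that tracks both direct and indirect flows has to do, the Python sketch below (my own example, not the paper's system; the `Monitor` API, the two-point lattice and the three sample programs are assumptions) keeps a label per variable plus a program-counter label for the enclosing branches, and applies the no-sensitive-upgrade rule so that it stays sound on the branch the monitor never sees executed.

```python
"""A tiny dynamic information-flow monitor (hypothetical illustration).

Every variable carries a label from the two-point lattice L (public) < H
(secret).  Direct flows propagate labels through expressions; indirect flows
are captured by a stack of "program counter" labels pushed on entering a
branch whose guard depends on secret data.  Because the monitor only sees the
branch actually taken, writing a public variable in a secret context is
rejected outright (the no-sensitive-upgrade rule): otherwise the untaken
branch would leave the variable public with a value that reveals the guard.
"""
from dataclasses import dataclass, field

L, H = 0, 1          # labels; max() is the lattice join


class FlowViolation(Exception):
    """Raised when the monitor stops the program instead of leaking."""


@dataclass
class Monitor:
    store: dict = field(default_factory=dict)            # name -> (value, label)
    pc: list = field(default_factory=lambda: [L])        # program-counter label stack
    low_output: list = field(default_factory=list)       # what a public observer sees

    def _pc(self) -> int:
        return max(self.pc)

    @staticmethod
    def const(value, label=L):
        return (value, label)

    def read(self, name):
        return self.store[name]

    def assign(self, name, labeled):
        value, label = labeled
        current = self.store.get(name)
        if self._pc() == H and current is not None and current[1] == L:
            raise FlowViolation(f"write to public variable {name!r} in secret context")
        # Direct flow: the stored label is the join of the operand label and pc.
        self.store[name] = (value, max(label, self._pc()))

    @staticmethod
    def binop(fn, a, b):
        return (fn(a[0], b[0]), max(a[1], b[1]))

    def branch(self, guard) -> bool:
        """Enter a conditional; the guard's label taints everything inside it."""
        value, label = guard
        self.pc.append(max(label, self._pc()))
        return bool(value)

    def end_branch(self):
        self.pc.pop()

    def output_low(self, labeled):
        value, label = labeled
        if max(label, self._pc()) == H:
            raise FlowViolation("secret data sent to the public channel")
        self.low_output.append(value)


def public_only():
    """Nothing secret involved: the monitor does not get in the way."""
    m = Monitor()
    m.assign("a", m.const(1))
    m.assign("b", m.const(2))
    m.assign("c", m.binop(lambda x, y: x + y, m.read("a"), m.read("b")))
    m.output_low(m.read("c"))
    return m.low_output


def explicit_flow(secret_bit):
    """y = secret ^ 1 is a direct flow; outputting y is stopped."""
    m = Monitor()
    m.assign("secret", m.const(secret_bit, H))
    m.assign("y", m.binop(lambda a, b: a ^ b, m.read("secret"), m.const(1)))
    try:
        m.output_low(m.read("y"))
    except FlowViolation:
        return "blocked"
    return m.low_output


def implicit_flow(secret_bit):
    """pub = 0; if secret: pub = 1  -- copies the secret via control flow only."""
    m = Monitor()
    m.assign("secret", m.const(secret_bit, H))
    m.assign("pub", m.const(0))
    try:
        if m.branch(m.read("secret")):
            m.assign("pub", m.const(1))   # rejected: pub is public, pc is H
        m.end_branch()
        m.output_low(m.read("pub"))
    except FlowViolation:
        return "blocked"
    return m.low_output


if __name__ == "__main__":
    print(public_only(), explicit_flow(1), implicit_flow(1), implicit_flow(0))
```

When the guard is false the program runs to completion and outputs 0; when it is true the monitor halts. An observer who can tell whether output arrived still learns the bit, which is why monitors of this kind prove termination-insensitive noninterference. The paper's system tracks indirect dependencies between program points rather than keeping a pc-label stack; the sketch uses the simpler mechanism only to make the direct/indirect distinction concrete.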
Trusted Declassification -- High-level policy for a security-typed language
2006
Cited by 31 (13 self)
Security-typed languages promise to be a powerful tool with which provably secure software applications may be developed. Programs written in these languages enforce a strong, global policy of noninterference which ensures that high-security data will not be observable on low-security channels. Because noninterference is typically too strong a property, most programs use some form of declassification to selectively leak high security information, e.g. when performing a password check or data encryption. Unfortunately, such a declassification is often expressed as an operation within a given program, rather than as part of a global policy, making reasoning about the security implications of a policy more difficult. In this paper, we propose a simple idea we call trusted declassification in which special declassifier functions are specified as part of the global policy. In particular, individual principals declaratively specify which declassifiers they trust so that all information flows implied by the policy can be reasoned about in absence of a particular program. We formalize our approach for a Java-like language and prove a modified form of noninterference which we call noninterference modulo trusted methods. We have implemented our approach as an extension to Jif and provide some of our experience using it to build a secure e-mail client.
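The password-check case the abstract mentions, worked through as an added example (my own Python sketch, not the authors' Jif extension; the `Labeled` class, the `POLICY` table, the principals and the sample secrets are all assumptions): declassification is only reachable through the declassifier functions named in a global policy, and a declassifier runs on a value only if every owner of that value trusts it.

```python
"""Trusted declassification, illustrated (hypothetical code, not the Jif extension).

A value is labeled with the principals that own it.  Declassification is not
an operation a program may perform anywhere; it is only possible through the
declassifier functions named in a global policy, and a declassifier may run on
a value only if every owner of that value trusts it.  The flows a program can
create can then be read off the policy without looking at the program.
"""
import hashlib
import hmac


class DeclassificationError(Exception):
    """Raised when a declassifier is not trusted by every owner of the data."""


class Labeled:
    """A value together with the set of principals whose secret it is."""

    def __init__(self, value, owners):
        self.value = value
        self.owners = frozenset(owners)

    def join(self, other):
        """Combine two values; the result is owned by the union of owners."""
        return Labeled((self.value, other.value), self.owners | other.owners)


# --- Declassifiers: the only route from secret to public ----------------------

def password_check(stored_hash_and_guess):
    """Releases exactly one bit: whether the guess matches the stored hash."""
    stored_hash, guess = stored_hash_and_guess
    # sha256 stands in for a real password hash (argon2/bcrypt) in this sketch.
    return hmac.compare_digest(stored_hash, hashlib.sha256(guess.encode()).hexdigest())


def reveal(value):
    """A declassifier that leaks everything; no principal should trust it."""
    return value


# Global policy (assumed): which declassifiers each principal trusts.
POLICY = {
    "alice": {password_check},
    "bob": set(),            # bob trusts no declassifier at all
}


def declassify(declassifier, labeled):
    """Run `declassifier` on secret data if every owner trusts it; result is public."""
    for owner in labeled.owners:
        if declassifier not in POLICY.get(owner, set()):
            raise DeclassificationError(f"{owner} does not trust {declassifier.__name__}")
    return declassifier(labeled.value)


def _hash(pw):
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample data: alice's password hash, and a record alice and bob co-own.
SECRETS = {
    "alice": Labeled(_hash("correct horse"), {"alice"}),
    "shared": Labeled(_hash("battery staple"), {"alice", "bob"}),
}


def login(account, guess):
    """Password check on a secret owned by alice alone: allowed by the policy."""
    data = SECRETS[account].join(Labeled(guess, set()))   # the guess is public
    return declassify(password_check, data)


def try_declassify(declassifier, account, guess=""):
    """Returns the public result, or 'denied' when the policy forbids the release."""
    data = SECRETS[account].join(Labeled(guess, set()))
    try:
        return declassify(declassifier, data)
    except DeclassificationError:
        return "denied"


if __name__ == "__main__":
    print(login("alice", "correct horse"), try_declassify(reveal, "alice"),
          try_declassify(password_check, "shared", "battery staple"))
```

The two denials are the point of the scheme: `reveal` is rejected because alice never listed it, and `password_check` is rejected on the co-owned record because bob trusts nothing, so the program cannot widen the set of flows beyond what the policy already declares.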
Enforcing Authorization Policies using Transactional Memory Introspection
In: CCS'08, 2008
Cited by 21 (2 self)
Correct enforcement of authorization policies is a difficult task, especially for multi-threaded software. Even in carefully-reviewed code, unauthorized access may be possible in subtle corner cases. We introduce Transactional Memory Introspection (TMI), a novel reference monitor architecture that builds on Software Transactional Memory—a new, attractive alternative for writing correct, multi-threaded software. TMI facilitates correct security enforcement by simplifying how the reference monitor integrates with software functionality. TMI can ensure complete mediation of security-relevant operations, eliminate race conditions related to security checks, and simplify handling of authorization failures. We present the design and implementation of a TMI-based reference monitor and experiment with its use in enforcing authorization policies on four significant servers. Our experiments confirm the benefits of the TMI architecture and show that it imposes an acceptable runtime overhead.
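An added sketch of the architectural idea (my own Python, not the paper's implementation; the `Transaction`/`Store` classes, the ACL and the sample operation are assumptions): application code touches shared state only through a transaction, and the reference monitor runs once, at commit, over the read and write sets the transaction actually produced.

```python
"""Commit-time authorization over a transaction's read/write sets (hypothetical
sketch of the TMI idea; not the paper's implementation).

The application code touches shared state only through a transaction.  The
reference monitor is not called from the application at all: at commit time it
inspects the set of objects the transaction read and wrote and checks each
access against the policy.  Mediation is therefore complete whatever code path
ran, and a denied access aborts the transaction, so no partial update has to
be undone by hand.
"""


class AccessDenied(Exception):
    pass


class Store:
    """Shared state; only ever modified through Transaction.commit()."""

    def __init__(self, **initial):
        self.data = dict(initial)


class Transaction:
    def __init__(self, store, subject, policy):
        self.store, self.subject, self.policy = store, subject, policy
        self.reads = set()
        self.writes = {}                  # buffered until commit

    def read(self, key):
        self.reads.add(key)
        return self.writes.get(key, self.store.data.get(key))

    def write(self, key, value):
        self.writes[key] = value

    def commit(self):
        # Reference monitor: authorize the observed read/write sets, then apply
        # the buffered writes atomically.  Nothing reaches the store if any
        # access is denied.
        for key in self.reads:
            if not self.policy(self.subject, key, "read"):
                raise AccessDenied(f"{self.subject} may not read {key}")
        for key in self.writes:
            if not self.policy(self.subject, key, "write"):
                raise AccessDenied(f"{self.subject} may not write {key}")
        self.store.data.update(self.writes)


def run_transaction(store, subject, policy, body):
    """Run `body(tx)`; returns 'committed' or 'aborted' (writes discarded)."""
    tx = Transaction(store, subject, policy)
    try:
        body(tx)
        tx.commit()
    except AccessDenied:
        return "aborted"
    return "committed"


# Constructed sample policy: a per-subject ACL.
ACL = {
    "alice":   {"doc1": {"read", "write"}, "audit": {"write"}},
    "mallory": {"doc1": {"read"},          "audit": {"write"}},
}


def acl_policy(subject, key, op):
    return op in ACL.get(subject, {}).get(key, set())


def append_note(tx):
    """Application logic with no inline authorization check at all."""
    doc = tx.read("doc1")
    tx.write("doc1", doc + " +note")
    tx.write("audit", "doc1 edited")


def demo(subject):
    """Returns (outcome, doc1, audit) after `subject` tries to edit doc1."""
    store = Store(doc1="draft", audit="")
    outcome = run_transaction(store, subject, acl_policy, append_note)
    return outcome, store.data["doc1"], store.data["audit"]


if __name__ == "__main__":
    print(demo("alice"), demo("mallory"))
```

Mallory is allowed to write `audit` but not `doc1`; because authorization failure aborts the whole transaction, the audit entry is discarded along with the edit rather than leaving a half-applied update. The sketch is single-threaded and shows only the mediation and rollback parts; in a real STM the commit also validates the read set against concurrent writers, so the authorization decision and the data access are taken on one consistent snapshot, which is what closes the check-then-act window the abstract refers to.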
Paralocks -- Role-based Information Flow Control . . .
2010
Cited by 19 (0 self)
This paper presents Paralocks, a language for building expressive but statically verifiable fine-grained information flow policies. Paralocks combine the expressive power of Flow Locks (Broberg & Sands, ESOP’06) with the ability to express policies involving runtime principals, roles (in the style of role-based access control), and relations (such as “acts-for” in discretionary access control). We illustrate the Paralocks policy language by giving a simple encoding of Myers and Liskov’s Decentralized Label Model (DLM). Furthermore, and unlike the DLM, we provide an information flow semantics for full Paralock policies. Lastly we illustrate how Paralocks can be statically verified by providing a simple programming language incorporating Paralock policy specifications, and a static type system which soundly enforces information flow security according to the Paralock semantics.
From Languages to Systems: Understanding Practical Application Development in Security-typed Languages
In: Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC 2006), 2006
Cited by 17 (5 self)
Security-typed languages are an evolving tool for implementing systems with provable security guarantees. However, to date, these tools have only been used to build simple “toy” programs. As described in this paper, we have developed the first real-world, security-typed application: a secure email system written in the Java language variant Jif. Real-world policies are mapped onto the information flows controlled by the language primitives, and we consider the process and tractability of broadly enforcing security policy in commodity applications. We find that while the language provided the rudimentary tools to achieve low-level security goals, additional tools, services, and language extensions were necessary to formulate and enforce application policy. We detail the design and use of these tools. We also show how the strong guarantees of Jif in conjunction with our policy tools can be used to evaluate security. This work serves as a starting point: we have demonstrated that it is possible to implement real-world systems and policy using security-typed languages. However, further investigation of the developer tools and supporting policy infrastructure is necessary before they can fulfill their considerable promise of enabling more secure systems.
Flow-sensitive semantics for dynamic information flow policies
In: Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security, 2009
Cited by 11 (1 self)
Cross-tier, Label-based Security Enforcement for Web Applications
Cited by 10 (0 self)
This paper presents SELinks, an extension of the Links web programming language, that allows a database and web server to collaboratively enforce a security policy with high assurance. Our approach has a number of benefits. First, the relationship between data and its security label is made explicit by the SELinks type system, which allows the compiler to ensure that a policy is always correctly enforced. Next, application-specific logic is communicated seamlessly to the database by compiling SELinks code and values to user-defined functions and custom datatypes, respectively, to be stored in the database. As a result, application-specific security policies can be enforced at the database while processing queries, improving both the overall efficiency of the application, as well as ensuring that sensitive data never leaves the database needlessly. Our experience with two sizeable web applications indicates that cross-tier policy enforcement in SELinks is flexible, relatively easy to use and improves efficiency, in terms of increased throughput, by as much as an order of magnitude.
A trust management approach for flexible policy management in security-typed languages
http://elephant.cs.uiuc.edu/ sbandha2/publications/ccs07.pdf
Cited by 9 (0 self)
Early work on security-typed languages required that legal information flows be defined statically. More recently, techniques have been introduced that relax these assumptions and allow policies to change at run-time. For example, the Rx language uses a policy language based on RT, a trust management framework for representing authorization policies. While Rx made significant strides toward the goal of allowing policy updates in security-typed languages, in this paper we observe that certain design choices of Rx violate the privacy and autonomy requirements of principals in trust management systems, thus making decentralized control over information difficult. To address these problems, we propose RTI, a new security-typed language. In addition to avoiding prior pitfalls, RTI’s most distinguishing characteristic is that it supports fine-grained specification of security for dynamic policy. We also provide a proof of noninterference for RTI.
Information Flow for Secure Distributed Applications
2009
Cited by 8 (0 self)
Private and confidential information is increasingly stored online and increasingly being exposed due to human errors as well as malicious attacks. Information leaks threaten confidentiality, lead to lawsuits, damage enterprise reputations, and cost billions of dollars. While distributed computing architectures provide data and service integration, they also create information flow control problems due to the interaction complexity among service providers. A main problem is the lack of an appropriate programming model to capture expected information flow behaviors in these large distributed software infrastructures. This research tackles this problem by proposing a programming methodology and enforcement platform for application developers to protect and share their sensitive data. We introduce Aeolus, a new platform intended to make it easier to build distributed
A Dependent Type Theory for Verification of Information Flow and Access Control Policies
Cited by 7 (1 self)
We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and state-dependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic.