
Flexible dynamic information flow control in the presence of exceptions*

Published online by Cambridge University Press:  12 January 2017

DEIAN STEFAN, UC San Diego, La Jolla, CA, USA (e-mail: deian@cs.ucsd.edu)
DAVID MAZIÈRES, Stanford University, Stanford, CA, USA (e-mail: mitchell@cs.stanford.edu)
JOHN C. MITCHELL, Stanford University, Stanford, CA, USA (e-mail: mitchell@cs.stanford.edu)
ALEJANDRO RUSSO, Chalmers University of Technology, Gothenburg, Sweden (e-mail: russo@chalmers.se)

Abstract

We describe a language-based, dynamic information flow control (IFC) system called LIO. Our system presents a new design point for IFC, influenced by the challenge of implementing IFC as a Haskell library, as opposed to the more typical approach of modifying the language runtime system. In particular, we take a coarse-grained, floating-label approach, previously used by IFC operating systems, and associate a single, mutable label—the current label—with all the data in a computation's context. This label is always raised to reflect the reading of sensitive information, and it is used to restrict the underlying computation's effects. To preserve the flexibility of fine-grained systems, LIO also provides programmers with a means for associating an explicit label with a piece of data. Interestingly, these labeled values can be used to encapsulate the results of sensitive computations which would otherwise cause the current label to creep upward. Unlike other language-based systems, LIO also bounds the current label with a current clearance, providing a form of discretionary access control that LIO programs can use to deal with covert channels. Moreover, LIO provides programmers with mutable references and exceptions. The latter are used in LIO to encode and recover from monitor failures, all while preserving data confidentiality and integrity—this addresses a longstanding concern that dynamic IFC is inherently prone to information leakage due to monitor failure.
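As an added example (not code from the paper or from the LIO library), the following Python model captures the floating-label mechanism the abstract describes: the current label rises on every read and is bounded by a clearance, labeled values box the result of a sensitive sub-computation so the outer label does not creep, and a failure inside that sub-computation is boxed as well, so a secret-dependent exception is not observable to the less-tainted context. The two-point lattice (LOW, HIGH) and the names `label`, `unlabel`, `to_labeled` and `IFCViolation` are assumptions of this model, not LIO's API.

```python
# Toy floating-label monitor modelled on the LIO design in the abstract. Added illustration
# with a two-point lattice and simplified API names; it is not the LIO library itself.
from dataclasses import dataclass
LOW, HIGH = 0, 1                                 # LOW may flow to HIGH, never back
def can_flow(a, b): return a <= b
class IFCViolation(Exception): pass              # monitor failure: a label check did not hold

@dataclass(frozen=True)
class Labeled:
    label: int
    value: object = None
    exc: object = None                           # an exception captured by to_labeled

class LIO:
    def __init__(self, current=LOW, clearance=HIGH):
        self.current, self.clearance = current, clearance
    def label(self, l, v):                       # create data at l only if current ⊑ l ⊑ clearance
        if not (can_flow(self.current, l) and can_flow(l, self.clearance)):
            raise IFCViolation(f"label {l} outside [{self.current}, {self.clearance}]")
        return Labeled(l, v)
    def unlabel(self, lv):                       # reading taints: current := current ⊔ label ⊑ clearance
        if not can_flow(lv.label, self.clearance):
            raise IFCViolation("read would raise the current label above the clearance")
        self.current = max(self.current, lv.label)
        if lv.exc is not None:                   # a boxed failure surfaces only to a tainted reader
            raise lv.exc
        return lv.value
    def to_labeled(self, l, action):             # run action; box its value *or* its exception at l
        saved, _ = self.current, self.label(l, None)   # reuse the range check on l
        try:
            value, exc = action(self), None
        except Exception as e:
            value, exc = None, e
        if not can_flow(self.current, l):
            raise IFCViolation("sub-computation read data above its result label")
        self.current = saved                     # the label creep inside the box is rolled back
        return Labeled(l, value, exc)

def secret_dependent_failure(secret):
    # Secret-dependent failure inside a HIGH box: the LOW context sees neither the exception nor a label rise.
    ctx = LIO()
    s = ctx.label(HIGH, secret)
    lv = ctx.to_labeled(HIGH, lambda inner: 100 // inner.unlabel(s))   # raises iff secret == 0
    return ctx.current, lv.exc is not None

def read_above_clearance():                      # clearance LOW: reading HIGH is refused, label stays LOW
    ctx = LIO(clearance=LOW)
    try: ctx.unlabel(Labeled(HIGH, "secret"))
    except IFCViolation: return ctx.current == LOW
    return False
```

The boxed exception is re-raised only when a reader unlabels the HIGH value, at which point that reader's own current label has already been raised to HIGH, so the failure can be observed only by a context entitled to see the secret.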

Type: Articles
Copyright © Cambridge University Press 2017


Footnotes

1 This work was partially done while the author was at Stanford.

* This work was funded by DARPA CRASH under contract N66001-10-2-4088, by multiple gifts from Google, by a gift from The Mozilla Corporation, and by the Swedish research agencies VR and the Barbro Oshers Pro Suecia Foundation. Deian Stefan was supported by the DoD through the NDSEG Fellowship Program.
