Hostname: page-component-7c8c6479df-p566r Total loading time: 0 Render date: 2024-03-27T11:22:27.528Z Has data issue: false hasContentIssue false

Flexible dynamic information flow control in the presence of exceptions*

Published online by Cambridge University Press:  12 January 2017

DEIAN STEFAN
Affiliation:
UC San Diego, La Jolla, CA, USA (e-mail: deian@cs.ucsd.edu)
DAVID MAZIÈRES
Affiliation:
Stanford University, Stanford, CA, USA (e-mail: mitchell@cs.stanford.edu)
JOHN C. MITCHELL
Affiliation:
Stanford University, Stanford, CA, USA (e-mail: mitchell@cs.stanford.edu)
ALEJANDRO RUSSO
Affiliation:
Chalmers University of Technology, Gothenburg, Sweden (e-mail: russo@chalmers.se)
Rights & Permissions [Opens in a new window]

Abstract

Core share and HTML view are not available for this content. However, as you have access to this content, a full PDF is available via the ‘Save PDF’ action button.

We describe a language-based, dynamic information flow control (IFC) system called LIO. Our system presents a new design point for IFC, influenced by the challenge of implementing IFC as a Haskell library, as opposed to the more typical approach of modifying the language runtime system. In particular, we take a coarse-grained, floating-label approach, previously used by IFC Operating Systems, and associate a single, mutable label—the current label—with all the data in a computation's context. This label is always raised to reflect the reading of sensitive information and it is used to restrict the underlying computation's effects. To preserve the flexibility of fine-grained systems, LIO also provides programmers with a means for associating an explicit label with a piece of data. Interestingly, these labeled values can be used to encapsulate the results of sensitive computations which would otherwise lead to the creeping of the current label. Unlike other language-based systems, LIO also bounds the current label with a current clearance, providing a form of discretionary access control that LIO programs can use to deal with covert channels. Moreover, LIO provides programmers with mutable references and exceptions. The latter, exceptions, are used in LIO to encode and recover from monitor failures, all while preserving data confidentiality and integrity—this addresses a longstanding concern that dynamic IFC is inherently prone to information leakage due to monitor failure.

Type
Articles
Copyright
Copyright © Cambridge University Press 2017 

Footnotes

1

This work was partially done while the author was at Stanford.

*

This work was funded by DARPA CRASH under contract N66001-10-2-4088, by multiple gifts from Google, by a gift from The Mozilla Corporation, and by the Swedish research agencies VR and the Barbro Oshers Pro Suecia Foundation. Deian Stefan was supported by the DoD through the NDSEG Fellowship Program.

References

Abadi, M., Banerjee, A., Heintze, N. & Riecke, J. (1999) A core calculus of dependency. In Proceedings of Symposium on Principles of Programming Panguages. New York, NY, USA: ACM.Google Scholar
Agat, J. (2000) Transforming out timing leaks. In Proceedings of Symposium on Principles of Programming Languages. New York, NY, USA: ACM.Google Scholar
Askarov, A. & Sabelfeld, A. (2009a) Catch me if you can: Permissive yet secure error handling. In Proceedings of Programming Languages and Analysis for Security. New York, NY, USA: ACM.Google Scholar
Askarov, A. & Sabelfeld, A. (2009b) Tight enforcement of information-release policies for dynamic languages. In Proceedings of Computer Security Foundations symposium. Washington, DC, USA: IEEE Computer Society.Google Scholar
Askarov, A., Hunt, S., Sabelfeld, A. & Sands, D. (2008) Termination-insensitive noninterference leaks more than just a bit. In Proceedings of European Symposium on Research in Computer Security. Berlin, Heidelberg: Springer-Verlag.Google Scholar
Atkey, R. (2009) Parameterised notions of computation. J. Funct.Program. 19 (3–4), 335376.CrossRefGoogle Scholar
Austin, T. H. & Flanagan, C. (2009) Efficient purely-dynamic information flow analysis. In Proceedings of Workshop on Programming Languages and Analysis for Security. New York, NY, USA: ACM.Google Scholar
Austin, T. H. & Flanagan, C. (2010) Permissive dynamic information flow analysis. In Proceedings of Workshop on Programming Languages and Analysis for Security. New York, NY, USA: ACM.Google Scholar
Bell, D. E. & La Padula, L. (1976) Secure Computer System: Unified Exposition and Multics Interpretation. Technical Report MTR-2997, Rev. 1. MITRE Corp. Google Scholar
Biba, K. J. (1977 April) Integrity Considerations for Secure Computer Systems. Technical Report ESD-TR-76-372. MITRE Corp. Google Scholar
Buiras, P., Stefan, D. & Russo, A. (2014) On flow-sensitive floating-label systems. In Proceedings of Computer Security Foundations Symposium. Washington, DC, USA: IEEE Computer Society.Google Scholar
Crary, K., Kliger, A. & Pfenning, F. (2005) A monadic analysis of information flow security with mutable state. J. Funct. Program. 15 (2), 249291.Google Scholar
Denning, D. E. (1976) A lattice model of secure information flow. Commun. ACM 19 (5), 236243.CrossRefGoogle Scholar
Denning, D. E. & Denning, P. J. (1977) Certification of programs for secure information flow. Commun. ACM 20 (7), 504513.Google Scholar
Department of Defense. (1985) Trusted Computer System Evaluation Criteria (Orange Book). DoD 5200.28-STD edn. Department of Defense.Google Scholar
Devriese, D. & Piessens, F. (2011) Information flow enforcement in monadic libraries. In Proceedings of Workshop on Types in Language Design and Implementation. New York, NY, USA: ACM.Google Scholar
Efstathopoulos, P., Krohn, M., VanDeBogart, S., Frey, C., Ziegler, D., Kohler, E., Mazières, D., Kaashoek, F. & Morris, R. (2005) Labels and event processes in the Asbestos operating system. In Proceedings of Symposium on Operating Systems Principles. New York, NY, USA: ACM.Google Scholar
Friedman, D. P. & Wise, D. S. (1976) The impact of applicative programming on multiprocessing. In Proceedings of International Conference on Parallel Processing. Indiana University, Computer Science Department.Google Scholar
Giffin, D. B., Levy, A., Stefan, D., Terei, D., Mazières, D., Mitchell, J., & Russo, A. (2012) Hails: Protecting data privacy in untrusted web applications. In Proceedings of Symposium on Operating Systems Design and Implementation. Berkeley, CA, USA: USENIX.Google Scholar
Goguen, J. A. & Meseguer, J. (1982) Security policies and security models. In Proceedings of Symposium on Security and Privacy. Washington, DC, USA: IEEE Computer Society.Google Scholar
Harrison, W. L. (2005) Achieving information flow security through precise control of effects. In Proceedings of Computer Security Foundations Workshop. Washington, DC, USA: IEEE Computer Society.Google Scholar
Hedin, D. & Sabelfeld, A. (2012) Information-flow security for a core of JavaScript. In Proceedings of Computer Security Foundations Symposium. Washington, DC, USA: IEEE Computer Society.Google Scholar
Hedin, D. & Sands, D. (2006) Noninterference in the presence of non-opaque pointers. In Proceedings of Computer Security Foundations Workshop. Washington, DC, USA: IEEE Computer Society.Google Scholar
Heintze, N. & Riecke, J. G. (1998) The SLam calculus: Programming with secrecy and integrity. In Proceedings of Symposium on Principles of Programming Languages. New York, NY, USA: ACM.Google Scholar
Heule, S., Stefan, D., Yang, E. Z., Mitchell, J. C. & Russo, A. (2015) IFC inside: Retrofitting languages with dynamic information flow control. In Proceedings of Conference on Principles of Security and Trust. Berlin, Heidelberg: Springer.Google Scholar
Hriţcu, C., Greenberg, M., Karel, B., Pierce, B. C. & Morrisett, G. (2013) All your IFC exceptions are belong to us. In Proceedings of Symposium on Security and Privacy. Washington, DC, USA: IEEE Computer Society.Google Scholar
Hughes, J. (2000) Generalising monads to arrows. Sci. Comput. Program. 37 (1–3), 67111.Google Scholar
Krohn, M., Yip, A., Brodsky, M., Cliffer, N., Kaashoek, M. F., Kohler, E. & Morris, R. (2007) Information flow control for standard OS abstractions. In Proceedings of Symposium on Operating Systems Principles. New York, NY, USA: ACM.Google Scholar
Lampson, B. W. (1973) A note on the confinement problem. Commun. ACM 16 (10), 613615.Google Scholar
Landwehr, C. E. (1981) Formal models for computer security. Comput. Survels 13 (3), 247278.Google Scholar
Li, P. & Zdancewic, S. (2006) Encoding information flow in Haskell. In Proceedings of Computer Security Foundations Workshop. Washington, DC, USA: IEEE Computer Society.Google Scholar
Li, P. & Zdancewic, S. (2010) Arrows for secure information flow. Theor. Comput. Sci. 411 (19), 19741994.CrossRefGoogle Scholar
Liang, S., Hudak, P. & Jones, M. (1995) Monad transformers and modular interpreters. In Proceedings of Symposium on Principles of Programming Languages. New York, NY, USA: ACM.Google Scholar
Miller, M. S. (2006) Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control. PhD Thesis, Johns Hopkins University.Google Scholar
Morgenstern, J. & Licata, D. R. (2010) Security-typed programming within dependently typed programming. In Proceedings of International Conference on Functional Programming. New York, NY, USA: ACM.Google Scholar
Myers, A. C. & Liskov, B. (1997) A decentralized model for information flow control. In Proceedings of Symposium on Operating Systems Principles. New York, NY, USA: ACM.Google Scholar
Myers, A. C. & Liskov, B. (2000) Protecting privacy using the decentralized label model. ACM Trans. Comput. Syst. 9 (4), 410442.Google Scholar
Myers, A. C., Zheng, L., Zdancewic, S., Chong, S. & Nystrom, N. (2001) Jif: Java Information Flow. Software release. Accessed December 8, 2016. Available at: http://www.cs.cornell.edu/jif Google Scholar
Peyton Jones, S. (2001) Tackling the awkward squad: monadic input/output, concurrency, exceptions, and foreign-language calls in Haskell. Engineering theories of software construction. Clifton, VA, USA: IOS Press.Google Scholar
Pottier, F. & Simonet, V. (2002) Information flow inference for ML. In Proceedings of Symposium on Principles of Programming Languages. New York, NY, USA: ACM.Google Scholar
Rondon, P. M, Kawaguci, M. & Jhala, R. (2008) Liquid types. ACM SIGPLAN Not. 43 (6), 159169.Google Scholar
Roy, I., Porter, D. E., Bond, M. D., McKinley, K. S. & Witchel, E. (2009) Laminar: Practical fine-grained decentralized information flow control. In Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation. PLDI '09. New York, NY, USA: ACM.Google Scholar
Russo, A., Claessen, K. & Hughes, J. (2008) A library for light-weight information-flow security in Haskell. In Proceedings of Symposium on Haskell. ACM SIGPLAN.Google Scholar
Russo, A. & Sabelfeld, A. (2010) Dynamic vs. static flow-sensitive security analysis. In Proceedings of Computer Security Foundations Symposium. Washington, DC, USA: IEEE Computer Society.Google Scholar
Sabelfeld, A. & Myers, A. C. (2003) Language-based information-flow security. IEEE J. Sel. Areas Commun. 21 (1), 519.Google Scholar
Sabelfeld, A. & Russo, A. (2009) From dynamic to static and back: Riding the roller coaster of information-flow control research. In Proceedings of Conference on Perspectives of System Informatics. Berlin, Heidelberg: Springer.Google Scholar
Saltzer, J. H. & Schroeder, M. D. (1975) The protection of information in computer systems. Proc. IEEE 63 (9), 12781308.Google Scholar
Simonet, V. (2003) The Flow Caml system. Software release. Accessed December 8, 2016. Available at: http://cristal.inria.fr/simonet/soft/flowcaml/.Google Scholar
Stefan, D., Russo, A., Buiras, P., Levy, A., Mitchell, J. C. & Mazières, D. (2012a) Addressing covert termination and timing channels in concurrent information flow systems. In Proceedings of International Conference on Functional Programming. New York, NY, USA: ACM SIGPLAN.Google Scholar
Stefan, D., Russo, A., Mazières, D. & Mitchell, J. C. (2011a) Disjunction category labels. In Proceedings of Nordic conference on secure IT systems. Berlin, Heidelberg: Springer.Google Scholar
Stefan, D., Russo, A., Mitchell, J. C. & Mazières, D. (2011b) Flexible dynamic information flow control in Haskell. In Proceedings of Symposium on Haskell. New York, NY, USA: ACM SIGPLAN.Google Scholar
Stefan, D., Russo, A., Mitchell, J. C. & Mazières, D. (2012b) Flexible dynamic information flow control in the presence of exceptions. Preprint arxiv:1207.1457.Google Scholar
Stoughton, A. (1981) Access flow: A protection model which integrates access control and information flow. In Proceedings of Symposium on Security and Privacy. Washington, DC, USA: IEEE Computer Society.Google Scholar
Sulzmann, M., Duck, G. J., Peyton Jones, S. & Stuckey, P. J. (2007) Understanding functional dependencies via constraint handling rules. J. Funct. Program. 17 (1), 83129.Google Scholar
Terei, D., Marlow, S., Peyton Jones, S. & Mazières, D. (2012) Safe Haskell. In Proceedings of Symposium on Haskell. New York, NY, USA: ACM SIGPLAN.Google Scholar
Tsai, T., Russo, A. & Hughes, J. (2007) A library for secure multi-threaded information flow in Haskell. In Proceedings of Computer Security Foundations Symposium. Washington, DC, USA: IEEE Computer Society.Google Scholar
Tse, S. & Zdancewic, S. (2004) Translating dependency into parametricity. In Proceedings of 9th ACM Sigplan International Conference on Functional Programming. New York, NY, USA: ACM.Google Scholar
VanDeBogart, S., Efstathopoulos, P., Kohler, E., Krohn, M., Frey, C., Ziegler, D., Kaashoek, F., Morris, R. & Mazières, D. (2007) Labels and event processes in the Asbestos operating system. ACM Trans. Comput. Syst. 25 (4), 1730.Google Scholar
Waye, L., Buiras, P., King, D., Chong, S. & Russo, A. (2015) It's my privilege: Controlling downgrading in DC-labels. In Proceedings of Security and Trust Management - 11th International Workshop, STM 2015. Vienna, Austria, September 21–22, 2015. Berlin, Heidelberg: Springer, pp. 203219.Google Scholar
Winskel, G. (1993) The Formal Semantics of Programming Languages: An Introduction. MIT Press.Google Scholar
Zdancewic, S. & Myers, A. C. (2003) Observational determinism for concurrent program security. In Proceedings of Computer Security Foundations Workshop. Washington, DC, USA: IEEE Computer Society.Google Scholar
Zdancewic, S. A. (2002) Programming Languages for Information Security. Ph.D. thesis, Cornell University.Google Scholar
Zdancewic, S. & Myers, A. C. (2001) Robust declassification. In csfw. Washington, DC, USA: IEEE, pp. 1523.Google Scholar
Zeldovich, N., Boyd-Wickizer, S., Kohler, E. & Mazières, D. (2006) Making information flow explicit in HiStar. In Proceedings of Symposium on operating systems design and implementation.Google Scholar
Submit a response

Discussions

No Discussions have been published for this article.