Flexible dynamic information flow control in the presence of exceptions*

  • DEIAN STEFAN (a1), DAVID MAZIÈRES (a2), JOHN C. MITCHELL (a2) and ALEJANDRO RUSSO (a3)
Abstract

We describe a language-based, dynamic information flow control (IFC) system called LIO. Our system presents a new design point for IFC, influenced by the challenge of implementing IFC as a Haskell library, as opposed to the more typical approach of modifying the language runtime system. In particular, we take a coarse-grained, floating-label approach, previously used by IFC Operating Systems, and associate a single, mutable label—the current label—with all the data in a computation's context. This label is always raised to reflect the reading of sensitive information and it is used to restrict the underlying computation's effects. To preserve the flexibility of fine-grained systems, LIO also provides programmers with a means for associating an explicit label with a piece of data. Interestingly, these labeled values can be used to encapsulate the results of sensitive computations which would otherwise lead to the creeping of the current label. Unlike other language-based systems, LIO also bounds the current label with a current clearance, providing a form of discretionary access control that LIO programs can use to deal with covert channels. Moreover, LIO provides programmers with mutable references and exceptions. The latter, exceptions, are used in LIO to encode and recover from monitor failures, all while preserving data confidentiality and integrity—this addresses a longstanding concern that dynamic IFC is inherently prone to information leakage due to monitor failure.
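To make the mechanics in the abstract concrete, here is an added illustrative model written for this page, not code from the LIO library: labels are frozensets of secrecy categories (join is union, "can flow to" is subset), a single current label floats upward on every read and is bounded by a clearance, effects are checked against the current label, and `to_labeled` both contains label creep and captures a monitor failure inside the labeled value instead of letting it escape. The names `LIO`, `Labeled`, `IFCError`, `unlabel`, `write` and `to_labeled` are this model's own.

```python
# Added example, not the LIO library: a Python model of LIO's floating-label
# monitor. Labels are frozensets of secrecy categories (join = union,
# "can flow to" = subset, empty set = public data).
from typing import Any, Callable, FrozenSet
Label = FrozenSet[str]
PUBLIC: Label = frozenset()

class IFCError(Exception):
    """Monitor failure: the operation would violate the flow policy."""

class Labeled:
    def __init__(self, label: Label, payload: Any, failed: bool = False):
        self.label, self.payload, self.failed = label, payload, failed

class LIO:
    def __init__(self, clearance: Label):
        self.current = PUBLIC        # floats up as sensitive data is read
        self.clearance = clearance   # upper bound on the current label
        self.sinks: dict = {}        # constructed stand-in for output channels
    def unlabel(self, lv: Labeled) -> Any:
        # Reading taints the context: current := join(current, lv.label)
        joined = self.current | lv.label
        if not joined <= self.clearance:
            raise IFCError("current label would exceed clearance")
        self.current = joined
        if lv.failed:            # failure captured by to_labeled resurfaces
            raise lv.payload     # only once the reader is tainted by lv.label
        return lv.payload

    def write(self, sink: str, sink_label: Label, value: Any) -> None:
        # Effects are permitted only where the current label can flow
        if not self.current <= sink_label:
            raise IFCError(f"write to {sink} blocked: context too tainted")
        self.sinks.setdefault(sink, []).append(value)

    def to_labeled(self, lbl: Label, action: Callable[["LIO"], Any]) -> Labeled:
        # Run action with clearance lowered to lbl and wrap its result, or its
        # monitor failure, at lbl; the caller's labels are restored, so secrets
        # read inside do not make the caller's current label creep upward.
        if not (self.current <= lbl <= self.clearance):
            raise IFCError("label must lie between current label and clearance")
        saved, self.clearance = (self.current, self.clearance), lbl
        try:
            payload, failed = action(self), False
        except IFCError as e:
            payload, failed = e, True
        finally:
            self.current, self.clearance = saved
        return Labeled(lbl, payload, failed)
```

A direct `unlabel` of a secret leaves the context unable to write to a public sink, whereas the same read inside `to_labeled` leaves the caller public and only taints whoever later unlabels the wrapped result.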

Footnotes

1. This work was partially done while the author was at Stanford.

* This work was funded by DARPA CRASH under contract N66001-10-2-4088, by multiple gifts from Google, by a gift from The Mozilla Corporation, and by the Swedish research agencies VR and the Barbro Oshers Pro Suecia Foundation. Deian Stefan was supported by the DoD through the NDSEG Fellowship Program.

Journal of Functional Programming (ISSN: 0956-7968, EISSN: 1469-7653)