
Modelling declassification policies using abstract domain completeness

Published online by Cambridge University Press:  27 October 2011

ISABELLA MASTROENI, Università di Verona, Verona, Italy. Email: isabella.mastroeni@univr.it
ANINDYA BANERJEE, IMDEA Software Institute, Madrid, Spain. Email: anindya.banerjee@imdea.org

Abstract

This paper explores a three-dimensional characterisation of a declassification-based non-interference policy and its consequences. Two of the dimensions consist of specifying:

  (a) the power of the attacker, that is, what public information a program has that an attacker can observe; and
  (b) what secret information a program has that needs to be protected.

Both these dimensions are regulated by the third dimension:

  (c) the choice of program semantics, for example, trace semantics or denotational semantics, or any semantics in Cousot's semantics hierarchy.

To check whether a program satisfies a non-interference policy, one can compute an abstract domain that over-approximates the information released by the policy and then check whether program execution can release more information than permitted by the policy. Counterexamples to a policy can be generated by using a variant of the Paige–Tarjan algorithm for partition refinement. Given the counterexamples, the policy can be refined so that the least amount of confidential information required for making the program secure is declassified.
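The check-then-refine loop sketched in the abstract can be made concrete on a finite-state program. The following is an added illustration, not code from the paper or its authors: a "what" declassification policy is represented as a partition of the secret inputs (secrets in the same block must remain indistinguishable), the attacker is assumed to observe the program's exact output for every public input, and a counterexample is a pair of secrets in one policy block that the program tells apart. Refinement then splits each block by the attacker's observation, the basic splitting step of partition refinement (a simplified stand-in for the Paige–Tarjan variant the paper uses), until the partition is stable; the result is the coarsest refinement of the policy under which the program is secure, i.e. the least additional information that must be declassified. The toy `program`, the input ranges and the parity policy are all constructed for this example.

```python
from collections import defaultdict

# Constructed input spaces: secret h and public l are small integers.
SECRETS = range(8)
PUBLICS = range(2)


def program(h, l):
    """Constructed toy program. On l == 1 it reveals whether h >= 4; otherwise
    it reveals only the parity of h. The return value is what the attacker
    observes (identity attacker abstraction, dimension (a) in the abstract)."""
    return int(h >= 4) if l == 1 else h % 2


def partition_by(elements, key):
    """Partition `elements` into blocks of equal `key` value (sorted tuples,
    so that two partitions can be compared for equality)."""
    blocks = defaultdict(list)
    for e in elements:
        blocks[key(e)].append(e)
    return sorted(tuple(b) for b in blocks.values())


def policy_partition(declassified):
    """A 'what' declassification policy given as a function of the secret:
    two secrets with the same declassified value must stay indistinguishable
    (dimension (b): the secret information that has to be protected)."""
    return partition_by(SECRETS, declassified)


def observation(h):
    """The attacker's view of secret h: the outputs over every public input."""
    return tuple(program(h, l) for l in PUBLICS)


def counterexamples(partition):
    """Triples (h1, h2, l) with h1, h2 in one policy block whose outputs differ.
    Each one is a release of information the policy does not permit."""
    found = []
    for block in partition:
        for i, h1 in enumerate(block):
            for h2 in block[i + 1:]:
                for l in PUBLICS:
                    if program(h1, l) != program(h2, l):
                        found.append((h1, h2, l))
    return found


def is_secure(partition):
    """The program satisfies the policy iff no block is split by an observation."""
    return not counterexamples(partition)


def refine(partition):
    """Split every block by the observation signature and repeat until stable.
    The fixpoint is the coarsest refinement of the input partition that makes
    the program secure: the least extra declassification that suffices."""
    while True:
        new = []
        for block in partition:
            new.extend(partition_by(block, observation))
        new = sorted(new)
        if new == partition:
            return new
        partition = new


if __name__ == "__main__":
    parity = policy_partition(lambda h: h % 2)  # policy: parity of h may be released
    print("parity policy:", parity)
    print("secure under parity policy?", is_secure(parity))
    print("first counterexamples:", counterexamples(parity)[:3])
    refined = refine(parity)
    print("refined policy:", refined)
    print("secure after refinement?", is_secure(refined))
```

Running the block shows the parity policy is violated (for example secrets 0 and 4 share parity but give different outputs when l = 1) and that the refined policy additionally releases the predicate h >= 4, which is exactly what the toy program leaks and nothing more. Declaring that predicate in the policy up front (`policy_partition(lambda h: (h % 2, h >= 4))`) yields the same partition and passes the check without refinement.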

Type: Paper

Copyright © Cambridge University Press 2011


References

Alur, R., Cerny, P. and Zdancewic, S. (2006) Preserving secrecy under refinement. In: Proceedings of the International Colloquium on Automata, Languages and Programming (ICALP '06). Springer-Verlag Lecture Notes in Computer Science 4052 107–118.
Amtoft, T., Bandhakavi, S. and Banerjee, A. (2006) A logic for information flow in object-oriented programs. In: Proceedings of the 33rd Annual ACM Symposium on Principles of Programming Languages, ACM Press 91–102.
Askarov, A. and Sabelfeld, A. (2007a) Gradual release: Unifying declassification, encryption and key release policies. In: Proceedings IEEE Symposium on Security and Privacy, IEEE Computer Society Press.
Askarov, A. and Sabelfeld, A. (2007b) Localized delimited release: Combining the what and the where dimensions of information release. In: PLAS '07: Proceedings of the 2007 Workshop on Programming Languages and Analysis for Security, ACM Press 53–60.
Banerjee, A., Giacobazzi, R. and Mastroeni, I. (2007) What you lose is what you leak: Information leakage in declassification policies. In: Proceedings of the 23rd International Symposium on Mathematical Foundations of Programming Semantics (MFPS '07). Electronic Notes in Theoretical Computer Science 1514.
Banerjee, A., Naumann, D. A. and Rosenberg, S. (2008) Expressive declassification policies and modular static enforcement. In: Proceedings IEEE Symposium on Security and Privacy, IEEE Computer Society Press.
Bell, D. E. and LaPadula, L. J. (1973) Secure computer systems: Mathematical foundations and model. Technical Report M74-244, MITRE Corporation, Bedford, MA.
Clark, D., Hunt, S. and Malacaria, P. (2004) Quantified interference: Information theory and information flow (extended abstract).
Cohen, E. S. (1977) Information transmission in computational systems. ACM SIGOPS Operating Systems Review 11 (5) 133–139.
Cousot, P. (2002) Constructive design of a hierarchy of semantics of a transition system by abstract interpretation. Theoretical Computer Science 277 (1–2) 47–103.
Cousot, P. and Cousot, R. (1977) Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proceedings of the 4th ACM SIGACT–SIGPLAN Symposium on Principles of Programming Languages (POPL '77), ACM Press 238–252.
Cousot, P. and Cousot, R. (1979) Systematic design of program analysis frameworks. In: Proceedings of the 6th ACM SIGACT–SIGPLAN Symposium on Principles of Programming Languages (POPL '79), ACM Press 269–282.
Darvas, A., Hähnle, R. and Sands, D. (2005) A theorem proving approach to analysis of secure information flow. In: Hutter, D. and Ullmann, M. (eds.) Security in Pervasive Computing: Second International Conference (SPC 2005). Springer-Verlag Lecture Notes in Computer Science 3450 193–209.
Di Pierro, A., Hankin, C. and Wiklicky, H. (2002) Approximate non-interference. In: Proceedings of the IEEE Computer Security Foundations Workshop, IEEE Computer Society Press 1–17.
Dijkstra, E. W. (1975) Guarded commands, nondeterminism and formal derivation of programs. Communications of the ACM 18 (8) 453–457.
Giacobazzi, R. and Mastroeni, I. (2004) Abstract non-interference: Parameterizing non-interference by abstract interpretation. In: Proceedings of the 31st Annual ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL '04), ACM Press 186–197.
Giacobazzi, R. and Mastroeni, I. (2005) Adjoining declassification and attack models by abstract interpretation. In: Sagiv, S. (ed.) Proceedings of the European Symposium on Programming (ESOP '05). Springer-Verlag Lecture Notes in Computer Science 3444 295–310.
Giacobazzi, R. and Quintarelli, E. (2001) Incompleteness, counterexamples and refinements in abstract model-checking. In: Cousot, P. (ed.) Proceedings of the 8th International Static Analysis Symposium (SAS '01). Springer-Verlag Lecture Notes in Computer Science 2126 356–373.
Giacobazzi, R., Ranzato, F. and Scozzari, F. (2000) Making abstract interpretations complete. Journal of the ACM 47 (2) 361–416.
Goguen, J. A. and Meseguer, J. (1984) Unwinding and inference control. In: Proceedings IEEE Symposium on Security and Privacy, IEEE Computer Society Press 75–86.
Gorelick, G. (1975) A complete axiomatic system for proving assertions about recursive and non-recursive programs. Technical Report 75, Department of Computer Science, University of Toronto.
Hunt, S. and Mastroeni, I. (2005) The PER model of abstract non-interference. In: Hankin, C. and Siveroni, I. (eds.) Proceedings of the 12th International Static Analysis Symposium (SAS '05). Springer-Verlag Lecture Notes in Computer Science 3672 171–185.
Joshi, R. and Leino, K. R. M. (2000) A semantic approach to secure information flow. Science of Computer Programming 37 113–138.
Kahn, G. (1987) Natural semantics. In: Proceedings of the Symposium on Theoretical Aspects of Computer Science. Springer-Verlag Lecture Notes in Computer Science 247 22–39.
Li, P. and Zdancewic, S. (2005) Downgrading policies and relaxed noninterference. In: Proceedings of the 32nd Annual ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL '05), ACM Press 158–170.
Mastroeni, I. (2005) On the role of abstract non-interference in language-based security. In: Yi, K. (ed.) Third Asian Symposium on Programming Languages and Systems (APLAS '05). Springer-Verlag Lecture Notes in Computer Science 3780 418–433.
Mastroeni, I. (2008) Deriving bisimulations by simplifying partitions. In: Proceedings of the 9th International Conference on Verification, Model Checking and Abstract Interpretation (VMCAI '08). Springer-Verlag Lecture Notes in Computer Science 4905 147–171.
Miné, A. (2006) The octagon abstract domain. Higher-Order and Symbolic Computation 19 31–100.
Myers, A. C., Chong, S., Nystrom, N., Zheng, L. and Zdancewic, S. (2001) Jif: Java information flow. Software release.
Myers, A. C., Sabelfeld, A. and Zdancewic, S. (2004) Enforcing robust declassification. In: Proceedings IEEE Symposium on Security and Privacy, IEEE Computer Society Press 21–34.
Paige, R. and Tarjan, R. E. (1987) Three partition refinement algorithms. SIAM Journal on Computing 16 (6) 977–982.
Ranzato, F. and Tapparo, F. (2005) An abstract interpretation-based refinement algorithm for strong preservation. In: Halbwachs, N. and Zuck, L. (eds.) Proceedings of TACAS: Tools and Algorithms for the Construction and Analysis of Systems. Springer-Verlag Lecture Notes in Computer Science 3440 140–156.
Sabelfeld, A. and Myers, A. C. (2004) A model for delimited information release. In: Yonezaki, N., Futatsugi, K. and Mizoguchi, F. (eds.) Proceedings of the International Symposium on Software Security (ISSS '03). Springer-Verlag Lecture Notes in Computer Science 3233 174–191.
Sabelfeld, A. and Myers, A. C. (2003) Language-based information-flow security. IEEE Journal on Selected Areas in Communications 21 (1) 5–19.
Sabelfeld, A. and Sands, D. (2001) A PER model of secure information flow in sequential programs. Higher-Order and Symbolic Computation 14 (1) 59–91.
Sabelfeld, A. and Sands, D. (2007) Declassification: Dimensions and principles. Journal of Computer Security.
Schmidt, D. A. (2006) Comparing completeness properties of static analyses and their logics. In: Kobayashi, N. (ed.) Proceedings of the 2006 Asian Programming Languages and Systems Symposium (APLAS '06). Springer-Verlag Lecture Notes in Computer Science 4279 183–199.
Unno, H., Kobayashi, N. and Yonezawa, A. (2006) Combining type-based analysis and model checking for finding counterexamples against non-interference. In: Proceedings of the Workshop on Programming Languages and Analysis for Security (PLAS '06), ACM Press 17–26.
Winskel, G. (1993) The Formal Semantics of Programming Languages: An Introduction, MIT Press.
Zdancewic, S. and Myers, A. C. (2001) Robust declassification. In: Proceedings of the IEEE Computer Security Foundations Workshop, IEEE Computer Society Press 15–23.