A Calculus for Flow-Limited Authorization: Technical Report

Real-world applications routinely make authorization decisions based on dynamic computation. Rea-soning about dynamically computed authority is challenging. Integrity of the system might be compro-mised if attackers can improperly influence the authorizing computation. Confidentiality can also becompromised by authorization, since authorization decisions are often based on sensitive data such asmembership lists and passwords. Previous formal models for authorization do not fully address the se-curity implications of permitting trust relationships to change, which limits their ability to reason aboutauthority that derives from dynamic computation. Our goal is a way to construct dynamic authorizationmechanisms that do not violate confidentiality or integrity.We introduce the Flow-Limited Authorization Calculus (FLAC), which is both a simple, expressivemodel for reasoning about dynamic authorization and also an information flow control language for se-curely implementing various authorization mechanisms. FLAC combines the insights of two previousmodels: it extends the Dependency Core Calculus with features made possible by the Flow-LimitedAuthorization Model. FLAC provides strong end-to-end information security guarantees even for pro-grams that incorporate and implement rich dynamic authorization mechanisms. These guarantees in-clude noninterference and robust declassification, which prevent attackers from influencing informationdisclosures in unauthorized ways. We prove these security properties formally for all FLAC programsand explore the expressiveness of FLAC with several examples.