Controlling the What and Where of Declassification in Language-Based Security

Authors

  • Heiko Mantel
  • Alexander Lux
Abstract

© Springer-Verlag Berlin Heidelberg 2007

While a rigorous information flow analysis is a key step in obtaining meaningful end-to-end confidentiality guarantees, one must also permit possibilities for declassification. Sabelfeld and Sands categorized the existing approaches to controlling declassification in their overview along four dimensions and according to four prudent principles [16]. In this article, we propose three novel security conditions for controlling the dimensions where and what, and we explain why these conditions constitute improvements over prior approaches. Moreover, we present a type-based security analysis and, as another novelty, prove a soundness result that considers more than one dimension of declassification.
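As an added illustration of what controlling the two dimensions amounts to in an enforcement mechanism (example code written for this page, not the paper's own formalism, security conditions or type system), the following Python checker for a tiny assignment language treats the "where" dimension as code locality, permitting `declassify` only at designated statement indices, and the "what" dimension as a fixed set of escape-hatch expressions that may be released. Every name in it (`Policy`, `check_program`, the `secret`/`out`/`tmp` variables) is this example's own, and the sample policy and programs are constructed.

```python
"""Toy two-level information-flow checker with controlled declassification.

Added example for illustration; not the conditions or analysis of Mantel and
Lux's paper. 'where' = declassification allowed only at listed statement
indices; 'what' = only listed escape-hatch expressions may be released.
"""
from dataclasses import dataclass

# Two-point lattice: L (public) is below H (secret).
RANK = {"L": 0, "H": 1}


def join(a, b):
    """Least upper bound of two levels."""
    return a if RANK[a] >= RANK[b] else b


@dataclass
class Policy:
    levels: dict           # variable name -> "L" | "H"
    escape_hatches: set    # expression trees that may be declassified ('what')
    declass_points: set    # statement indices where declassify may appear ('where')


def fmt(expr):
    """Pretty-print an expression tree for diagnostics."""
    kind = expr[0]
    if kind == "const":
        return str(expr[1])
    if kind == "var":
        return expr[1]
    if kind == "op":
        return f"({fmt(expr[2])} {expr[1]} {fmt(expr[3])})"
    return f"declassify({fmt(expr[1])})"


def level_of(expr, policy, idx, violations):
    """Security level of expr when evaluated in statement idx.

    A declassify node yields L, but is checked against both dimensions first;
    failures are recorded rather than raised so one pass reports everything.
    """
    kind = expr[0]
    if kind == "const":
        return "L"
    if kind == "var":
        return policy.levels[expr[1]]
    if kind == "op":
        _, _sym, e1, e2 = expr
        return join(level_of(e1, policy, idx, violations),
                    level_of(e2, policy, idx, violations))
    # kind == "declass"
    inner = expr[1]
    level_of(inner, policy, idx, violations)   # nested declassify nodes are still checked
    if idx not in policy.declass_points:
        violations.append(f"stmt {idx}: {fmt(expr)} outside permitted points (where)")
    if inner not in policy.escape_hatches:     # syntactic match: conservative by design
        violations.append(f"stmt {idx}: {fmt(inner)} is not an escape hatch (what)")
    return "L"


def check_program(program, policy):
    """Return a list of violations; an empty list means the program is accepted.

    program: list of (target_variable, expression_tree) assignments run in
    order. There is no branching, so only explicit flows are considered.
    """
    violations = []
    for idx, (target, expr) in enumerate(program):
        src = level_of(expr, policy, idx, violations)
        if RANK[src] > RANK[policy.levels[target]]:
            violations.append(
                f"stmt {idx}: {src} data assigned to {target} ({policy.levels[target]})")
    return violations


# Constructed sample policy: only the parity of `secret` may be released, and only in statement 0.
PARITY = ("op", "%", ("var", "secret"), ("const", 2))
POLICY = Policy(
    levels={"secret": "H", "out": "L", "tmp": "L"},
    escape_hatches={PARITY},
    declass_points={0},
)

ACCEPTED = [("out", ("declass", PARITY))]                            # right what, right where
LEAKS_ALL = [("out", ("declass", ("var", "secret")))]                # right where, wrong what
WRONG_PLACE = [("tmp", ("const", 0)), ("out", ("declass", PARITY))]  # right what, wrong where
NO_DECLASS = [("out", ("var", "secret"))]                            # plain explicit flow, rejected

if __name__ == "__main__":
    for name, prog in [("ACCEPTED", ACCEPTED), ("LEAKS_ALL", LEAKS_ALL),
                       ("WRONG_PLACE", WRONG_PLACE), ("NO_DECLASS", NO_DECLASS)]:
        print(name, check_program(prog, POLICY) or "ok")
```

Two caveats a practitioner should keep in mind. The "what" check is purely syntactic, so a semantically equivalent expression written differently is rejected; that is the conservative side to err on, since accepting `secret` itself under a parity hatch would release everything. And because the language has no control flow, implicit flows (branching on a secret) never arise here; a checker for a real language must also track them, which is the kind of obligation the paper's soundness proof discharges for its type-based analysis.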

Similar references

Scheduler-Independent Declassification

The controlled declassification of secrets has received much attention in research on information-flow security, though mostly for sequential programming languages. In this article, we aim at guaranteeing the security of concurrent programs. We propose the novel security property WHAT&WHERE that allows one to limit what information may be declassified where in a program. We show that our proper...

A Semantic Framework for Declassification and Endorsement

Language-based information flow methods offer a principled way to enforce strong security properties, but enforcing noninterference is too inflexible for realistic applications. Security-typed languages have therefore introduced declassification mechanisms for relaxing confidentiality policies, and endorsement mechanisms for relaxing integrity policies. However, a continuing challenge has been ...

Flow Policy Awareness for Distributed Mobile Code

Several programming constructs have recently been proposed with the purpose of enabling the programmer to encode declassifying information flows within a program that complies with information flow security policies. These constructs may or may not incorporate some means for controlling when, where, what, or by whom the declassification can be set up. In the context of...

Inference of Usable Declassification Policies

We explore the inference of fine-grained human readable declassification policies as a step towards providing security guarantees that are proportional to a programmer’s effort: the programmer should receive weak (but sound) security guarantees for little effort, and stronger guarantees for more effort. We present declassification policies that can specify what information is released under wha...

A Logical Account of Secure Declassification

Declassification is a vital ingredient for practical use of secure systems. Strong noninterference as a security policy does not account for declassification but is attractive as a baseline security policy because it provides an end-to-end account of security. Several recent efforts to formulate an end-to-end policy for declassification seem inconclusive and have focused on apparently different ...

Publication date: 2007