Declassification with Explicit Reference Points
نویسندگان
چکیده
Noninterference requires that public outputs of a program must be completely independent from secrets. While this ensures that secrets cannot be leaked, it is too restrictive for many applications. For instance, the output of a knowledge-based authentication mechanism needs to reveal whether an input matches the secret password. The research problem is to allow such exceptions without giving up too much. Though a number of solutions has been developed, the problem is not yet satisfactorily solved. In this article, we propose a framework to control what information is declassified. Our contributions include a policy language, a semantic characterization of information flow security, and a sound security type system. The main technical novelty is the explicit treatment of so called reference points, which allows us to offer substantially more flexible control of what is released than in existing approaches.
منابع مشابه
Dependency-Based Information Flow Analysis with Declassification in a Program Logic
We present a deductive approach for the analysis of secure information flows with support for fine-grained policies that include declassifications in the form of delimited information release. By explicitly tracking the dependencies of program locations as a computation history, we maintain high precision, while avoiding the need for comparing independent program runs. By considering an explici...
متن کاملOwnership Downgrading for Ownership Types
Ownership types support information hiding by providing object-based encapsulation. However the static restrictions they impose on object accessibility can limit the expressiveness of ownership types. In order to deal with real applications, it is sometimes necessary to admit mechanisms for dynamically exposing otherwise encapsulated information. The need for policies and mechanisms to control ...
متن کاملA Logical Account of Secure Declassification
Declassification is a vital ingredient for practical use of secure systems. Strong noninterference as a security policy does not account for declassification but is attractive as a baseline security policy because it provides an end-toend account of security. Several recent efforts to formulate an end-to-end policy for declassification seem inconclusive and have focused on apparently different ...
متن کاملFlow-Sensitive Automaton-Based Monitoring of a Declassification Policy
Declassification policies aim to guarantee trusted release of confidential information. The semantic security conditions of declassification policies focus on different dimensions. In order to prevent the special attacks aiming to compromise the mechanisms of declassification, it is important for a declassification policy to combine different dimensions. Moreover, current body of work on the en...
متن کاملA Design for a Security-Typed Language with Certificate-Based Declassification
This paper presents a calculus that supports information-flow security policies and certificate-based declassification. The decentralized label model and its downgrading mechanisms are concisely expressed in the polymorphic lambda calculus with subtyping (System F≾). We prove a conditioned version of the noninterference theorem such that authorization for declassification is justified by digita...
متن کامل