Abstract
Information flow security provides a strong, end-to-end notion of security for computing systems. However, the policy languages used to express information flow security are often limited in expressive power, which complicates the specification of policies even for simple systems. These limitations become apparent in particular where confidential information is released only under specific conditions.
We present a novel policy language for expressing permissible information flow under expressive constraints on the execution traces of programs. Based on the policy language, we propose a security condition and show that it is a generalised intransitive non-interference condition. Furthermore, a flow-logic based static analysis is presented and shown to guarantee the security of the programs it accepts.
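The following is an added illustration of the idea sketched in the abstract, not the paper's own calculus or analysis: a policy that permits a flow from a high (H) variable to a low (L) variable only on traces satisfying a predicate, a static check that every H-to-L assignment sits at a program point whose (here unconditional, hence statically known) trace prefix satisfies the policy, and a brute-force check of the corresponding non-interference style condition, namely that two runs started in low-equivalent states stay low-equivalent at every step where the policy does not yet permit the flow. The toy language, the `after_paid` predicate, the variable names and the two programs are all constructed for this example.

```python
"""Toy model of trace-conditioned information flow (added example, not the paper's formalism)."""
from itertools import product

H, L = "H", "L"

# Variables and their fixed security levels (constructed example).
LEVELS = {"secret": H, "out": L}


def after_paid(trace):
    """Trace predicate: a 'paid' event has already been emitted."""
    return "paid" in trace


# Policy: a flow from H to L is permitted only on trace prefixes satisfying after_paid.
# Every other flow (L->L, L->H, H->H) is always permitted.
POLICY = {(H, L): after_paid}


def permitted(src, dst, trace):
    pred = POLICY.get((src, dst))
    return pred is None or pred(trace)


def step_trace_prefixes(program):
    """Trace prefix in force at each step. Events are unconditional in this toy
    language, so the prefix at every program point is known statically."""
    prefixes, trace = [], ()
    for kind, *args in program:
        prefixes.append(trace)
        if kind == "emit":
            trace = trace + (args[0],)
    return prefixes


def static_check(program):
    """Static check: return the indices of assignments whose source-to-destination
    flow is not permitted by the policy at that program point (empty list = accepted)."""
    bad = []
    for i, (prefix, (kind, *args)) in enumerate(zip(step_trace_prefixes(program), program)):
        if kind != "assign":
            continue
        dst, _fn, srcs = args
        if any(not permitted(LEVELS[s], LEVELS[dst], prefix) for s in srcs):
            bad.append(i)
    return bad


def run(program, state):
    """Execute the program and return a snapshot of the state after every step."""
    state, snapshots = dict(state), []
    for kind, *args in program:
        if kind == "assign":
            dst, fn, srcs = args
            state[dst] = fn(*(state[s] for s in srcs))
        snapshots.append(dict(state))
    return snapshots


def low_view(state):
    return {v: x for v, x in state.items() if LEVELS[v] == L}


def semantic_check(program, domain=(0, 1)):
    """Security condition, checked by brute force over a small value domain: for any two
    initial states with equal low views, the low views must still be equal after every
    step at which the policy does not yet permit H->L flow. Returns the first
    counterexample (s1, s2, step_index) or None if the program satisfies the condition."""
    prefixes = step_trace_prefixes(program)
    names = sorted(LEVELS)
    states = [dict(zip(names, vals)) for vals in product(domain, repeat=len(names))]
    for s1, s2 in product(states, repeat=2):
        if low_view(s1) != low_view(s2):
            continue
        r1, r2 = run(program, s1), run(program, s2)
        for i, prefix in enumerate(prefixes):
            if not permitted(H, L, prefix) and low_view(r1[i]) != low_view(r2[i]):
                return (s1, s2, i)
    return None


# Steps are ("emit", event) or ("assign", dst, fn, [src, ...]) with dst = fn(*srcs).
SECURE = [
    ("emit", "request"),
    ("assign", "out", lambda: 0, []),            # L <- constant: always permitted
    ("emit", "paid"),
    ("assign", "out", lambda s: s, ["secret"]),  # H -> L after 'paid': permitted
]
INSECURE = [
    ("emit", "request"),
    ("assign", "out", lambda s: s, ["secret"]),  # H -> L before 'paid': forbidden
    ("emit", "paid"),
]

if __name__ == "__main__":
    for name, prog in (("SECURE", SECURE), ("INSECURE", INSECURE)):
        print(name, "static:", static_check(prog), "semantic:", semantic_check(prog))
```

The static check is the sound but conservative side: it rejects exactly the assignments whose trace prefix fails the policy, without running anything. The semantic check is the condition itself, which is only decidable here because the toy language has no branching and a two-value domain; the paper's contribution is a static analysis that guarantees the condition for real programs.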
This work has in part been supported by the EU research project #016004, Software Engineering for Service-Oriented Overlay Computers.
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
Cite this paper
Tolstrup, T.K., Nielson, F., Hansen, R.R. (2007). Locality-Based Security Policies. In: Dimitrakos, T., Martinelli, F., Ryan, P.Y.A., Schneider, S. (eds) Formal Aspects in Security and Trust. FAST 2006. Lecture Notes in Computer Science, vol 4691. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75227-1_13
DOI: https://doi.org/10.1007/978-3-540-75227-1_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-75226-4
Online ISBN: 978-3-540-75227-1