An Axiomatic Approach to Information Flow in Programs

Andrews, Gregory R.; Reitman, Richard P.

doi:10.1145/357084.357088

Cited by 129 publications

(76 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There is evidence of both cases in the literature. For example, the instrumented semantics with flow sensitivity can be found in work by Andrews and Reitman [2], Mizuno and Oldehoeft [34], and Banâtre and Bryce [7]. All of these semantics are approximate: security constraints of executing one a of a conditional are computed based on both the branch that is taken and the branch that is not taken (cf.…”

Section: On Instrumented Security Semanticsmentioning

confidence: 99%

“…Property 2 of not looking aside). For example, the intuitively secure program if h = h then l := 1 else l := 0 is considered to have flow from h to l, and is rejected by Andrews and Reitman's semantics [2] when h is high and l is low (similar examples can be constructed for the other work [34], [7] mentioned above).…”

Section: On Instrumented Security Semanticsmentioning

confidence: 99%

“…Another implication is impossibility of permissive dynamic instrumented security semantics for information flow. Instrumented security semantics (e.g., [2], [34], [7], [37]) defines information flows in programs by instrumenting standard semantics with security operations. Variables are instrumented with security labels, which are propagated by the semantics along with ordinary values.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Dynamic vs. Static Flow-Sensitive Security Analysis

Russo

Sabelfeld

2010

2010 23rd IEEE Computer Security Foundations Symposium

155

216

View full text Add to dashboard Cite

Abstract-This paper seeks to answer fundamental questions about trade-offs between static and dynamic security analysis. It has been previously shown that flow-sensitive static information-flow analysis is a natural generalization of flowinsensitive static analysis, which allows accepting more secure programs. It has been also shown that sound purely dynamic information-flow enforcement is more permissive than static analysis in the flow-insensitive case. We argue that the step from flow-insensitive to flow-sensitive is fundamentally limited for purely dynamic information-flow controls. We prove impossibility of a sound purely dynamic information-flow monitor that accepts programs certified by a classical flow-sensitive static analysis. A side implication is impossibility of permissive dynamic instrumented security semantics for information flow, which guides us to uncover an unsound semantics from the literature. We present a general framework for hybrid mechanisms that is parameterized in the static part and in the reaction method of the enforcement (stop, suppress, or rewrite) and give security guarantees with respect to terminationinsensitive noninterference for a simple language with output.

show abstract

Section: On Instrumented Security Semanticsmentioning

confidence: 99%

Section: On Instrumented Security Semanticsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Dynamic vs. Static Flow-Sensitive Security Analysis

Russo

Sabelfeld

2010

2010 23rd IEEE Computer Security Foundations Symposium

155

216

View full text Add to dashboard Cite

show abstract

“…The account is not entirely satisfactory, since the details of the multi-level analysis are not made explicit, but the conclusion is that the dependency analysis subsumes multi-level security analysis. This is also implicit in Andrews and Reitman's information flow logic [AR80], whereby a logical flow deduction is made independently of a particular policy assigning security levels to variables. The principal typings result of [HS06] confirms that conclusion but also shows that (a) dependency analysis is itself a special case of flow-sensitive multi-level security analysis and (b) if multi-level security in a given lattice is the property of interest, dependency analysis doesn't provide any additional precision.…”

Section: Related Workmentioning

confidence: 99%

From Exponential to Polynomial-Time Security Typing via Principal Types

Hunt

Sands

2011

Programming Languages and Systems

View full text Add to dashboard Cite

Abstract. Hunt and Sands (POPL'06) studied a flow sensitive type (FST) system for multi-level security, parametric in the choice of lattice of security levels. Choosing the powerset of program variables as the security lattice yields a system which was shown to be equivalent to Amtoft and Banerjee's Hoare-style independence logic (SAS'04). Moreover, using the powerset lattice, it was shown how to derive a principal type from which all other types (for all choices of lattice) can be simply derived. Both of these earlier works gave "algorithmic" formulations of the type system/program logic, but both algorithms are of exponential complexity due to the iterative typing of While loops. Later work by Hunt and Sands (ESOP'08) adapted the FST system to provide an erasure type system which determines whether some input is correctly erased at a designated time. This type system is inherently exponential, requiring a double typing of the erasure-labelled input command. In this paper we start by developing the FST work in two key ways: (1) We specialise the FST system to a form which only derives principal types; the resulting type system has a simple algorithmic reading, yielding principal security types in polynomial time. (2) We show how the FST system can be simply extended to check for various degrees of termination sensitivity (the original FST system is completely termination insensitive, while the erasure type system is fully termination sensitive). We go on to demonstrate the power of these techniques by combining them to develop a type system which is shown to correctly implement erasure typing in polynomial time. Principality is used in an essential way to reduce type derivation size from exponential to linear.

show abstract

“…Finally, we sketch some related efforts and some future research directions. 2 An Overview of the Type System…”

Section: Introductionmentioning

confidence: 99%

A type-based approach to program security

Volpano

Smith

1997

Lecture Notes in Computer Science

147

131

View full text Add to dashboard Cite

Abstract. This paper presents a type system which guarantees that well-typed programs in a procedural programming language satisfy a noninterference security property. With all program inputs and outputs classified at various security levels, the property basically states that a program output, classified at some level, can never change as a result of modifying only inputs classified at higher levels. Intuitively, this means the program does not "leak" sensitive data. The property is similar to a notion introduced years ago by Goguen and Meseguer to model security in multi-level computer systems [7]. We also give an algorithm for inferring and simplifying principal types, which document the security requirements of programs.

show abstract

An Axiomatic Approach to Information Flow in Programs

Cited by 129 publications

References 11 publications

Dynamic vs. Static Flow-Sensitive Security Analysis

Dynamic vs. Static Flow-Sensitive Security Analysis

From Exponential to Polynomial-Time Security Typing via Principal Types

A type-based approach to program security

Contact Info

Product

Resources

About