Downgrading policies and relaxed noninterference

LiPeng,; ZdancewicSteve,

doi:10.1145/1047659.1040319

Cited by 51 publications

(79 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is claimed to be closely related to intransitive noninterference (discussed below). Here, however, we argue that the lattice of labels from [42] is closely related to the lattice of equivalence relations, and thus the class of declassification properties that can be expressed is similar to the equivalence-relation class. The semantic interpretation of a label l [42, Def.…”

Section: Relaxed Noninterferencementioning

confidence: 83%

“…Li and Zdancewic [42] express downgrading policies by labelling subprograms with sets of lambda-terms which specify how an integer can be leaked. 4 They show that these labels form a lattice based on the amount of information that they leak.…”

Section: Relaxed Noninterferencementioning

confidence: 99%

“…In [42] the equality relation (≡) in the above definition is taken to be a particular decidable syntactic equivalence. We will refer to this original definition as an intensional interpretation of labels.…”

Section: Relaxed Noninterferencementioning

confidence: 99%

“…This should guarantee that the attacker cannot leak secrets faster than if he literally used the policy functions. However, it should be noted that the syntactic equivalence from [42] (which include, amongst other things, callby-name β-equivalence) is not complexity-preserving for the call-by-value computation model used therein. See [72] for an exploration of complexity preservation issues.…”

Section: Relaxed Noninterferencementioning

confidence: 99%

“…This argument applies to partial release [16,27,28,38,70] and delimited release [68]. 7 Relaxed noninterference [42] aims to provide more than just "what" properties, and does so through the use of a decidable notion of equivalence (as discussed in Section 2.1). Thus semantic consistency fails when we transform outside of this relation.…”

Section: What: Models Capturing What Is Released Are Generally Semantmentioning

confidence: 99%

See 4 more Smart Citations

Declassification: Dimensions and principles

Sabelfeld

Sands

2009

JCS

173

167

View full text Add to dashboard Cite

Computing systems often deliberately release (or declassify) sensitive information. A principal security concern for systems permitting information release is whether this release is safe: is it possible that the attacker compromises the information release mechanism and extracts more secret information than intended? While the security community has recognised the importance of the problem, the state-of-the-art in information release is, unfortunately, a number of approaches with somewhat unconnected semantic goals. We provide a road map of the main directions of current research, by classifying the basic goals according to what information is released, who releases information, where in the system information is released and when information can be released. With a general declassification framework as a longterm goal, we identify some prudent principles of declassification. These principles shed light on existing definitions and may also serve as useful "sanity checks" for emerging models.1 Note that in this article we will refer to both intentional, meaning deliberate, and intensional, meaning the opposite of extensional, when discussing declassification.A. Sabelfeld and D. Sands / Declassification: Dimensions and principles 519 clear distinctions, seeking to crystallise the security assurance provided by some known approaches.• Secondly, we identify some common semantic principles for declassification mechanisms:semantic consistency, which states that security definitions should be invariant under equivalence-preserving transformations; conservativity, which states that the definition of security should be a weakening of noninterference; monotonicity of release, which states that adding declassification annotations cannot make a secure program become insecure. Roughly speaking: the more you choose to declassify, the weaker the security guarantee; and non-occlusion, which states that the presence of declassifications cannot mask other covert information leaks.These principles help shed light on existing approaches and should also serve as useful "sanity checks" for emerging models.This article is a revised and extended version of a paper published in the IEEE Computer Security Foundations Workshop 2005 [71]. Compared to the earlier version, we overview some new work on declassification that has appeared under 2005 [32,34,35,37,43,50], consider "why" and "how" as other possible dimensions of declassification, sketch challenges for enforcing declassification policies along the dimensions, discuss dimensions of endorsement (the dual of declassification for integrity), and make other changes and improvements throughout. Dimensions of declassificationThis section provides a classification of the basic declassification goals according to four axes: what information is released, who releases information, where in the system information is released and when information can be released. WhatPartial, or selective, information flow policies [15,16,27,28,38,70] regulate what information may be released. Partial release g...

show abstract

Section: Relaxed Noninterferencementioning

confidence: 83%

Section: Relaxed Noninterferencementioning

confidence: 99%

Section: Relaxed Noninterferencementioning

confidence: 99%

Section: Relaxed Noninterferencementioning

confidence: 99%

Section: What: Models Capturing What Is Released Are Generally Semantmentioning

confidence: 99%

See 3 more Smart Citations

Declassification: Dimensions and principles

Sabelfeld

Sands

2009

JCS

173

167

View full text Add to dashboard Cite

show abstract

Security-Typed Languages for Implementation of Cryptographic Protocols: A Case Study

Askarov

Sabelfeld

2005

Computer Security – ESORICS 2005

View full text Add to dashboard Cite

Security protocols are critical for protecting modern communication infrastructures and are therefore subject to thorough analysis. However practical implementations of these protocols lack the same level of attention and thus may be more exposed to attacks. This paper discusses security assurance provided by security-typed languages when implementing cryptographic protocols. Our results are based on a case study using Jif, a Java-based security-typed language, for implementing a non-trivial cryptographic protocol that allows playing online poker without a trusted third party. The case study deploys the largest program written in a security-typed language to date and identifies insights ranging from security guarantees to useful patterns of secure programming.

show abstract

Provably Correct Runtime Enforcement of Non-interference Properties

Venkatakrishnan

DuVarney

et al. 2006

Information and Communications Security

View full text Add to dashboard Cite

Non-interference has become the standard criterion for ensuring confidentiality of sensitive data in the information flow literature. However, application of non-interference to practical software systems has been limited. This is partly due to the imprecision that is inherent in static analyses that have formed the basis of previous non-interference based techniques. Runtime approaches can be significantly more accurate than static analysis, and have often been more successful in practice. However, they can only reason about explicit information flows that take place via assignments in a program. Implicit flows that take place without involving assignments, and can be inferred from the structure and/or semantics of the program, are missed by runtime techniques. This paper seeks to bridge the gap between the accuracy provided by runtime techniques and the completeness provided by static analysis techniques. In particular, we develop a hybrid technique that relies primarily on runtime information-flow tracking, but augments it with static analysis to reason about implicit flows that arise due to unexecuted paths in a program. We prove that the resulting technique preserves non-interference, while providing some of the traditional benefits of dynamic analysis such as improved accuracy.

show abstract

Downgrading policies and relaxed noninterference

Cited by 51 publications

References 23 publications

Declassification: Dimensions and principles

Declassification: Dimensions and principles

Security-Typed Languages for Implementation of Cryptographic Protocols: A Case Study

Provably Correct Runtime Enforcement of Non-interference Properties

Contact Info

Product

Resources

About