Flow-Limited Authorization

Arden, Owen; Liu, Jed; Myers, Andrew C.

doi:10.1109/csf.2015.42

Cited by 31 publications

(77 citation statements)

References 64 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Each example shows code that type-checks under existing informationflow type systems even though it contains insecure information flows, which we are able to characterize in a new way. These examples use the notation of the flow-limited authorization model (FLAM) [4], which offers an expressive way to state both information flow restrictions and authorization policies. However, the problems observed in these examples are not specific to FLAM; they arise in all previous information-flow models that support downgrading (e.g., [8,15,21,25,32,42,47]).…”

Section: Motivationmentioning

confidence: 99%

See 1 more Smart Citation

Nonmalleable Information Flow Control

Cecchetti

Myers

Arden

2017

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

Noninterference is a popular semantic security condition because it offers strong end-to-end guarantees, it is inherently compositional, and it can be enforced using a simple security type system. Unfortunately, it is too restrictive for real systems. Mechanisms for downgrading information are needed to capture real-world security requirements, but downgrading eliminates the strong compositional security guarantees of noninterference.We introduce nonmalleable information flow, a new formal security condition that generalizes noninterference to permit controlled downgrading of both confidentiality and integrity. While previous work on robust declassification prevents adversaries from exploiting the downgrading of confidentiality, our key insight is transparent endorsement, a mechanism for downgrading integrity while defending against adversarial exploitation. Robust declassification appeared to break the duality of confidentiality and integrity by making confidentiality depend on integrity, but transparent endorsement makes integrity depend on confidentiality, restoring this duality. We show how to extend a security-typed programming language with transparent endorsement and prove that this static type system enforces nonmalleable information flow, a new security property that subsumes robust declassification and transparent endorsement. Finally, we describe an implementation of this type system in the context of Flame, a flow-limited authorization plugin for the Glasgow Haskell Compiler. * Work done while at Harvard University arXiv:1708.08596v2 [cs.CR] 31 Aug 2017Proof. This follows by induction on the typing derivation for values.Lemma 2 (Substitution). If Γ, x : τ 1 ; pc $ e : τ and Γ; pc $ v : τ 1 , then Γ; pc $ erx Þ Ñ vs : τ .Proof. By induction on the derivation of Γ, x : τ 1 ; pc $ e : τ using Lemma 1.Lemma 3 (pc reduction). If Γ; pc $ e : τ and pc 1 Ď pc, then Γ; pc 1 $ e : τ .Proof. By induction on the derivation of Γ; pc $ e : τ .Theorem 8 (Subject reduction). If Γ; pc $ e : τ and xe, ty ÝÑ Ñ xe 1 , t 1 y then Γ; pc $ e 1 : τ .Proof. This proof follows by an inductive case analysis on the operational semantics in Figures 18 and 22. There are a few interesting cases.Case B-EXPAND: This case handles a context (B), we will do a sub-case analysis on each such expression type.

show abstract

Section: Motivationmentioning

confidence: 99%

“…T now uses its authority to declassify both bids and send them to all parties. Since both bids have high integrity, this declassification is legal according to existing typing rules introduced to enforce (qualified) robust declassification [4,10,26].…”

mentioning

confidence: 99%

Nonmalleable Information Flow Control

Cecchetti

Myers

Arden

2017

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…For this purpose, we use an authorization logic [2] based on the Flow-Limited Authorization Model (FLAM) [5]. We briefly describe our logic, highlighting where it differs from FLAM.…”

Section: Representing Authoritymentioning

confidence: 99%

“…Aura [20] and Fine [38] implement access control using proof-carrying authentication, where proofs of formulas in an authorization logic are used as capabilities [4]. Our access control logic is inspired by the Flow-Limited Authorization Model [5], which uses projections to describe attenuated authority without requiring additional constructs such as roles or groups.…”

Section: Inlined Reference Monitorsmentioning

confidence: 99%

“…Rule CLOSURE-LEFT shows that D ; r p ← D q holds when there is some principal s such that at the time of closure creation (i.e., with delegation set D ), s believed that p acted for q (premise D ; s p q), and moreover, right now (i.e., with delegation set D) principal r trusts principal To query whether a particular set of delegations satisfies an acts-for relation, we use a proof search algorithm adapted from FLAM [5]. We give examples of using delegations to implement different authorization mechanisms in Section 4.…”

Section: Representing Authoritymentioning

confidence: 99%

See 1 more Smart Citation

Extensible access control with authorization contracts

et al. 2016

View full text Add to dashboard Cite

Existing programming language access control frameworks do not meet the needs of all software components. We propose an expressive framework for implementing access control monitors for components. The basis of the framework is a novel concept: the authority environment. An authority environment associates rights with an execution context. The building blocks of access control monitors in our framework are authorization contracts: software contracts that manage authority environments. We demonstrate the expressiveness of our framework by implementing a diverse set of existing access control mechanisms and writing custom access control monitors for three realistic case studies.

show abstract

Adaptive Security Policies

Nielson

Hansen

Nielson

2020

Leveraging Applications of Formal Methods, Verification and Validation: Engineering Principles

View full text Add to dashboard Cite

We develop an approach to security of adaptive agents that is based on respecting the local security policies of agents rather than imposing a global security policy on all agents. In short, an agent can be assured, that it will not be able to observe any violation of its own security policy due to the changing presence of other agents in its environment. The development is performed for a version of Dijkstra's Guarded Commands with relocation primitives, channel based communication, and explicit non-determinism. At the technical level a type system enforces local security policies whereas a reference monitor ensures that relocation is permissible with local security of all agents.

show abstract

Flow-Limited Authorization

Cited by 31 publications

References 64 publications

Nonmalleable Information Flow Control

Nonmalleable Information Flow Control

Extensible access control with authorization contracts

Adaptive Security Policies

Contact Info

Product

Resources

About