Information Flow Monitoring as Abstract Interpretation for Relational Logic

Abstract: A number of systems have been developed for dynamic information flow control (IFC). In such systems, the security policy is expressed by labeling input and output channels; it is enforced by tracking and checking labels on data. Systems have been proven to enforce some form of noninterference (NI), formalized as a property of two runs of the program. In practice, NI is too strong and it is desirable to enforce some relaxation of NI that allows downgrading under constraints that have been classified as 'what', … Show more

“…they both evaluate the conditional expression b to 1. The third basic form is conditional agreement [2], [23], Bb ⇒ Ae, which can be used to encode multilevel security policies as well as to encode conditional downgrading (e.g., [11], [20]).…”

“…We introduce a concrete monitoring semantics which serves as basis to define the security property by interpreting annotation commands with respect to both the actual execution (major run) and all possible alternatives (minor runs). Readers familiar with Chudnov et al [23] may see this as a principled account of their notion of "tracking set", adapted to denotational semantics. Sections IV and V derive monitors as abstract interpretations of this ideal monitor.…”

“…Chudnov et al [23] suggest that an IF monitor should be viewed as computing an abstract interpretation to account for alternate runs vis-à-vis the monitored run. The key observation is that typical IF policies are 2-safety [25]: a violation has the form of a pair of runs, so the monitored run (major run) need only be checked with respect to each alternate (minor run) individually.…”

“…This view offers a path to more sophisticated monitoring and systematic development of monitors for real world languages and platforms, and modular machine checked correctness proofs. But the paper [23] is devoid of Galois connections or other trappings of abstract interpretation! It offers only a rational reconstruction of an existing monitor for the simple while language, augmented with downgrading and intermediate release policies.…”

“…Contribution: ideal monitor We reformulate the idea of "tracking set" in Chudnov et al [23] as a novel variation of the standard notion of collecting semantics [28], which serves as specification for-and basis for deriving-static analyses. We generalize collecting semantics to depend on the major run, in an ideal monitor which we prove embodies checking of noninterference for the major execution.…”

Calculational Design of Information Flow Monitors

“…they both evaluate the conditional expression b to 1. The third basic form is conditional agreement [2], [23], Bb ⇒ Ae, which can be used to encode multilevel security policies as well as to encode conditional downgrading (e.g., [11], [20]).…”

“…We introduce a concrete monitoring semantics which serves as basis to define the security property by interpreting annotation commands with respect to both the actual execution (major run) and all possible alternatives (minor runs). Readers familiar with Chudnov et al [23] may see this as a principled account of their notion of "tracking set", adapted to denotational semantics. Sections IV and V derive monitors as abstract interpretations of this ideal monitor.…”

“…Chudnov et al [23] suggest that an IF monitor should be viewed as computing an abstract interpretation to account for alternate runs vis-à-vis the monitored run. The key observation is that typical IF policies are 2-safety [25]: a violation has the form of a pair of runs, so the monitored run (major run) need only be checked with respect to each alternate (minor run) individually.…”

“…This view offers a path to more sophisticated monitoring and systematic development of monitors for real world languages and platforms, and modular machine checked correctness proofs. But the paper [23] is devoid of Galois connections or other trappings of abstract interpretation! It offers only a rational reconstruction of an existing monitor for the simple while language, augmented with downgrading and intermediate release policies.…”

“…Contribution: ideal monitor We reformulate the idea of "tracking set" in Chudnov et al [23] as a novel variation of the standard notion of collecting semantics [28], which serves as specification for-and basis for deriving-static analyses. We generalize collecting semantics to depend on the major run, in an ideal monitor which we prove embodies checking of noninterference for the major execution.…”

Calculational Design of Information Flow Monitors

Monitoring Hyperproperties by Combining Static Analysis and Runtime Verification

Algorithms for Monitoring Hyperproperties