DOI: 10.5555/872752.873524
Article

Robust Declassification

Published: 11 June 2001

Abstract

Security properties based on information flow, such as noninterference, provide strong guarantees that confidentiality is maintained. However, programs often need to leak some amount of confidential information in order to serve their intended purpose, and thus violate noninterference. Real systems that control information flow often include mechanisms for downgrading or declassifying information; however, declassification can easily result in the unexpected release of confidential information. This paper introduces a formal model of information flow in systems that include intentional information leaks and shows how to characterize what information leaks. Further, we define a notion of robustness for systems that include information leaks introduced by declassification. Robust systems have the property that an attacker is unable to exploit declassification channels to obtain more confidential information than was intended to be released. We show that all systems satisfying a noninterference-like property are robust; for other systems, robustness involves a nontrivial interaction between confidentiality and integrity properties. We expect this model to provide new tools for the characterization of information flow properties in the presence of intentional information leaks.
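The abstract's key point, that robustness ties confidentiality to integrity, can be seen in a small label-tracking model. The Python below is an added illustration, not code from the paper or its authors: it tags every value with a confidentiality bit and an integrity bit, and refuses a declassification whenever the released data, or the control context that decided to release it, depends on attacker-controlled (low-integrity) input. That enforcement rule, the helper names, and the sample records are all assumptions made for this example; the paper defines robustness over a formal system model rather than this check.

```python
# Added illustration of robust declassification (not the paper's model).
# Every value carries a confidentiality bit and an integrity bit; a
# declassification is refused when its data or its triggering decision
# could be steered by low-integrity (attacker-influenced) input. This
# rule is an assumption of the example, as are all names and sample data.
from dataclasses import dataclass
from typing import Any, Callable


class RobustnessViolation(Exception):
    """A declassification that attacker-influenced input could steer."""


@dataclass(frozen=True)
class Labeled:
    value: Any
    secret: bool    # confidentiality: True = confidential, False = public
    trusted: bool   # integrity: True = trusted, False = attacker-influenced


# Control context (pc) of code whose decisions no attacker has influenced.
PUBLIC_TRUSTED = Labeled(None, secret=False, trusted=True)


def compute(fn: Callable[..., Any], *args: Labeled) -> Labeled:
    """Apply fn to labeled inputs. The result is secret if any input is
    secret and trusted only if every input is trusted (the label join)."""
    return Labeled(
        value=fn(*(a.value for a in args)),
        secret=any(a.secret for a in args),
        trusted=all(a.trusted for a in args),
    )


def declassify(x: Labeled, pc: Labeled) -> Labeled:
    """Robust declassification: release x to public observers only when
    neither the data nor the control context (pc) that chose to release
    it carries attacker influence."""
    if not (x.trusted and pc.trusted):
        raise RobustnessViolation("declassification depends on untrusted input")
    return Labeled(x.value, secret=False, trusted=x.trusted)


def declassify_unchecked(x: Labeled) -> Labeled:
    """Non-robust declassification: lowers confidentiality, no integrity check."""
    return Labeled(x.value, secret=False, trusted=x.trusted)


# Constructed sample data: confidential records held by trusted code.
RECORDS = Labeled(["alice:1234", "bob:5678", "carol:9012"], secret=True, trusted=True)


def intended_release(records: Labeled = RECORDS) -> Any:
    """The release the policy intends: only how many records exist."""
    return declassify(compute(len, records), pc=PUBLIC_TRUSTED).value


def pick_record(records: Labeled, attacker_index: Labeled, robust: bool) -> Any:
    """Attacker-chosen index flows into the declassified value. The non-robust
    system lets the attacker choose which record is released; the robust one
    refuses because the selected data inherits the index's low integrity."""
    chosen = compute(lambda recs, i: recs[i % len(recs)], records, attacker_index)
    if robust:
        return declassify(chosen, pc=PUBLIC_TRUSTED).value
    return declassify_unchecked(chosen).value


def release_if(records: Labeled, attacker_flag: Labeled, robust: bool) -> Any:
    """The data itself is trusted, but the decision to release it is taken in
    a branch on attacker input, so the pc is untrusted. Robustness rejects
    this too: an attacker could otherwise toggle the leak at will."""
    pc = attacker_flag  # the pc label is the label of the branch condition
    if attacker_flag.value:
        released = declassify(records, pc) if robust else declassify_unchecked(records)
        return released.value
    return None


def demo() -> dict:
    """Run all configurations and return their outcomes for comparison."""
    attacker_index = Labeled(1, secret=False, trusted=False)
    attacker_flag = Labeled(True, secret=False, trusted=False)
    out = {"intended": intended_release()}
    for name, fn, arg in (("pick", pick_record, attacker_index),
                          ("release_if", release_if, attacker_flag)):
        out[f"{name}_non_robust"] = fn(RECORDS, arg, robust=False)
        try:
            out[f"{name}_robust"] = fn(RECORDS, arg, robust=True)
        except RobustnessViolation:
            out[f"{name}_robust"] = "refused"
    return out


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:22} {val}")
```

The intended release (the record count) goes through in both systems. In the non-robust system the two attacker-influenced paths release a chosen record or the whole table, which is exactly "more confidential information than was intended"; the robust check blocks both because a low-integrity value reached either the declassified data or the decision to declassify.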



Published In

CSFW '01: Proceedings of the 14th IEEE workshop on Computer Security Foundations, June 2001
Publisher: IEEE Computer Society, United States
Published: 11 June 2001

Cited By

  • Side-channel Elimination via Partial Control-flow Linearization. ACM Transactions on Programming Languages and Systems 45(2):1-43. doi:10.1145/3594736. Online publication date: 26-Jun-2023
  • Nickel. Proceedings of the 13th USENIX conference on Operating Systems Design and Implementation, pages 287-305. doi:10.5555/3291168.3291190. Online publication date: 8-Oct-2018
  • DATS - Data Containers for Web Applications. ACM SIGPLAN Notices 53(2):722-736. doi:10.1145/3296957.3173213. Online publication date: 19-Mar-2018
  • Prudent Design Principles for Information Flow Control. Proceedings of the 13th Workshop on Programming Languages and Analysis for Security, pages 17-23. doi:10.1145/3264820.3264824. Online publication date: 15-Oct-2018
  • HyperFlow. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pages 1583-1600. doi:10.1145/3243734.3243743. Online publication date: 15-Oct-2018
  • Abstract Non-Interference. ACM Transactions on Privacy and Security 21(2):1-31. doi:10.1145/3175660. Online publication date: 5-Feb-2018
  • DATS - Data Containers for Web Applications. Proceedings of the Twenty-Third International Conference on Architectural Support for Programming Languages and Operating Systems, pages 722-736. doi:10.1145/3173162.3173213. Online publication date: 19-Mar-2018
  • Future-dependent Flow Policies with Prophetic Variables. Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security, pages 29-42. doi:10.1145/2993600.2993603. Online publication date: 24-Oct-2016
  • Dynamic Enforcement of Dynamic Policies. Proceedings of the 10th ACM Workshop on Programming Languages and Analysis for Security, pages 28-41. doi:10.1145/2786558.2786563. Online publication date: 4-Jul-2015
  • It's My Privilege. Proceedings of the 11th International Workshop on Security and Trust Management - Volume 9331, pages 203-219. doi:10.1007/978-3-319-24858-5_13. Online publication date: 21-Sep-2015
