Using Architecture to Reason about Information Security

Published: 09 December 2015

Abstract

We demonstrate, by a number of examples, that information flow security properties can be proved from abstract architectural descriptions, which describe only the causal structure of a system and local properties of trusted components. We specify these architectural descriptions of systems by generalizing intransitive noninterference policies to admit the ability to filter information passed between communicating domains. A notion of refinement of such system architectures is developed that supports top-down development of architectural specifications and proofs by abstraction of information security properties. We also show that, in a concrete setting where the causal structure is enforced by access control, a static check of the access control setting plus local verification of the trusted components is sufficient to prove that a generalized intransitive noninterference policy is satisfied.
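The last sentence of the abstract describes a static check of an access control setting against an intransitive noninterference policy. The following is an added illustration, not code from the paper or its authors: it implements the check in the form of Rushby's classic reference-monitor condition (from his 1992 report "Noninterference, Transitivity, and Channel-Control Security Policies"), namely that whenever some domain may write an object that another domain may read, the policy must permit the writer to interfere with the reader. The policy relation, the domains H, D and L, and the object names are constructed inputs; the paper's generalization to filtered flows is not modelled, so this is the plain (unfiltered) case, and the trusted downgrader D still needs the local verification the abstract mentions.

```python
"""Static check of an access control matrix against an intransitive
noninterference policy (added example; not the paper's own code).

The check is structural: it looks only at who may read and write each
object, never at what the trusted components actually compute.
"""
from itertools import product

# Policy: pairs (source, destination) meaning "source may interfere with
# destination". Constructed example: the classic downgrader architecture
# H -> D -> L, with no direct H -> L edge. Reflexive pairs are included
# because every domain may interfere with itself.
POLICY = {("H", "H"), ("D", "D"), ("L", "L"), ("H", "D"), ("D", "L")}

# Access control setting (constructed): for each object, the domains that
# may read it and the domains that may write it. H writes "secret", the
# downgrader D reads "secret" and writes "released", L reads "released".
ACCESS = {
    "secret":   {"read": {"H", "D"}, "write": {"H"}},
    "released": {"read": {"D", "L"}, "write": {"D"}},
}

# A second constructed setting in which L has been (wrongly) granted read
# access to the secret object, so information can bypass the downgrader.
BROKEN_ACCESS = {
    "secret":   {"read": {"H", "D", "L"}, "write": {"H"}},
    "released": {"read": {"D", "L"}, "write": {"D"}},
}


def check_access_control(policy, access):
    """Return the list of violations of the reference-monitor condition.

    A violation is a triple (writer, reader, obj): `writer` may write `obj`,
    `reader` may read `obj`, but the policy does not allow writer ~> reader.
    An empty list means the access setting enforces the policy's causal
    structure, so only the trusted components remain to be verified.
    """
    violations = []
    for obj, perms in access.items():
        for writer, reader in product(perms["write"], perms["read"]):
            if (writer, reader) not in policy:
                violations.append((writer, reader, obj))
    return violations


def domains_not_in_policy(policy, access):
    """Domains that appear in the access setting but in no policy pair.

    Such a domain would pass the check above vacuously, so a practitioner
    should treat it as a configuration error rather than as 'secure'.
    """
    policy_domains = {d for pair in policy for d in pair}
    access_domains = {d for perms in access.values()
                      for side in ("read", "write") for d in perms[side]}
    return sorted(access_domains - policy_domains)


if __name__ == "__main__":
    for name, setting in (("ACCESS", ACCESS), ("BROKEN_ACCESS", BROKEN_ACCESS)):
        print(name, "violations:", check_access_control(POLICY, setting))
        print(name, "unknown domains:", domains_not_in_policy(POLICY, setting))
```

Run as a script, the first setting reports no violations and the second reports the single triple `("H", "L", "secret")`, i.e. the direct H to L channel that the policy forbids. The check is deliberately conservative: it says nothing about whether D's filtering is correct, which is exactly the local verification obligation the abstract separates out.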

Supplementary Material

a8-chong-apndx.pdf (chong.zip)
Supplemental movie, appendix, image and software files for Using Architecture to Reason about Information Security


Cited By

• Nontransitive Security Types for Coarse-grained Information Flow Control. 2020 IEEE 33rd Computer Security Foundations Symposium (CSF), 199-213. DOI: 10.1109/CSF49147.2020.00022. Online publication date: Jul-2020.
• Component-Based Refinement and Verification of Information-Flow Security Policies for Cyber-Physical Microservice Architectures. 2019 IEEE International Conference on Software Architecture (ICSA), 61-70. DOI: 10.1109/ICSA.2019.00015. Online publication date: Mar-2019.
• CoSMed. Journal of Automated Reasoning 61:1-4, 113-139. DOI: 10.1007/s10817-017-9443-3. Online publication date: 1-Jun-2018.
• Towards Preserving Information Flow Security on Architectural Composition of Cyber-Physical Systems. Software Architecture, 147-155. DOI: 10.1007/978-3-030-00761-4_10. Online publication date: 15-Sep-2018.
• An Approach for Identifying and Analyzing Implicit Interactions in Distributed Systems. IEEE Transactions on Reliability 66:2, 529-546. DOI: 10.1109/TR.2017.2665164. Online publication date: Jul-2017.
• CoSMeDis: A Distributed Social Media Platform with Formally Verified Confidentiality Guarantees. 2017 IEEE Symposium on Security and Privacy (SP), 729-748. DOI: 10.1109/SP.2017.24. Online publication date: May-2017.


Published In

ACM Transactions on Information and System Security, Volume 18, Issue 2
December 2015
118 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/2807425

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 09 December 2015
Accepted: 01 September 2015
Revised: 01 September 2015
Received: 01 October 2014
Published in TISSEC Volume 18, Issue 2


Author Tags

1. Information flow security
2. epistemic logic
3. intransitive noninterference
4. system architecture

Qualifiers

• Research-article
• Research
• Refereed

Funding Sources

• Australian Research Council Discovery
• National Science Foundation
• Air Force Office of Scientific Research
