
Protecting privacy using the decentralized label model

Published: 01 October 2000

    Abstract

    Stronger protection is needed for the confidentiality and integrity of data, because programs containing untrusted code are the rule rather than the exception. Information flow control allows the enforcement of end-to-end security policies, but has been difficult to put into practice. This article describes the decentralized label model, a new label model for control of information flow in systems with mutual distrust and decentralized authority. The model improves on existing multilevel security models by allowing users to declassify information in a decentralized way, and by improving support for fine-grained data sharing. It supports static program analysis of information flow, so that programs can be certified to permit only acceptable information flows, while largely avoiding the overhead of run-time checking. The article introduces the language Jif, an extension to Java that provides static checking of information flow using the decentralized label model.




        Reviews

        Jonathan K. Millen

        The decentralized label model is a policy for labeling data in a computer system to preserve confidentiality and integrity. Its philosophical roots are in the Denning lattice model, in which static analysis of programming language statements uncovers both explicit and implicit information flows through a program from inputs to outputs. These labels are not the standard sensitivity/compartment lattice labels, but rather discretionary or owner-controlled labels like Graubart's reader/writer sets, which can be enforced, and which propagate when data is copied or computed. Instead of listing all (contributing) writers and all (permitted) readers, these labels specify each owner's policy as a list of permitted readers; combining data results in concatenating the owners' policies, and only principals in the intersection of the reader lists may read the data. By keeping the owners' policies separate, owners may relax their own policy, called "declassification." The rights of owners to do this, as well as to read data, are automatically acquired by their superiors in an "acts-for" hierarchy. These features make the proposed model more practical. Another important advance in practicality is the implementation as an extension of Java, called Jif, with a compiler that performs the static label checking. A separate dual model is needed to deal with integrity, and some trust still resides in the operating system to ensure that only checked programs can access protected data.
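The label algebra that the abstract summarizes and that Millen's review spells out (one policy per owner, concatenation of policies when data is combined, the intersection of the owners' reader lists, declassification by an owner of its own policy only, and the acts-for hierarchy) is small enough to execute. The Python below is an added example written for this page; it is not code from the paper, from Jif, or from any project, and the principals, the single acts-for edge, the labels and the authority sets are constructed. It treats an owner as an implicit reader of its own policy, implements the paper's relabeling rule (l1 ⊑ l2 when every policy of l1 is matched by a policy of l2 whose owner acts for the original owner and whose readers each act for some original reader) and checks declassification as l_from ⊑ l_to ⊔ L_A, where L_A carries one empty-reader policy per principal the process acts for.

```python
"""Minimal executable model of decentralized labels: owner policies, label join,
the acts-for hierarchy, the relabeling check and owner-limited declassification.
Added example; every name and label below is constructed for illustration."""

# A label is a frozenset of policies; a policy is (owner, frozenset(readers)).
# DLM syntax for the same thing: {alice: bob, carol; bob: alice}


def parse_label(text):
    """Parse '{o1: r1, r2; o2: r3}' into a frozenset of (owner, readers)."""
    body = text.strip().strip("{}")
    policies = set()
    for clause in (c.strip() for c in body.split(";")):
        if not clause:
            continue
        owner, _, readers = clause.partition(":")
        policies.add((owner.strip(),
                      frozenset(r.strip() for r in readers.split(",") if r.strip())))
    return frozenset(policies)


def format_label(label):
    """Render a label in DLM syntax, owners sorted so output is deterministic."""
    parts = []
    for owner, readers in sorted(label):
        parts.append(f"{owner}: {', '.join(sorted(readers))}" if readers else owner + ":")
    return "{" + "; ".join(parts) + "}"


class ActsForHierarchy:
    """Reflexive, transitive 'acts-for' relation built from direct edges."""

    def __init__(self, edges):
        # edges: iterable of (superior, inferior) meaning superior acts for inferior
        self._directly_for = {}
        for superior, inferior in edges:
            self._directly_for.setdefault(superior, set()).add(inferior)

    def acts_for(self, p, q):
        """True if p may act for q: p == q, or a chain of edges leads from p to q."""
        seen, stack = set(), [p]
        while stack:
            cur = stack.pop()
            if cur == q:
                return True
            if cur in seen:
                continue
            seen.add(cur)
            stack.extend(self._directly_for.get(cur, ()))
        return False


def join(l1, l2):
    """Combining data combines its labels: the union of all owners' policies."""
    return l1 | l2


def policy_readers(policy):
    """Principals a single policy names as readers; the owner is always one."""
    owner, readers = policy
    return readers | {owner}


def effective_readers(label, hierarchy, principals):
    """Principals who may read the data: those who act for a reader (or the owner)
    of every policy, i.e. the intersection of the owners' reader lists."""
    return {p for p in principals
            if all(any(hierarchy.acts_for(p, r) for r in policy_readers(pol))
                   for pol in label)}


def policy_enforces(j, i, hierarchy):
    """Policy j is at least as restrictive as policy i: j's owner acts for i's
    owner, and every reader j grants could already read under i."""
    return (hierarchy.acts_for(j[0], i[0]) and
            all(any(hierarchy.acts_for(rj, ri) for ri in policy_readers(i))
                for rj in policy_readers(j)))


def at_least_as_restrictive(l1, l2, hierarchy):
    """l1 ⊑ l2: data labelled l1 may flow into a slot labelled l2 because every
    policy in l1 is enforced by some policy in l2. This is the relabeling check."""
    return all(any(policy_enforces(j, i, hierarchy) for j in l2) for i in l1)


def may_declassify(l_from, l_to, authority, hierarchy):
    """Decentralized declassification: a process acting for the principals in
    `authority` may weaken only their policies. Checked as l_from ⊑ l_to ⊔ L_A,
    where L_A holds one empty-reader policy per authority principal."""
    l_auth = frozenset((p, frozenset()) for p in authority)
    return at_least_as_restrictive(l_from, join(l_to, l_auth), hierarchy)


if __name__ == "__main__":
    h = ActsForHierarchy([("manager", "alice")])   # constructed: manager acts for alice
    everyone = {"alice", "bob", "carol", "manager"}
    salary = parse_label("{alice: bob, carol}")
    review = parse_label("{bob: alice}")
    both = join(salary, review)                      # data computed from both inputs
    print(format_label(both), "readable by", sorted(effective_readers(both, h, everyone)))
    print(at_least_as_restrictive(salary, parse_label("{alice: bob}"), h))  # fewer readers: allowed
    print(at_least_as_restrictive(parse_label("{alice: bob}"), salary, h))  # more readers: rejected
    print(may_declassify(both, review, {"alice"}, h))    # alice drops her own policy: allowed
    print(may_declassify(both, salary, {"alice"}, h))    # alice cannot drop bob's policy
    print(may_declassify(both, review, {"manager"}, h))  # manager acts for alice: allowed
```

The last three calls are the decentralized part: the same relabeling check, run against the authority label L_A, lets a process discard or weaken only the policies of principals it acts for, and carol, who is a reader in alice's policy, is still excluded from the joined data by bob's policy. The Jif compiler described in the abstract performs this check statically; here it runs at call time so the rule can be exercised directly.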


        Published In

        ACM Transactions on Software Engineering and Methodology  Volume 9, Issue 4
        Oct. 2000
        188 pages
        ISSN:1049-331X
        EISSN:1557-7392
        DOI:10.1145/363516

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        Published: 01 October 2000
        Published in TOSEM Volume 9, Issue 4


        Author Tags

        1. confidentiality
        2. declassification
        3. downgrading
        4. end-to-end
        5. information flow controls
        6. integrity
        7. lattice
        8. policies
        9. principals
        10. roles
        11. type checking

        Qualifiers

        • Article


        Article Metrics

        • Downloads (Last 12 months)230
        • Downloads (Last 6 weeks)23
        Reflects downloads up to 27 Jul 2024


        Cited By

        • (2024) Towards a GDPR-compliant cloud architecture with data privacy controlled through sticky policies. PeerJ Computer Science 10, e1898. doi:10.7717/peerj-cs.1898
        • (2024) Declassification Policy for Program Complexity Analysis. Proceedings of the 39th Annual ACM/IEEE Symposium on Logic in Computer Science, 1-14. doi:10.1145/3661814.3662100
        • (2024) Student Research Abstract: Least Privilege Persistent-Storage Access in Web Browsers. Proceedings of the 39th ACM/SIGAPP Symposium on Applied Computing, 1797-1799. doi:10.1145/3605098.3635173
        • (2024) Assuring GDPR Conformance Through Language-Based Compliance. Privacy and Identity Management. Sharing in a Digital World, 46-63. doi:10.1007/978-3-031-57978-3_4
        • (2024) Integrating Data Privacy Compliance in Active Object Languages. Active Object Languages: Current Research Trends, 263-288. doi:10.1007/978-3-031-51060-1_10
        • (2024) A Data Protection Design for Online Exam Proctoring in Compliance with the Indonesian Personal Data Protection Law. Intelligent Systems and Applications, 523-535. doi:10.1007/978-3-031-47715-7_36
        • (2024) A Review of Code Vulnerability Detection Techniques Based on Static Analysis. Computational and Experimental Simulations in Engineering, 251-272. doi:10.1007/978-3-031-44947-5_21
        • (2023) Flow-limited authorization for consensus, replication, and secret sharing. Journal of Computer Security 31(5), 615-645. doi:10.3233/JCS-230048
        • (2023) Data-Dependent Confidentiality in DCR Graphs. Proceedings of the 25th International Symposium on Principles and Practice of Declarative Programming, 1-13. doi:10.1145/3610612.3610619
        • (2023) HasTEE: Programming Trusted Execution Environments with Haskell. Proceedings of the 16th ACM SIGPLAN International Haskell Symposium, 72-88. doi:10.1145/3609026.3609731
