Proceedings Article, DOI: 10.1109/SP.2008.20
Expressive Declassification Policies and Modular Static Enforcement
Anindya Banerjee, David A. Naumann, Stan Rosenberg, +2 more
- 18 May 2008
- pp 339-353
TL;DR: An end-to-end semantic property is introduced, based on a model that allows observations of intermediate low states as well as termination, and static enforcement is provided by combining type-checking with program verification techniques applied to the small subprograms that carry out declassifications.
Abstract: This paper provides a way to specify expressive declassification policies, in particular, when, what, and where policies that include conditions under which downgrading is allowed. Secondly, an end-to-end semantic property is introduced, based on a model that allows observations of intermediate low states as well as termination. An attacker's knowledge only increases at explicit declassification steps, and within limits set by policy. Thirdly, static enforcement is provided by combining type-checking with program verification techniques applied to the small subprograms that carry out declassifications. Enforcement is proved sound for a simple programming language and the extension to object-oriented programs is described.
Citations
Temporal Logics for Hyperproperties
Michael R. Clarkson, Bernd Finkbeiner, Masoud Koleini, Kristopher K. Micinski, Markus N. Rabe, César Sánchez, +5 more
- 05 Apr 2014
TL;DR: It is shown that the quantification over paths naturally subsumes other extensions of temporal Logic with operators for information flow and knowledge, and the model checking problem for temporal logic with path quantification is decidable.
Termination-Insensitive Noninterference Leaks More Than Just a Bit
Aslan Askarov, Sebastian Hunt, Andrei Sabelfeld, David Sands, +3 more
- 06 Oct 2008
TL;DR: This paper develops a definition of termination-insensitive noninterference suitable for reasoning about programs with outputs and shows that the definition generalises "batch-job" style definitions from the literature and that it is indeed satisfied by a Denning-style program analysis with output.
Algorithms for Model Checking HyperLTL and HyperCTL
Bernd Finkbeiner, Markus N. Rabe, César Sánchez, +2 more
- 18 Jul 2015
TL;DR: An automata-based algorithm for checking finite state systems for hyperproperties specified in HyperLTL and HyperCTL, and it is demonstrated that the approach enables the verification of real hardware designs for properties that could not be checked before.
A Perspective on Information-Flow Control
Daniel Hedin, Andrei Sabelfeld, +1 more
- 01 Jan 2011
TL;DR: This document gives an account of the state of the art in confidentiality and integrity policies and their enforcement, with a systematic formalization of four dominant formulations of noninterference: termination-insensitive, termination-sensitive, progress-insensitive, and progress-sensitive, cast in the setting of two minimal while languages.
Paralocks: role-based information flow control and beyond
Niklas Broberg, David Sands, +1 more
- 17 Jan 2010
TL;DR: This paper presents Paralocks, a language for building expressive but statically verifiable fine-grained information flow policies that combine the expressive power of Flow Locks with the ability to express policies involving run-time principles, roles, and relations.
References
- Book
Cryptography and data security
Dorothy E. Denning
- 01 Jan 1982
TL;DR: The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks.
JFlow: practical mostly-static information flow control
Andrew C. Myers
- 01 Jan 1999
TL;DR: The new language JFlow is described, an extension to the Java language that adds statically-checked information flow annotations and provides several new features that make information flow checking more flexible and convenient than in previous models.
A sound type system for secure flow analysis
TL;DR: This work formulates Denning's approach as a type system and presents a notion of soundness for the system that can be viewed as a form of noninterference.
Termination proofs for systems code
Byron Cook, Andreas Podelski, Andrey Rybalchenko, +2 more
- 11 Jun 2006
TL;DR: A new program termination prover is described that performs a path-sensitive and context-sensitive program analysis and provides capacity for large program fragments together with support for programming language features such as arbitrarily nested loops, pointers, function-pointers, side-effects, etc.
Noninterference, Transitivity, and Channel-Control Security Policies
John Rushby
- 01 Jan 2005
TL;DR: It is shown that transitive policies are precisely the "multilevel security" (MLS) policies, and that any MLS secure system satisfies the conditions of the unwinding theorem.
Related Papers (5)
Joseph A. Goguen, José Meseguer, +1 more
- 26 Apr 1982
Andrei Sabelfeld, David Sands, +1 more
- 01 Oct 2009