JFlow: practical mostly-static information flow control
Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
A semantic approach to secure information flow
Science of Computer Programming - Special issue on mathematics of program construction
A sound type system for secure flow analysis
Journal of Computer Security
Certification of programs for secure information flow
Communications of the ACM
A Per Model of Secure Information Flow in Sequential Programs
ESOP '99 Proceedings of the 8th European Symposium on Programming Languages and Systems
Eliminating Covert Flows with Minimum Typings
CSFW '97 Proceedings of the 10th IEEE workshop on Computer Security Foundations
High Integrity Software: The SPARK Approach to Safety and Security
High Integrity Software: The SPARK Approach to Safety and Security
Enforcing security and safety models with an information flow analysis tool
Proceedings of the 2004 annual ACM SIGAda international conference on Ada: The engineering of correct and reliable software for real-time & distributed systems using Ada and related technologies
A Temporal Logic Characterisation of Oservational Determinism
CSFW '06 Proceedings of the 19th IEEE workshop on Computer Security Foundations
Fast probabilistic simulation, nontermination, and secure information flow
Proceedings of the 2007 workshop on Programming languages and analysis for security
Gradual Release: Unifying Declassification, Encryption and Key Release Policies
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Expressive Declassification Policies and Modular Static Enforcement
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Automata-based confidentiality monitoring
ASIAN'06 Proceedings of the 11th Asian computing science conference on Advances in computer science: secure software and related issues
Adversaries and information leaks (Tutorial)
TGC'07 Proceedings of the 3rd conference on Trustworthy global computing
Cryptographically-Masked flows
SAS'06 Proceedings of the 13th international conference on Static Analysis
ESOP '09 Proceedings of the 18th European Symposium on Programming Languages and Systems: Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2009
Non-Interference for Deterministic Interactive Programs
Formal Aspects in Security and Trust
AuraConf: a unified approach to authorization and confidentiality
Proceedings of the 7th ACM SIGPLAN workshop on Types in language design and implementation
Unifying facets of information integrity
ICISS'10 Proceedings of the 6th international conference on Information systems security
From exponential to polynomial-time security typing via principal types
ESOP'11/ETAPS'11 Proceedings of the 20th European conference on Programming languages and systems: part of the joint European conferences on theory and practice of software
Flexible dynamic information flow control in Haskell
Proceedings of the 4th ACM symposium on Haskell
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
A multi-compositional enforcement on information flow security
ICICS'11 Proceedings of the 13th international conference on Information and communications security
Multiple facets for dynamic information flow
POPL '12 Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Non-termination and secure information flow
Mathematical Structures in Computer Science - Programming Language Interference and Dependence
Limiting information leakage in event-based communication
Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security
From dynamic to static and back: riding the roller coaster of information-flow control research
PSI'09 Proceedings of the 7th international Andrei Ershov Memorial conference on Perspectives of Systems Informatics
A semantic framework for declassification and endorsement
ESOP'10 Proceedings of the 19th European conference on Programming Languages and Systems
Runtime enforcement of information flow security in tree manipulating processes
ESSoS'12 Proceedings of the 4th international conference on Engineering Secure Software and Systems
Language-based control and mitigation of timing channels
Proceedings of the 33rd ACM SIGPLAN conference on Programming Language Design and Implementation
Gained and Excluded Private Actions by Process Observations
Fundamenta Informaticae - Concurrency Specification and Programming (CS&P)
Addressing covert termination and timing channels in concurrent information flow systems
Proceedings of the 17th ACM SIGPLAN international conference on Functional programming
Precise enforcement of progress-sensitive security
Proceedings of the 2012 ACM conference on Computer and communications security
Towards a practical secure concurrent language
Proceedings of the ACM international conference on Object oriented programming systems languages and applications
Enforcing information flow policies by a three-valued analysis
MMM-ACNS'12 Proceedings of the 6th international conference on Mathematical Methods, Models and Architectures for Computer Network Security: computer network security
Faceted execution of policy-agnostic programs
Proceedings of the Eighth ACM SIGPLAN workshop on Programming languages and analysis for security
A verified information-flow architecture
Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
Journal of Computer Security - CSF 2010
Hi-index | 0.00 |
Current tools for analysing information flow in programs build upon ideas going back to Denning's work from the 70's. These systems enforce an imperfect notion of information flow which has become known as termination-insensitive noninterference. Under this version of noninterference, information leaks are permitted if they are transmitted purely by the program's termination behaviour (i.e., whether it terminates or not). This imperfection is the price to pay for having a security condition which is relatively liberal (e.g. allowing while-loops whose termination may depend on the value of a secret) and easy to check. But what is the price exactly? We argue that, in the presence of output, the price is higher than the "one bit" often claimed informally in the literature, and effectively such programs can leak all of their secrets. In this paper we develop a definition of termination-insensitive noninterference suitable for reasoning about programs with outputs. We show that the definition generalises "batch-job" style definitions from the literature and that it is indeed satisfied by a Denning-style program analysis with output. Although more than a bit of information can be leaked by programs satisfying this condition, we show that the best an attacker can do is a brute-force attack, which means that the attacker cannot reliably (in a technical sense) learn the secret in polynomial time in the size of the secret. If we further assume that secrets are uniformly distributed, we show that the advantage the attacker gains when guessing the secret after observing a polynomial amount of output is negligible in the size of the secret.