Expressive and enforceable information security policies

  • Authors:
  • Andrew Myers;Stephen Nathaniel Chong

  • Affiliations:
  • Cornell University;Cornell University

  • Venue:
  • Expressive and enforceable information security policies
  • Year:
  • 2008

Abstract

Declassification and erasure are both common, and often crucial, security requirements. Declassification occurs when the confidentiality of information is weakened; erasure occurs when the confidentiality of information is strengthened, perhaps to the point of completely removing the information from the system. This dissertation presents and explores a framework for declassification and erasure information security policies, and it shows how these policies can help in building trustworthy systems. First, this dissertation demonstrates that the declassification and erasure policies can be provably enforced. It presents a type system that, in conjunction with run-time mechanisms, can enforce the declassification and erasure policies on information from the start of the program until its termination, regardless of how the information propagates through the system, or where it enters and leaves. The dissertation defines a novel, precise, end-to-end semantic security condition, noninterference according to policy, and proves that all well-typed programs satisfy it. Thus, enforcement of declassification and erasure policies provides well-defined security guarantees. Second, this dissertation investigates declassification and erasure in the presence of mutual distrust: the principals with a security concern in the system do not necessarily trust each other. Mutual distrust is pervasive. The dissertation defines decentralized robustness, a semantic security condition that ensures that each principal is convinced declassification and erasure occur only at appropriate times, regardless of the actions of principals he distrusts. A type system to enforce decentralized robustness is presented. Finally, this dissertation demonstrates the practicality of declassification and erasure policies. The enforcement mechanisms for the policies and decentralized robustness are incorporated into the Jif programming language (an extension of the Java programming language with information-flow control). The resulting language is used to implement a secure remote voting system. The use of erasure and declassification policies provides additional assurance that the voting system implementation satisfies some of its security requirements.
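To make the three ideas in the abstract concrete (declassification and erasure policies conditioned on events, enforcement that follows information wherever it flows, and robustness against distrusted principals), the following is an added toy run-time monitor. It is an illustration written for this page, not the dissertation's type system, its formal policy ordering, or Jif: the policy shapes ("declassify p to q once c holds", "erase p to q once c holds") mirror the framework's, but the flow rule, the condition-owner trust model, and the voting-style scenario (`ballot`, `tally`, the principals and condition names) are assumptions made here.

```python
"""Toy run-time monitor for declassification and erasure policies.

Added illustration only: not the dissertation's type system, its policy
ordering, or Jif. The flow rule and the principal/condition trust model
are simplifying assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Union

# Confidentiality lattice: PUBLIC < SECRET < TOP (TOP: readable by nobody).
PUBLIC, SECRET, TOP = 0, 1, 2


@dataclass(frozen=True)
class Declassify:
    """Data at level `frm` may be relabelled to `to` once condition `cond` holds."""
    frm: int
    cond: str
    to: int


@dataclass(frozen=True)
class Erase:
    """Data at level `frm` must be raised to `to` (TOP = removed) once `cond` holds."""
    frm: int
    cond: str
    to: int


Policy = Union[int, Declassify, Erase]


class PolicyViolation(Exception):
    pass


@dataclass
class Cell:
    policy: Policy
    value: Optional[object]


class Monitor:
    def __init__(self, condition_owners: Dict[str, Set[str]]):
        # cond -> principals trusted to assert it. Assumption standing in for
        # robustness: a distrusted principal must not be able to trigger a
        # declassification or suppress an erasure.
        self.owners = condition_owners
        self.conds: Dict[str, bool] = {c: False for c in condition_owners}
        self.cells: Dict[str, Cell] = {}

    def level(self, p: Policy) -> int:
        """Current confidentiality level of a policy under the known conditions."""
        if isinstance(p, int):
            return p
        if isinstance(p, Declassify):
            return p.frm  # declassification is an explicit step, not automatic
        return max(p.frm, p.to) if self.conds.get(p.cond) else p.frm

    @staticmethod
    def obligations(p: Policy):
        return {(p.cond, p.to)} if isinstance(p, Erase) else set()

    def may_flow(self, src: Policy, dst: Policy) -> bool:
        """Assumed flow rule: dst is at least as secret now, and carries every
        erasure obligation of src, so erasure follows the data wherever it goes."""
        if self.level(src) > self.level(dst):
            return False
        return all(any(oc == c and ol >= lvl for oc, ol in self.obligations(dst))
                   for c, lvl in self.obligations(src))

    def store(self, name: str, value, policy: Policy) -> None:
        self.cells[name] = Cell(policy, value)

    def assign(self, dst: str, src: str) -> None:
        s, d = self.cells[src], self.cells[dst]
        if not self.may_flow(s.policy, d.policy):
            raise PolicyViolation(f"{src} -> {dst} violates policy")
        d.value = s.value

    def read(self, name: str, reader_level: int):
        c = self.cells[name]
        if self.level(c.policy) > reader_level:
            raise PolicyViolation(f"reader at {reader_level} may not read {name}")
        return c.value

    def set_condition(self, cond: str, principal: str) -> None:
        if principal not in self.owners.get(cond, set()):
            raise PolicyViolation(f"{principal} may not assert {cond}")
        self.conds[cond] = True
        # Erasure is enforced at once: every cell erasing on this condition is
        # relabelled, and overwritten when the target is TOP.
        for c in self.cells.values():
            if isinstance(c.policy, Erase) and c.policy.cond == cond:
                if c.policy.to == TOP:
                    c.value = None
                c.policy = c.policy.to

    def declassify(self, name: str, principal: str) -> None:
        c = self.cells[name]
        if not isinstance(c.policy, Declassify):
            raise PolicyViolation(f"{name} has no declassification policy")
        if not self.conds.get(c.policy.cond):
            raise PolicyViolation(f"condition {c.policy.cond} does not hold")
        if principal not in self.owners[c.policy.cond]:
            raise PolicyViolation(f"{principal} may not declassify {name}")
        c.policy = c.policy.to


def attempt(op) -> str:
    try:
        op()
        return "ok"
    except PolicyViolation:
        return "rejected"


def demo() -> dict:
    """Constructed scenario loosely modelled on a voting system (assumption)."""
    m = Monitor({"polls_closed": {"election_authority"}, "tallied": {"tallier"}})
    m.store("ballot", "candidate B", Erase(SECRET, "tallied", TOP))
    m.store("tally", 42, Declassify(SECRET, "polls_closed", PUBLIC))
    m.store("log", None, SECRET)
    m.store("work", None, Erase(SECRET, "tallied", TOP))
    out = {}
    out["copy_to_plain_secret"] = attempt(lambda: m.assign("log", "ballot"))
    out["copy_to_erasing_cell"] = attempt(lambda: m.assign("work", "ballot"))
    out["early_declassify"] = attempt(lambda: m.declassify("tally", "election_authority"))
    out["untrusted_sets_condition"] = attempt(lambda: m.set_condition("polls_closed", "voter"))
    out["public_read_before"] = attempt(lambda: m.read("tally", PUBLIC))
    m.set_condition("polls_closed", "election_authority")
    m.declassify("tally", "election_authority")
    out["public_read_after"] = m.read("tally", PUBLIC)
    m.set_condition("tallied", "tallier")
    out["ballot_after_erasure"] = (m.cells["ballot"].value, m.cells["work"].value)
    out["secret_reads_erased"] = attempt(lambda: m.read("ballot", SECRET))
    return out
```

Two points the scenario brings out: copying the ballot into a plain `SECRET` cell is rejected because the destination would not inherit the erasure obligation, which is the "regardless of how the information propagates" property stated informally above; and the tally cannot be declassified until the owning principal asserts `polls_closed`, while a `voter` asserting it is refused, which is the flavour of guarantee decentralized robustness provides. A static type system, as in the dissertation, would reject the bad flows at compile time rather than at run time as this monitor does.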