Enforcing robust declassification and qualified robustness

Authors:
Andrew C. Myers;Andrei Sabelfeld;Steve Zdancewic
Affiliations:
Department of Computer Science, Cornell University;Department of Computer Science, Chalmers University of Technology, Sweden and Cornell University;Department of Computer and Information Science, University of Pennsylvania
Venue:
Journal of Computer Security - Special issue on CSFW17
Year:
2006

Citing 38
Cited 29

The formal semantics of programming languages: an introduction

The formal semantics of programming languages: an introduction
A decentralized model for information flow control

Proceedings of the sixteenth ACM symposium on Operating systems principles
Secure information flow in a multi-threaded imperative language

POPL '98 Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
The SLam calculus: programming with secrecy and integrity

POPL '98 Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
A core calculus of dependency

Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Transforming out timing leaks

Proceedings of the 27th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Verifying secrets and relative secrecy

Proceedings of the 27th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
A semantic approach to secure information flow

Science of Computer Programming - Special issue on mathematics of program construction
Information flow inference for free

ICFP '00 Proceedings of the fifth ACM SIGPLAN international conference on Functional programming
Probabilistic noninterference in a concurrent language

Journal of Computer Security
A sound type system for secure flow analysis

Journal of Computer Security
Certification of programs for secure information flow

Communications of the ACM
A lattice model of secure information flow

Communications of the ACM
Protecting privacy using the decentralized label model

ACM Transactions on Software Engineering and Methodology (TOSEM)
Information flow inference for ML

POPL '02 Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Cryptography and data security

Cryptography and data security
Secure program partitioning

ACM Transactions on Computer Systems (TOCS)
A Per Model of Secure Information Flow in Sequential Programs

Higher-Order and Symbolic Computation
Connection policies and controlled interference

CSFW '95 Proceedings of the 8th IEEE workshop on Computer Security Foundations
What is Intransitive Noninterference?

CSFW '99 Proceedings of the 12th IEEE workshop on Computer Security Foundations
Confidentiality for Mobile Code: The Case of a Simple Payment Protocol

CSFW '00 Proceedings of the 13th IEEE workshop on Computer Security Foundations
Secure Introduction of One-Way Functions

CSFW '00 Proceedings of the 13th IEEE workshop on Computer Security Foundations
Probabilistic Noninterference for Multi-Threaded Programs

CSFW '00 Proceedings of the 13th IEEE workshop on Computer Security Foundations
Secure Information Flow and Pointer Confinement in a Java-like Language

CSFW '02 Proceedings of the 15th IEEE workshop on Computer Security Foundations
Approximate Non-Interference

CSFW '02 Proceedings of the 15th IEEE workshop on Computer Security Foundations
Quantifying Information Flow

CSFW '02 Proceedings of the 15th IEEE workshop on Computer Security Foundations
Using Replication and Partitioning to Build Secure Distributed Systems

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
Robust Declassification

CSFW '01 Proceedings of the 14th IEEE workshop on Computer Security Foundations
Absorbing covers and intransitive non-interference

SP '95 Proceedings of the 1995 IEEE Symposium on Security and Privacy
Providing flexibility in information flow control for object oriented systems

SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Modelling Downgrading in Information Flow Security

CSFW '04 Proceedings of the 17th IEEE workshop on Computer Security Foundations
Downgrading policies and relaxed noninterference

Proceedings of the 32nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Belief in Information Flow

CSFW '05 Proceedings of the 18th IEEE workshop on Computer Security Foundations
Language-Based Information Erasure

CSFW '05 Proceedings of the 18th IEEE workshop on Computer Security Foundations
Dimensions and Principles of Declassification

CSFW '05 Proceedings of the 18th IEEE workshop on Computer Security Foundations
On the secure implementation of security protocols

ESOP'03 Proceedings of the 12th European conference on Programming
Handling encryption in an analysis for secure information flow

ESOP'03 Proceedings of the 12th European conference on Programming
Language-based information-flow security

IEEE Journal on Selected Areas in Communications

Trusted declassification:: high-level policy for a security-typed language

Proceedings of the 2006 workshop on Programming languages and analysis for security
Run-time principals in information-flow type systems

ACM Transactions on Programming Languages and Systems (TOPLAS)
Cryptographically sound implementations for typed information-flow security

Proceedings of the 35th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Cryptographically-masked flows

Theoretical Computer Science
Who Can Declassify?

Formal Aspects in Security and Trust
Integrating hardware and software information flow analyses

Proceedings of the 2009 ACM SIGPLAN/SIGBED conference on Languages, compilers, and tools for embedded systems
Encoding information flow in Aura

Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security
A language for information flow: dynamic tracking in multiple interdependent dimensions

Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security
A security-preserving compiler for distributed programs: from information-flow policies to cryptographic mechanisms

Proceedings of the 16th ACM conference on Computer and communications security
Declassification: Dimensions and principles

Journal of Computer Security - 18th IEEE Computer Security Foundations Symposium (CSF 18)
On declassification and the non-disclosure policy

Journal of Computer Security - 18th IEEE Computer Security Foundations Symposium (CSF 18)
Encoding information flow in AURA

ACM SIGPLAN Notices
Blunting Differential Attacks on PIN Processing APIs

NordSec '09 Proceedings of the 14th Nordic Conference on Secure IT Systems: Identity and Privacy in the Internet Age
A lattice-based approach to mashup security

ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
Type-based analysis of PIN processing APIs

ESORICS'09 Proceedings of the 14th European conference on Research in computer security
Deductive verification of cryptographic software

Innovations in Systems and Software Engineering
Unifying facets of information integrity

ICISS'10 Proceedings of the 6th international conference on Information systems security
Collaborative Planning with Confidentiality

Journal of Automated Reasoning
Compiling information-flow security to minimal trusted computing bases

ESOP'11/ETAPS'11 Proceedings of the 20th European conference on Programming languages and systems: part of the joint European conferences on theory and practice of software
An introduction to security API analysis

Foundations of security analysis and design VI
Multi-run security

ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Information-flow types for homomorphic encryptions

Proceedings of the 18th ACM conference on Computer and communications security
Cryptographically-Masked flows

SAS'06 Proceedings of the 13th international conference on Static Analysis
A semantic framework for declassification and endorsement

ESOP'10 Proceedings of the 19th European conference on Programming Languages and Systems
Decentralized delimited release

APLAS'11 Proceedings of the 9th Asian conference on Programming Languages and Systems
Noninterference via symbolic execution

FMOODS'12/FORTE'12 Proceedings of the 14th joint IFIP WG 6.1 international conference and Proceedings of the 32nd IFIP WG 6.1 international conference on Formal Techniques for Distributed Systems
Scheduler-Independent declassification

MPC'12 Proceedings of the 11th international conference on Mathematics of Program Construction
Formal verification of side-channel countermeasures using self-composition

Science of Computer Programming
Sapper: a language for hardware-level security policy enforcement

Proceedings of the 19th international conference on Architectural support for programming languages and operating systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Noninterference requires that there is no information flow from sensitive to public data in a given system. However, many systems release sensitive information as part of their intended function and therefore violate noninterference. To control information flow while permitting information release, some systems have a downgrading or declassification mechanism, but this creates the danger that it may cause unintentional information release. This paper shows that a robustness property can be used to characterize programs in which declassification mechanisms cannot be controlled by attackers to release more information than intended. It describes a simple way to provably enforce this robustness property through a type-based compile-time program analysis. The paper also presents a generalization of robustness that supports upgrading (endorsing) data integrity.