Abstract
We propose a rigorous comparison of information flow monitors with respect to two dimensions: soundness and transparency.
For soundness, we observe that the standard information flow security definition, Termination-Insensitive Noninterference (TINI), allows the presence of termination channels, but it does not distinguish whether a termination channel was already present in the original program or was introduced by the monitor. We propose a stronger notion of noninterference, which we call Termination-Aware Noninterference (TANI), that captures this distinction and thus allows us to evaluate the security guarantees of different monitors more precisely. We further investigate TANI and state its formal relations to other soundness guarantees of information flow monitors. For transparency, we identify different notions from the literature that aim at comparing the behaviour of monitors. We observe that one notion commonly used in the literature is not adequate, since it rates as better a monitor that accepts insecure executions, and hence may increase the knowledge of the attacker. To discriminate between monitors' behaviours on secure and insecure executions, we factor out two notions that we call true and false transparency. These notions allow us to compare monitors that were previously deemed incomparable.
We analyse five widely explored information flow monitors: no-sensitive-upgrade (NSU), permissive-upgrade (PU), hybrid monitor (HM), secure multi-execution (SME), and multiple facets (MF).
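As an added illustration (not code from the paper), the following tiny interpreter carries a no-sensitive-upgrade (NSU) monitor and is run over two constructed programs to show the distinction TANI captures: P1 has no termination channel of its own, yet NSU stops it only when h = 1, so the monitor introduces one; P2 already diverges for h = 1, so NSU adds nothing. The language, the NSU rule as coded here, and the programs are simplifying assumptions of mine, not the paper's formalisation.

```python
H, L = "H", "L"               # security labels: h is secret (H), l is public (L)
STEP_LIMIT = 10_000           # runs exceeding this budget are reported as diverging
class Blocked(Exception): pass    # the NSU monitor stopped the run
class Diverged(Exception): pass   # step budget exhausted
join = lambda *ls: H if H in ls else L
var = lambda v: (lambda env: env[v], {v})        # expression reading variable v
const = lambda n: (lambda env: n, set())         # constant expression, reads nothing

def run(prog, h, nsu=False):
    """Run prog on secret h. Returns ('term', l), ('blocked', None) or ('diverge', None)."""
    env, lab, steps = {"h": h, "l": 0}, {"h": H, "l": L}, [0]
    def tick():
        steps[0] += 1
        if steps[0] > STEP_LIMIT:
            raise Diverged
    def exec_block(stmts, pc):
        for s in stmts:
            tick()
            if s[0] == "assign":               # ("assign", x, expr)
                _, x, (fn, reads) = s
                # NSU: refuse to raise a public variable's label under a secret pc
                if nsu and pc == H and lab[x] == L:
                    raise Blocked
                env[x] = fn(env)
                lab[x] = join(pc, *(lab[v] for v in reads))
            elif s[0] == "if":                 # ("if", cond, then_block, else_block)
                _, (fn, reads), thn, els = s
                exec_block(thn if fn(env) else els, join(pc, *(lab[v] for v in reads)))
            else:                              # ("while", cond, body)
                _, (fn, reads), body = s
                while tick() or fn(env):       # tick() returns None, so this only counts steps
                    exec_block(body, join(pc, *(lab[v] for v in reads)))
    try:
        exec_block(prog, L)
    except Blocked:
        return ("blocked", None)
    except Diverged:
        return ("diverge", None)
    return ("term", env["l"])

def terminates(prog, nsu=False):
    """Which secret inputs lead to termination, for the original or the NSU-monitored run."""
    return {h: run(prog, h, nsu)[0] == "term" for h in (0, 1)}

def monitor_adds_termination_channel(prog):
    return all(terminates(prog).values()) and not all(terminates(prog, nsu=True).values())

# Constructed programs (not from the paper): P1 terminates for every h on its own;
# P2 loops forever when h = 1, so its termination channel belongs to the program itself.
P1 = [("assign", "l", const(1)), ("if", var("h"), [("assign", "l", const(0))], [])]
P2 = [("while", var("h"), [("assign", "h", var("h"))])]
```

Under TINI both monitored runs of P1 are accepted as secure, while TANI flags the NSU-monitored P1 because the termination channel is the monitor's own.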
Notes
1. This is indeed a lower bound since some monitors, like SME, also enforce termination- and time-sensitive noninterference.
2. Remember that the bigger knowledge set corresponds to the smaller knowledge or to the increased uncertainty.
3. Bauer et al. [8] actually provide a more subtle definition, saying a monitor should output a semantically equivalent trace.
References
A Taxonomy of Information Flow Monitors. Technical report. https://team.inria.fr/indes/taxonomy
Abadi, M., Lamport, L.: Composing specifications. ACM Trans. Program. Lang. Syst. 15(1), 73–132 (1993)
Askarov, A., Sabelfeld, A.: Gradual release: unifying declassification, encryption and key release policies. In: IEEE Symposium on Security and Privacy, pp. 207–221 (2007)
Askarov, A., Sabelfeld, A.: Tight enforcement of information-release policies for dynamic languages. In: Proceedings of the 22nd IEEE Computer Security Foundations Symposium, CSF 2009, pp. 43–59. IEEE Computer Society (2009)
Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. In: PLAS 2009, pp. 113–124 (2009)
Austin, T.H., Flanagan, C.: Permissive dynamic information flow analysis. In: PLAS 2010, pp. 3:1–3:12. ACM (2010)
Austin, T.H., Flanagan, C.: Multiple facets for dynamic information flow. In: Proceedings of the 39th Symposium on Principles of Programming Languages. ACM (2012)
Bauer, L., Ligatti, J., Walker, D.: Edit automata: enforcement mechanisms for run-time security policies. Int. J. Inf. Secur. 4(1–2), 2–16 (2005)
Besson, F., Bielova, N., Jensen, T.: Hybrid information flow monitoring against web tracking. In: CSF 2013, pp. 240–254. IEEE (2013)
Bichhawat, A., Rajani, V., Garg, D., Hammer, C.: Generalizing permissive-upgrade in dynamic information flow analysis. In: Proceedings of the Ninth Workshop on Programming Languages, Analysis for Security, PLAS 2014, pp. 15:15–15:24. ACM (2014)
Clarkson, M.R., Schneider, F.B.: Hyperproperties. J. Comput. Secur. 18(6), 1157–1210 (2010)
Devriese, D., Piessens, F.: Non-interference through secure multi-execution. In: Proceedings of the Symposium on Security and Privacy, pp. 109–124. IEEE (2010)
Erlingsson, U.: The Inlined Reference Monitor Approach to Security Policy Enforcement. PhD thesis, Cornell University (2003)
Le Guernic, G., Banerjee, A., Jensen, T., Schmidt, D.A.: Automata-based confidentiality monitoring. In: Okada, M., Satoh, I. (eds.) ASIAN 2006. LNCS, vol. 4435, pp. 75–89. Springer, Heidelberg (2008)
Hamlen, K.W., Morrisett, G., Schneider, F.B.: Computability classes for enforcement mechanisms. ACM Trans. Program. Lang. Syst. 28(1), 175–205 (2006)
Hedin, D., Bello, L., Sabelfeld, A.: Value-sensitive hybrid information flow control for a JavaScript-like language. In: IEEE 28th Computer Security Foundations Symposium, CSF (2015)
Hedin, D., Sabelfeld, A.: Information-flow security for a core of JavaScript. In: Proceedings of the 25th Computer Security Foundations Symposium, pp. 3–18. IEEE (2012)
Hunt, S., Sands, D.: On flow-sensitive security types. In: POPL 2006, pp. 79–90. ACM, New York, January 2006
Le Guernic, G.: Confidentiality Enforcement Using Dynamic Information Flow Analyses. PhD thesis, Kansas State University and University of Rennes 1 (2007)
Le Guernic, G.: Precise dynamic verification of confidentiality. In: Proceedings of the 5th International Verification Workshop, CEUR Workshop Proceedings, vol. 372, pp. 82–96 (2008)
Le Guernic, G., Banerjee, A., Jensen, T., Schmidt, D.A.: Automata-based confidentiality monitoring. In: Okada, M., Satoh, I. (eds.) ASIAN 2006. LNCS, vol. 4435, pp. 75–89. Springer, Heidelberg (2008)
Ligatti, J., Bauer, L., Walker, D.W.: Enforcing non-safety security policies with program monitors. In: di Vimercati, S.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 355–373. Springer, Heidelberg (2005)
Almeida-Matos, A., Fragoso Santos, J., Rezk, T.: An information flow monitor for a core of DOM. In: Maffei, M., Tuosto, E. (eds.) TGC 2014. LNCS, vol. 8902, pp. 1–16. Springer, Heidelberg (2014)
McLean, J.: A general theory of composition for a class of “possibilistic” properties. IEEE Trans. Softw. Eng. 22(1), 53–67 (1996)
Russo, A., Sabelfeld, A.: Dynamic vs. static flow-sensitive security analysis. In: Proceedings of the 23rd Computer Security Foundations Symposium, pp. 186–199. IEEE (2010)
Sabelfeld, A., Sands, D.: Declassification: dimensions and principles. J. Comput. Secur. 17(5), 517–548 (2009)
Santos, J.F., Rezk, T.: An information flow monitor-inlining compiler for securing a core of JavaScript. In: ICT Systems Security and Privacy Protection, 29th IFIP TC 11 International Conference, SEC 2014 (2014)
Schneider, F.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3(1), 30–50 (2000)
Terauchi, T., Aiken, A.: Secure information flow as a safety problem. In: Hankin, C., Siveroni, I. (eds.) SAS 2005. LNCS, vol. 3672, pp. 352–367. Springer, Heidelberg (2005)
Volpano, D., Smith, G.: Eliminating covert flows with minimum typings. In: Proceedings of the 10th IEEE Computer Security Foundations Workshop, pp. 156–168. IEEE Computer Society Press (1997)
Volpano, D., Smith, G., Irvine, C.: A sound type system for secure flow analysis. J. Comput. Secur. 4(2–3), 167–187 (1996)
Zanarini, D., Jaskelioff, M., Russo, A.: Precise enforcement of confidentiality for reactive systems. In: IEEE 26th Computer Security Foundations Symposium, pp. 18–32 (2013)
Zdancewic, S.A.: Programming languages for information security. PhD thesis, Cornell University (2002)
Acknowledgment
We would like to thank Ana Almeida Matos for her valuable feedback and interesting discussions that have led us to develop the main ideas of this paper, Aslan Askarov for his input to the definition of TANI, and the anonymous reviewers for feedback that helped to improve this paper. This work has been partially supported by the ANR project AJACS ANR-14-CE28-0008.
Copyright information
© 2016 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Bielova, N., Rezk, T. (2016). A Taxonomy of Information Flow Monitors. In: Piessens, F., Viganò, L. (eds) Principles of Security and Trust. POST 2016. Lecture Notes in Computer Science, vol 9635. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49635-0_3
DOI: https://doi.org/10.1007/978-3-662-49635-0_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-49634-3
Online ISBN: 978-3-662-49635-0