A Taxonomy of Information Flow Monitors

Conference paper
Principles of Security and Trust (POST 2016)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 9635)

Abstract

We propose a rigorous comparison of information flow monitors with respect to two dimensions: soundness and transparency.

For soundness, we observe that the standard information flow security definition, Termination-Insensitive Noninterference (TINI), tolerates termination channels but does not distinguish a termination channel that was already present in the original program from one introduced by the monitor. We propose a stronger notion of noninterference, which we call Termination-Aware Noninterference (TANI), that captures this distinction and thus lets us evaluate the security guarantees of different monitors more precisely. We further investigate TANI and state its formal relations to other soundness guarantees of information flow monitors. For transparency, we identify the different notions from the literature that aim at comparing the behaviour of monitors. We observe that one notion commonly used in the literature is inadequate: it ranks as better a monitor that accepts insecure executions, and hence may increase the attacker's knowledge. To discriminate between monitors' behaviour on secure and on insecure executions, we factor out two notions that we call true and false transparency. These notions allow us to compare monitors that were previously deemed incomparable.

We analyse five widely explored information flow monitors: no-sensitive-upgrade (NSU), permissive-upgrade (PU), hybrid monitor (HM), secure multi-execution (SME), and multiple facets (MF).
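The two dimensions in the abstract can be made concrete on a toy language. The following is an added example in Python, not code from the paper or its authors: it implements a loop-free imperative language with flow-sensitive dynamic labels, a simplified version of the no-sensitive-upgrade (NSU) rule (an assignment to a currently low-labelled variable under a high program counter stops the run), a TANI-style check for whether the monitor makes termination depend on the secret, and counts of true and false transparency. The two programs, the label assignment and the two-valued input domain are constructed for the example; the "insecure execution" notion used is a simplified, termination-insensitive one (some input with the same public view yields a different public output), not the paper's knowledge-based definition.

```python
"""Monitor-introduced termination channels and true/false transparency (added example)."""
from dataclasses import dataclass
from itertools import product

HIGH, LOW = "H", "L"


def lub(a, b):
    return HIGH if HIGH in (a, b) else LOW


@dataclass(frozen=True)
class Assign:
    var: str
    fn: object      # callable: memory -> value of the right-hand side
    reads: tuple    # variables the right-hand side depends on (for its label)


@dataclass(frozen=True)
class If:
    fn: object
    reads: tuple
    then: tuple
    orelse: tuple = ()


class Stopped(Exception):
    """Raised by a monitor that halts the execution."""


def nsu(pc, var, lab):
    """Simplified NSU rule (Austin & Flanagan): no write to a low variable under a high pc."""
    if pc == HIGH and lab[var] == LOW:
        raise Stopped()


def run(prog, values, labels, monitor):
    """Run prog; returns the final memory, or None if the monitor stopped the execution.
    monitor is None (plain semantics) or monitor(pc, var, labels) that may raise Stopped.
    Labels are flow-sensitive: an assigned variable takes lub(pc, label of expression)."""
    mem, lab = dict(values), dict(labels)

    def exec_block(cmds, pc):
        for c in cmds:
            expr_lab = LOW
            for v in c.reads:
                expr_lab = lub(expr_lab, lab[v])
            if isinstance(c, Assign):
                if monitor is not None:
                    monitor(pc, c.var, lab)
                mem[c.var] = c.fn(mem)
                lab[c.var] = lub(pc, expr_lab)
            else:
                exec_block(c.then if c.fn(mem) else c.orelse, lub(pc, expr_lab))

    try:
        exec_block(prog, LOW)
    except Stopped:
        return None
    return mem


def low_view(mem, labels):
    """What the attacker observes: the variables that are public in the initial labelling."""
    return tuple(sorted((v, mem[v]) for v in mem if labels[v] == LOW))


def all_inputs(labels, domain=(0, 1)):
    names = sorted(labels)
    return [dict(zip(names, vals)) for vals in product(domain, repeat=len(names))]


def monitor_introduces_termination_channel(prog, labels, monitor):
    """TANI-style check. The language has no loops, so the original program always terminates;
    the monitor adds a termination channel if, for some fixed public input, whether the
    monitored run terminates depends on the secret part of the input."""
    by_low = {}
    for m in all_inputs(labels):
        by_low.setdefault(low_view(m, labels), []).append(run(prog, m, labels, monitor) is None)
    return any(any(stops) and not all(stops) for stops in by_low.values())


def execution_is_insecure(prog, m, labels):
    """Simplified notion: the run on m leaks if some input with the same public view gives a
    different public output under the original (unmonitored) semantics."""
    out = low_view(run(prog, m, labels, None), labels)
    return any(low_view(run(prog, m2, labels, None), labels) != out
               for m2 in all_inputs(labels) if low_view(m2, labels) == low_view(m, labels))


def transparency(prog, labels, monitor):
    """Returns ((true_ok, true_total), (false_ok, false_total)): secure executions the monitor
    leaves unchanged (true transparency) and insecure executions it lets through unchanged
    (false transparency, i.e. leaks the monitor failed to stop)."""
    true_ok = true_total = false_ok = false_total = 0
    for m in all_inputs(labels):
        orig, mon = run(prog, m, labels, None), run(prog, m, labels, monitor)
        unchanged = mon is not None and low_view(mon, labels) == low_view(orig, labels)
        if execution_is_insecure(prog, m, labels):
            false_total, false_ok = false_total + 1, false_ok + unchanged
        else:
            true_total, true_ok = true_total + 1, true_ok + unchanged
    return (true_ok, true_total), (false_ok, false_total)


# Constructed programs over a secret h and a public l, both ranging over {0, 1}.
LABELS = {"h": HIGH, "l": LOW}
# l := 1; if h then l := 1      -- noninterferent: l is always 1 at the end
P_SECURE = (Assign("l", lambda m: 1, ()),
            If(lambda m: m["h"], ("h",), (Assign("l", lambda m: 1, ()),)))
# l := 0; if h then l := 1      -- implicit flow: l ends up equal to h
P_LEAK = (Assign("l", lambda m: 0, ()),
          If(lambda m: m["h"], ("h",), (Assign("l", lambda m: 1, ()),)))

if __name__ == "__main__":
    print("NSU adds a termination channel to P_SECURE:",
          monitor_introduces_termination_channel(P_SECURE, LABELS, nsu))
    print("NSU on P_SECURE (true, false):", transparency(P_SECURE, LABELS, nsu))
    print("NSU on P_LEAK   (true, false):", transparency(P_LEAK, LABELS, nsu))
    print("no monitor on P_LEAK (true, false):", transparency(P_LEAK, LABELS, None))
```

On P_SECURE the unmonitored program is noninterferent and always terminates, yet NSU stops exactly the runs with h = 1, so whether the monitored run terminates reveals the secret: a termination channel the program did not have. On P_LEAK, running no monitor at all "accepts" every execution and would win under a notion that only counts accepted executions; splitting the count into true and false transparency shows that all of those accepted executions are leaks, while NSU only lets the h = 0 runs through.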


Notes

  1. This is indeed a lower bound, since some monitors, like SME, also enforce termination- and time-sensitive noninterference.

  2. Recall that a larger knowledge set corresponds to less knowledge, i.e. to greater uncertainty for the attacker.

  3. Bauer et al. [8] actually provide a more subtle definition, saying that a monitor should output a semantically equivalent trace.

References

  1. A Taxonomy of Information Flow Monitors. Technical report. https://team.inria.fr/indes/taxonomy

  2. Abadi, M., Lamport, L.: Composing specifications. ACM Trans. Program. Lang. Syst. 15(1), 73–132 (1993)

  3. Askarov, A., Sabelfeld, A.: Gradual release: unifying declassification, encryption and key release policies. In: IEEE Symposium on Security and Privacy, pp. 207–221. IEEE (2007)

  4. Askarov, A., Sabelfeld, A.: Tight enforcement of information-release policies for dynamic languages. In: Proceedings of the 22nd IEEE Computer Security Foundations Symposium, CSF 2009, pp. 43–59. IEEE Computer Society (2009)

  5. Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. In: PLAS 2009, pp. 113–124. ACM (2009)

  6. Austin, T.H., Flanagan, C.: Permissive dynamic information flow analysis. In: PLAS 2010, pp. 3:1–3:12. ACM (2010)

  7. Austin, T.H., Flanagan, C.: Multiple facets for dynamic information flow. In: Proceedings of the 39th Symposium on Principles of Programming Languages, POPL 2012. ACM (2012)

  8. Bauer, L., Ligatti, J., Walker, D.: Edit automata: enforcement mechanisms for run-time security policies. Int. J. Inf. Secur. 4(1–2), 2–16 (2005)

  9. Besson, F., Bielova, N., Jensen, T.: Hybrid information flow monitoring against web tracking. In: CSF 2013, pp. 240–254. IEEE (2013)

  10. Bichhawat, A., Rajani, V., Garg, D., Hammer, C.: Generalizing permissive-upgrade in dynamic information flow analysis. In: Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security, PLAS 2014, pp. 15:15–15:24. ACM (2014)

  11. Clarkson, M.R., Schneider, F.B.: Hyperproperties. J. Comput. Secur. 18(6), 1157–1210 (2010)

  12. Devriese, D., Piessens, F.: Non-interference through secure multi-execution. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 109–124. IEEE (2010)

  13. Erlingsson, U.: The Inlined Reference Monitor Approach to Security Policy Enforcement. PhD thesis, Cornell University (2003)

  14. Le Guernic, G., Banerjee, A., Jensen, T., Schmidt, D.A.: Automata-based confidentiality monitoring. In: Okada, M., Satoh, I. (eds.) ASIAN 2006. LNCS, vol. 4435, pp. 75–89. Springer, Heidelberg (2008)

  15. Hamlen, K.W., Morrisett, G., Schneider, F.B.: Computability classes for enforcement mechanisms. ACM Trans. Program. Lang. Syst. 28(1), 175–205 (2006)

  16. Hedin, D., Bello, L., Sabelfeld, A.: Value-sensitive hybrid information flow control for a JavaScript-like language. In: IEEE 28th Computer Security Foundations Symposium, CSF 2015. IEEE (2015)

  17. Hedin, D., Sabelfeld, A.: Information-flow security for a core of JavaScript. In: Proceedings of the 25th Computer Security Foundations Symposium, CSF 2012, pp. 3–18. IEEE (2012)

  18. Hunt, S., Sands, D.: On flow-sensitive security types. In: POPL 2006, pp. 79–90. ACM (2006)

  19. Le Guernic, G.: Confidentiality Enforcement Using Dynamic Information Flow Analyses. PhD thesis, Kansas State University and University of Rennes 1 (2007)

  20. Le Guernic, G.: Precise dynamic verification of confidentiality. In: Proceedings of the 5th International Verification Workshop, CEUR Workshop Proceedings, vol. 372, pp. 82–96 (2008)

  21. Le Guernic, G., Banerjee, A., Jensen, T., Schmidt, D.A.: Automata-based confidentiality monitoring. In: Okada, M., Satoh, I. (eds.) ASIAN 2006. LNCS, vol. 4435, pp. 75–89. Springer, Heidelberg (2008)

  22. Ligatti, J., Bauer, L., Walker, D.W.: Enforcing non-safety security policies with program monitors. In: di Vimercati, S.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 355–373. Springer, Heidelberg (2005)

  23. Almeida-Matos, A., Fragoso Santos, J., Rezk, T.: An information flow monitor for a core of DOM. In: Maffei, M., Tuosto, E. (eds.) TGC 2014. LNCS, vol. 8902, pp. 1–16. Springer, Heidelberg (2014)

  24. McLean, J.: A general theory of composition for a class of "possibilistic" properties. IEEE Trans. Softw. Eng. 22(1), 53–67 (1996)

  25. Russo, A., Sabelfeld, A.: Dynamic vs. static flow-sensitive security analysis. In: Proceedings of the 23rd Computer Security Foundations Symposium, CSF 2010, pp. 186–199. IEEE (2010)

  26. Sabelfeld, A., Sands, D.: Declassification: dimensions and principles. J. Comput. Secur. 17(5), 517–548 (2009)

  27. Santos, J.F., Rezk, T.: An information flow monitor-inlining compiler for securing a core of JavaScript. In: ICT Systems Security and Privacy Protection, 29th IFIP TC 11 International Conference, SEC 2014 (2014)

  28. Schneider, F.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3(1), 30–50 (2000)

  29. Terauchi, T., Aiken, A.: Secure information flow as a safety problem. In: Hankin, C., Siveroni, I. (eds.) SAS 2005. LNCS, vol. 3672, pp. 352–367. Springer, Heidelberg (2005)

  30. Volpano, D., Smith, G.: Eliminating covert flows with minimum typings. In: Proceedings of the 10th IEEE Computer Security Foundations Workshop, CSFW 1997, pp. 156–168. IEEE Computer Society Press (1997)

  31. Volpano, D., Smith, G., Irvine, C.: A sound type system for secure flow analysis. J. Comput. Secur. 4(2–3), 167–187 (1996)

  32. Zanarini, D., Jaskelioff, M., Russo, A.: Precise enforcement of confidentiality for reactive systems. In: IEEE 26th Computer Security Foundations Symposium, CSF 2013, pp. 18–32. IEEE (2013)

  33. Zdancewic, S.A.: Programming Languages for Information Security. PhD thesis, Cornell University (2002)

Acknowledgment

We would like to thank Ana Almeida Matos for her valuable feedback and interesting discussions that have led us to develop the main ideas of this paper, Aslan Askarov for his input to the definition of TANI, and the anonymous reviewers for feedback that helped to improve this paper. This work has been partially supported by the ANR project AJACS ANR-14-CE28-0008.

Author information

Corresponding author: Nataliia Bielova


Copyright information

© 2016 Springer-Verlag Berlin Heidelberg

Cite this paper

Bielova, N., Rezk, T. (2016). A Taxonomy of Information Flow Monitors. In: Piessens, F., Viganò, L. (eds) Principles of Security and Trust. POST 2016. Lecture Notes in Computer Science, vol. 9635. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49635-0_3

  • DOI: https://doi.org/10.1007/978-3-662-49635-0_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-49634-3

  • Online ISBN: 978-3-662-49635-0
