Detecting violations of access control and information flow policies in data flow diagrams

The virtual machine in the fine-grained information flow tracking is the basis for realization of transparent cloud platform program level control. The information flow control access to sensitive information in the process, because the authority transfer security level and cannot read or write the non sensitive data, the coarse granularity information flow control is difficult to meet the actual demand of diversification, this paper proposes extended DIFC (Distributed Information Flow Control) model, this model avoids component of cloud platform virtual machine because of the higher level of security sensitive data through reading, it sends or modifies the defects of non sensitive data by transfering the authority, and effectively overcomes the defect that the existing information flow control method for the coarse granularity, and the shortcomings which unable to meet the actual demand, this model guarantees the tracking and control of fine-grained information flow within the virtual machine application, and it does not affect the original cloud service operation.

Cloud now provides a wide range of services hosted by different providers from different domains. These services can be composed together dynamically to realize important tasks. In a composite service, information may flow from one service to subsequent services from different domains. Such information flow, if not properly controlled, may cause undesired leakage of critical data. Existing works on access control for web service do not consider the information flow problem in composite services. Existing information flow control (IFC) techniques is not flexible and cannot work with domain-specific information flow control policies. Existing works on access control for web service do not consider the information flow problem in composite services. Existing information flow control (IFC) techniques are not flexible and cannot work with domain-specific information flow control policies. In this paper, we define the WS-AIFC infrastructure for enforcing access and information flow control. The major goal of WS-AIFC is to provide a new IFC mechanism that can allow each domain to define their own IFC policies while WS-AIFC is capable of preventing undesired information leakage (IFC policy violation) among benign, semi-honest service domains. The main idea in WS-AIFC is to derive and record the dependency list for each data object. The system, upon receiving an access request to a critical data object, not only validates the conventional access control policy for the access, but also extracts the data and the corresponding domains in the dependency list and consults these domains to validate their IFC policies for the indirect access. In summary, WS-AIFC empowers individual domains to control how their information flows and achieves enhanced security for service based systems.

We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard type-theoretic constructions such as monads, higher-order functions, abstract types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and state-dependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic. The system, theorems and examples have all been formalized in Coq.

Dedicated to the memory of John C. Reynolds (1935--2013). We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard type-theoretic constructions such as monads, higher-order functions, abstract types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and state-dependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic.

Due to multi-tenancy, access control is a very important component in SaaS (Software as a Service), especially for controlling cross-tenant accesses. Due to the potential information flow among multiple tenants, information flow control should also be carefully addressed. Existing models for SaaS access control have some limitations, especially in information flow control. In this paper, we define a new SaaS-AIFC model to provide comprehensive and improved access and information flow control in SaaS. SaaS-AIFC incorporates two advanced features. First, SaaS-AIFC integrates the advanced role mapping technique to govern the cross-tenant accesses. Role mapping is very flexible and can be very efficient for SaaS with a large number of tenants. We integrate role mapping in SaaS by developing a detailed process for mapping establishment and retrieval during validation. Second, we propose a new IFC model in SaaS-AIFC, which tracks the dependency of data objects and uses the dependency information to achieve flexible information flow control. An architecture design for realizing the SaaS-AIFC model is also proposed.

Current information systems are more and more complex. They require more interactions between different components and users. So, ensuring system security must not be limited to using an access control model but also, it is primordial to deal with information flows in a system. Thus, an important function of a security policy is to enforce access to different system elements and supervise information flows simultaneously. Several works have been undertaken to join together models of access control and information flow. Unfortunately, beyond the fact that the reference model they use is BLP which is quite rigid, these research works suggest a non integrated models which do nothing but juxtapose access control and information flow controls or are based on a misuse of a mapping between MLS and RBAC models. In this paper, we suggest to formalize DTE model in order to use it as a solution for a flexible information flow control. Then, we integrate it into an unique access control model expressive enough to handle access and flow control security rules. The expressivity of the OrBAC model makes this integration possible and quite natural.

In this paper a meta-model for information flow control is defined using the foundation of Barker's access control meta-model. The purposes for defining this meta-model is to achieve a more principled understanding of information flow control, to compare information flow control and access control at an abstract level, and to explore how information flow control and access control might be composed to yield a rich new set of ideas and systems for controlling the dissemination of sensitive information. It is shown that it is possible to define a meta-model for information flow control, that such a model is more complex compared to the access control meta-model, and that the meta-models for information flow control and access control can be composed in a conceptually straightforward way.

Making Data Flow

Guaranteeing that information processed in computing systems remains confidential is vital for many software applications. To this end, language-based security mechanisms enforce fine-grained access control policies for program variables to prevent secret information from leaking through unauthorized access. However, approaches for language-based security by information flow control mostly work post-hoc, classifying programs into whether they comply with information flow policies or not after the program has been constructed. Means for constructing programs that satisfy given information flow control policies are still missing. Following the correctness-by-construction approach, we propose a development method for specifying information flow policies first and constructing programs satisfying these policies subsequently. We replace functional pre- and postcondition specifications with confidentiality properties and define rules to derive new confidentiality specifications for each refining program construct. We discuss possible extensions including initial ideas for tool support. Applying correctness-by-construction techniques to confidentiality properties constitutes a first step towards security-by-construction.

This research is supported by the China National R&D Key Research Program (2019YFB1705703) and the In-terdisciplinary Program of SJTU, Shanghai, China (No. YG2019ZDA07).

With the advancement of web services technology, security has become an increasingly important issue. Various security standards have been developed to secure web services at the transport and message level, but application level has received less attention. The security solutions at the application level focus on access control which cannot alone ensure the confidentiality and integrity of information. The solution proposed in this paper consists on a hybrid model that combines access control (AC) and information flow control (IFC). The AC mechanism uses the concept of roles and attributes to control user access to web services' methods. The IFC mechanism uses labels to control how the roles access to the system's objects and verify the information flows between them to ensure the information confidentiality and integrity. This manuscript describes the model, gives the demonstration of the IFC model safety, presents the modeling and implementation of the model and a case study.

With the advancement of web services technology, security has become an increasingly important issue. Various security standards have been developed to secure web services at the transport and message level, but application level has received less attention. The security solutions at the application level focus on access control which cannot alone ensure the confidentiality and integrity of information. The solution proposed in this paper consists on a hybrid model that combines access control (AC) and information flow control (IFC). The AC mechanism uses the concept of roles and attributes to control user access to web services' methods. The IFC mechanism uses labels to control how the roles access to the system's objects and verify the information flows between them to ensure the information confidentiality and integrity. This manuscript describes the model, gives the demonstration of the IFC model safety, presents the modeling and implementation of the model and a case study.

Attribute-Based Access Control (ABAC) is an emerging access control model. It is increasingly gaining popularity, mainly because of its flexible and fine-grained access control. As a result, many Role-Based Access Control (RBAC) systems are migrating to ABAC. In such migrations, ABAC mining is used to create ABAC policies from existing RBAC policies. Although ABAC has several advantages, it lacks one of the crucial features required for reliable security, which is information flow control. Due to the complex nature of ABAC policies, it is challenging to analyze the information flows caused by them. In this paper, we address this problem and present an approach for realizing effective information flow control in ABAC systems. With this approach, we can create flow-secure ABAC policies using exiting RBAC policies and associated attributes. With such a flow-secure policy, we can ensure that there are no unintended information flows in the system. KeywordsAttribute-based access controlABAC miningInformation flow control

Information flow control consists of planning the interactions of composed services in order to satisfy different security restrictions concerning the propagation of information in a composition. We present the design and implementation of a decentralized workflow management solution for the control of information flow. Our contribution targets orchestration-based compositions where centralized workflow descriptions are used to derive distributed and cooperating process fragments. The derived process fragments are deployed on composed services and they enable them to establish P2P interconnections with each other with respect to the information flow policies.

Access control mechanisms are widely used with the intent of enforcing confidentiality and other policies, but few formal connections have been made between information flow and access control. Java and C# are object-oriented languages that provide fine-grained access control. An access control list specifies local policy by authorizing permissions for principals (code sources) associated with class declarations; a mechanism called stack inspection checks permissions at run time. An example is given to show how this mechanism can be used to achieve confidentiality goals in situations where a single system call serves callers of differing confidentiality levels and dynamic access control prevents release of high information to low callers. A static analysis is given which applies to such examples. The analysis is shown to ensure a noninterference property formalizing confidentiality.