Developing a Security Typed Java Servlet

Abstract

The lack of security policy enforcement in Web development languages is one of the most important challenges in Web application system development, as there is no formal check for security policy violations that may occur during Web application system development. To check for policy compliance, the programmer must walk through all the code and check every line to make sure that there are no security violations. For example, a developer may develop a Web application system connected to a database that seems to work properly, but it can commit a certain security policy violation by permitting unauthorized users to access the database system. This paper proposes a solution to the above problem by developing an application of a security-typed Java servlet that can run safely on the Web server side. This servlet is developed by embedding the Java code produced by compiling the Java information flow language (Jif) (a security-typed programming language that extends Java with support for information flow control and access control, both at compile time and at run time) into a servlet code format. The code produced by compiling the Jif language is security-typed and supports the servlet with means of flow control and access control. Hence we can guarantee that when we run this servlet in a Web application system, it will check input data passing through the Web application system for security policy violations.

Similar Papers
  • Research Article
  • Cited by: 60
  • 10.1145/2491522.2491523
Dependent Type Theory for Verification of Information Flow and Access Control Policies
  • Jul 1, 2013
  • ACM Transactions on Programming Languages and Systems
  • Aleksandar Nanevski + 2 more

Dedicated to the memory of John C. Reynolds (1935--2013). We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard type-theoretic constructions such as monads, higher-order functions, abstract types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and state-dependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic.

  • Conference Article
  • Cited by: 84
  • 10.1109/sp.2011.12
Verification of Information Flow and Access Control Policies with Dependent Types
  • May 1, 2011
  • Aleksandar Nanevski + 2 more

We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard type-theoretic constructions such as monads, higher-order functions, abstract types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and state-dependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic. The system, theorems and examples have all been formalized in Coq.

  • Conference Article
  • Cited by: 50
  • 10.1109/csfw.2003.1212711
Using access control for secure information flow in a Java-like language
  • Jul 15, 2003
  • A Banerjee + 1 more

Access control mechanisms are widely used with the intent of enforcing confidentiality and other policies, but few formal connections have been made between information flow and access control. Java and C# are object-oriented languages that provide fine-grained access control. An access control list specifies local policy by authorizing permissions for principals (code sources) associated with class declarations; a mechanism called stack inspection checks permissions at run time. An example is given to show how this mechanism can be used to achieve confidentiality goals in situations where a single system call serves callers of differing confidentiality levels and dynamic access control prevents release of high information to low callers. A static analysis is given which applies to such examples. The analysis is shown to ensure a noninterference property formalizing confidentiality.

  • Book Chapter
  • Cited by: 11
  • 10.1007/978-3-540-76929-3_12
An Integrated Model for Access Control and Information Flow Requirements
  • Dec 9, 2007
  • Samiha Ayed + 2 more

Current information systems are more and more complex. They require more interactions between different components and users. So, ensuring system security must not be limited to using an access control model; it is also primordial to deal with information flows in a system. Thus, an important function of a security policy is to enforce access to different system elements and supervise information flows simultaneously. Several works have been undertaken to join together models of access control and information flow. Unfortunately, beyond the fact that the reference model they use is BLP, which is quite rigid, these research works suggest non-integrated models which do nothing but juxtapose access control and information flow controls or are based on a misuse of a mapping between MLS and RBAC models. In this paper, we suggest formalizing the DTE model in order to use it as a solution for flexible information flow control. Then, we integrate it into a unique access control model expressive enough to handle access and flow control security rules. The expressivity of the OrBAC model makes this integration possible and quite natural.

  • Conference Article
  • 10.2991/ameii-15.2015.195
Research on the Tracking Algorithm of Program Level Fine-grained Data based on Cloud Virtual Environment
  • Jan 1, 2015
  • Zhigang Zhang + 3 more

The virtual machine in fine-grained information flow tracking is the basis for the realization of transparent program-level control on a cloud platform. Because information flow control of access to sensitive information in a process transfers the authority's security level and cannot read or write non-sensitive data, coarse-grained information flow control is difficult to adapt to the actual demand for diversification. This paper proposes an extended DIFC (Distributed Information Flow Control) model. This model avoids the defect whereby a component of a cloud platform virtual machine, because of a higher security level, reads sensitive data and then sends or modifies non-sensitive data by transferring the authority; it effectively overcomes the coarse granularity of the existing information flow control method and its inability to meet the actual demand. This model guarantees the tracking and control of fine-grained information flow within the virtual machine application, and it does not affect the original cloud service operation.

  • Research Article
  • Cited by: 39
  • 10.1016/j.jss.2021.111138
Detecting violations of access control and information flow policies in data flow diagrams
  • Nov 10, 2021
  • Journal of Systems and Software
  • Stephan Seifermann + 3 more

The security of software-intensive systems is frequently attacked. High fines or loss in reputation are potential consequences of not maintaining confidentiality, which is an important security objective. Detecting confidentiality issues in early software designs enables cost-efficient fixes. A Data Flow Diagram (DFD) is a modeling notation, which focuses on essential, functional aspects of such early software designs. Existing confidentiality analyses on DFDs support either information flow control or access control, which are the most common confidentiality mechanisms. Combining both mechanisms can be beneficial but existing DFD analyses do not support this. This lack of expressiveness requires designers to switch modeling languages to consider both mechanisms, which can lead to inconsistencies. In this article, we present an extended DFD syntax that supports modeling both, information flow and access control, in the same language. This improves expressiveness compared to related work and avoids inconsistencies. We define the semantics of extended DFDs by clauses in first-order logic. A logic program made of these clauses enables the automated detection of confidentiality violations by querying it. We evaluate the expressiveness of the syntax in a case study. We attempt to model nine information flow cases and six access control cases. We successfully modeled fourteen out of these fifteen cases, which indicates good expressiveness. We evaluate the reusability of models when switching confidentiality mechanisms by comparing the cases that share the same system design, which are three pairs of cases. We successfully show improved reusability compared to the state of the art. We evaluated the accuracy of confidentiality analyses by executing them for the fourteen cases that we could model. We experienced good accuracy.

  • Book Chapter
  • Cited by: 1
  • 10.1016/b978-0-12-382028-0.00002-8
2 - Foundational Security and Access Control Concepts
  • Oct 7, 2011
  • Electronic Access Control
  • Thomas Norman

  • News Article
  • 10.1016/j.jnn.2007.11.003
News
  • Jan 7, 2008
  • Journal of Neonatal Nursing

  • Research Article
  • Cited by: 5
  • 10.1145/1357010.1352624
Manageable fine-grained information flow
  • Apr 1, 2008
  • ACM SIGOPS Operating Systems Review
  • Petros Efstathopoulos + 1 more

The continuing frequency and seriousness of security incidents underline the critical importance of application security. Decentralized information flow control (DIFC), a promising tool for improving application security, gives application developers fine-grained control over security policy and privilege management. DIFC developers can partition much application functionality into untrusted components bound by a kernel- or language-enforced security policy. Unless a (usually smaller and less exposed) trusted component is exploited, the effects of an application compromise are contained by the policy. Although system-based DIFC can simultaneously achieve high performance and effective isolation, it offers a challenging programming model. Fine-grained policy specifications are spread over several application pieces. Common programming errors may be indistinguishable from policy exploit attempts; the system cannot expose developers to information about these errors, complicating debugging. Static checking (as in language-based systems) and new system primitives can reduce these problems, but for dynamic applications like web servers, they do not eliminate them. In this paper we propose subsystems that make decentralized information flow more manageable. First, a policy description language specifies an application-wide security policy in one localized place; communication restrictions are compiled into lower-level labels. Second, information flow-safe debugging mechanisms let developers debug DIFC applications without violating security policies. Although these mechanisms are preliminary, we demonstrate their effectiveness using applications similar to those developed for Asbestos and other DIFC systems.

  • Conference Article
  • Cited by: 42
  • 10.1145/1352592.1352624
Manageable fine-grained information flow
  • Apr 1, 2008
  • Petros Efstathopoulos + 1 more

The continuing frequency and seriousness of security incidents underline the critical importance of application security. Decentralized information flow control (DIFC), a promising tool for improving application security, gives application developers fine-grained control over security policy and privilege management. DIFC developers can partition much application functionality into untrusted components bound by a kernel- or language-enforced security policy. Unless a (usually smaller and less exposed) trusted component is exploited, the effects of an application compromise are contained by the policy. Although system-based DIFC can simultaneously achieve high performance and effective isolation, it offers a challenging programming model. Fine-grained policy specifications are spread over several application pieces. Common programming errors may be indistinguishable from policy exploit attempts; the system cannot expose developers to information about these errors, complicating debugging. Static checking (as in language-based systems) and new system primitives can reduce these problems, but for dynamic applications like web servers, they do not eliminate them. In this paper we propose subsystems that make decentralized information flow more manageable. First, a policy description language specifies an application-wide security policy in one localized place; communication restrictions are compiled into lower-level labels. Second, information flow-safe debugging mechanisms let developers debug DIFC applications without violating security policies. Although these mechanisms are preliminary, we demonstrate their effectiveness using applications similar to those developed for Asbestos and other DIFC systems.

  • Research Article
  • Cited by: 6
  • 10.4018/ijaec.2015100103
An Overview on Access Control Models
  • Oct 1, 2015
  • International Journal of Applied Evolutionary Computation
  • Mouad Mammass + 1 more

Research in the field of information security systems and access control was initiated in the early seventies by the United States Department of Defense, following the emergence of new technical, scientific and social challenges. Since then, many models of security have been set up to answer some specific needs with more or less accuracy in terms of security. This manuscript gives a survey of the current security models with a specific classification in terms of their use: Access Control, Flow Control and Administration. This manuscript is the subject of an assessment of the advantages and drawbacks of access control models cited in the literature and also of the efficiency of their security policies. Finally, a presentation of the contributions of Flow Control and Administration models that allow the reinforcement of security is given.

  • Conference Article
  • 10.1109/icfcc.2010.5497782
A RBAC extended model and its application in unified access control for web application systems
  • Jan 1, 2010
  • Su Zhang + 1 more

On the basis of analyzing the access control demands of web application systems, this paper proposes an extended role-based access control model, RBAC4WAS, and gives formal descriptions of the extended parts. At the same time, this paper shows an application of RBAC4WAS, proposes a unified access control solution (UACS), and discusses the principles of UACS and its implementation methods in detail.

  • Research Article
  • Cited by: 3
  • 10.28945/3639
Understanding Internal Information Systems Security Policy Violations as Paradoxes
  • Jan 1, 2017
  • Interdisciplinary Journal of Information, Knowledge, and Management
  • Kennedy Njenga

Aim/Purpose: Violations of Information Systems (IS) security policies continue to generate great anxiety amongst many organizations that use information systems, partly because these violations are carried out by internal employees. This article addresses IS security policy violations in organizational settings, and conceptualizes and problematizes IS security violations by employees of organizations from a paradox perspective. Background: The paradox is that internal employees are increasingly being perceived as more of a threat to the security of organizational systems than outsiders. The notion of paradox is exemplified in four organizational contexts: the belonging paradox, learning paradox, organizing paradox and performing paradox. Methodology: A qualitative conceptual framework exemplifying how IS security violations occur as paradoxes in the context of these four areas is presented at the end of this article. Contribution: The article contributes to IS security management practice and suggests how IS security managers should be positioned to understand violations in light of this paradox perspective. Findings: The employee, generally in the process of carrying out ordinary activities using computing technology, exemplifies unique tensions (or paradoxes in belonging, learning, organizing and performing), and these tensions would generally tend to lead to policy violations when an imbalance occurs. Recommendations for Practitioners: IS security managers must be sensitive to employees' tensions. Future Research: A quantitative study, where statistical analysis could be applied to generalize findings, could be useful.

  • Supplementary Content
  • Cited by: 7
  • 10.4324/9781315618265-12
Between truth and power
  • Oct 29, 2013
  • SSRN Electronic Journal
  • Julie E Cohen

The call to ‘speak truth to power’, now employed most frequently as a banal protest trope or a generalized call to action, originates in the title of a pamphlet in which intellectual leaders of the Quaker faith opposed the ongoing Cold War and advocated its peaceful resolution. They offered an account of the polarization of the geopolitical landscape that moved beyond the continuing threat of horrific violence to reckon with what a contemporary economist might call the opportunity costs of militarization. Those costs were both moral and material; resources devoted to the production and strategic deployment of expensive weapons were resources that could not be devoted to improving standards of living for the world’s neediest people. For the writers, the most important kind of power was the power to choose between using American might to achieve military domination and using it to advance the cause of human wellbeing. The pamphlet authors’ appeal to the power to choose between domination and human flourishing remains fundamental, and yet their conceptions of both the exercise of domination and the exercise of principled resistance now seem dated in one critical respect. To understand both domination and resistance in the twenty-first century, we must take account of the ways that networked information technologies mediate the ongoing dialogue between truth and power. That relationship cannot be understood via simple deterministic equivalencies. Arguments about the freedom-enhancing potential of the network too often rely on a conception of networked information technologies as inherently connective and egalitarian in their operation, but they are neither. Between truth and power is the code – the technical infrastructures that facilitate information flows between people, and between people and the entities that wield power in their lives – and the code has fractal effects on both power and truth.
Code can become a means for resisting domination or a vehicle for embedding it, but even that formulation is too simple. Through its capacities to authorize, exclude and modulate information flows, code can become a means for multiplying and extending power, and for privatizing and fragmenting truth. The problem of control over information flows thus emerges as an important vantage point from which to interrogate ‘the idea of Power itself, and its impact on [twenty-first] century life’. Although states do attempt to control information flows in various ways, this problem does not map neatly to the exercise of state power, nor does it map to traditional conceptions of power as (capacity for) physical force. Questions about the extent of private control of information flows also have become flash points for public anger about the capacity for self-determination, or lack thereof, enjoyed by ordinary people. Such anger is not frivolous; access to information and control of information are intimately related to the choice between domination and flourishing. Debates about state censorship are highly visible, but they represent only one piece of a larger puzzle, which concerns the extent to which global circuits of information flow are settling into patterns that serve larger constellations of economic and political power. Law and legal institutions are intimately involved in this process, and not only as a means of representation and resistance. Law too stands between truth and power, and code and law together have become tools for structuring contests over the material conditions of understanding, participation and self-determination. This chapter uses the evolving landscape of law and policy in the areas of copyright and information privacy/data protection to explore the issues of control and power in the emerging networked information society. It considers three interrelated sets of developments.
The second section describes patterns of information flow in the domains of copyright and information privacy/data protection, and considers the distinctive kinds of power relations that they are producing. The third section explores the evolving conceptualization of legal rights in the two domains, and traces the ways that the ongoing production and reproduction of private economic power are reshaping shared understandings of what the law guarantees. We see there that both copyright law and information privacy/data protection law have become entry points for neoliberalization within narratives about fundamental rights of authorship, cultural participation, and privacy. In the fourth section, we see that processes of neoliberalization do not involve only concepts. Pressures to reinforce private control of information flows are catalysing far-reaching changes in the structure of governance institutions, altering not only the interpretation of fundamental legal guarantees but also the mechanisms by which legal rights and obligations are defined and enforced. A more systematic integration of questions about control over information flows within traditional legal narratives about fundamental rights and human development is urgently needed, but I argue that it is also important to consider the ways that established institutional pathways for defining and vindicating rights and promoting development agendas are being circumvented by emerging networked governance institutions.

  • Research Article
  • Cited by: 144
  • 10.1017/s0956796804005453
Stack-based access control and secure information flow
  • Mar 1, 2005
  • Journal of Functional Programming
  • Anindya Banerjee + 1 more

Access control mechanisms are often used with the intent of enforcing confidentiality and integrity policies, but few rigorous connections have been made between information flow and runtime access control. The Java virtual machine and the .NET runtime system provide a dynamic access control mechanism in which permissions are granted to program units and a runtime mechanism checks permissions of code in the calling chain. We investigate a design pattern by which this mechanism can be used to achieve confidentiality and integrity goals: a single interface serves callers of more than one security level and dynamic access control prevents release of high information to low callers. Programs fitting this pattern would be rejected by previous flow analyses. We give a static analysis that admits them, using permission-dependent security types. The analysis is given for a class-based object-oriented language with features including inheritance, dynamic binding, dynamically allocated mutable objects, type casts and recursive types. The analysis is shown to ensure a noninterference property formalizing confidentiality and integrity.
