Abstract

Because information flow control mechanisms often rely on an underlying authorization mechanism, their security guarantees can be subverted by weaknesses in authorization. Conversely, the security of authorization can be subverted by information flows that leak information or that influence how authority is delegated between principals. We argue that interactions between information flow and authorization create security vulnerabilities that have not been fully identified or addressed in prior work. We explore how the security of decentralized information flow control (DIFC) is affected by three aspects of its underlying authorization mechanism: first, delegation of authority between principals; second, revocation of previously delegated authority; and third, information flows created by the authorization mechanisms themselves. It is no surprise that revocation poses challenges, but we show that even delegation is problematic because it enables unauthorized downgrading. Our solution is a new security model, the Flow-Limited Authorization Model (FLAM), which offers a new, integrated approach to authorization and information flow control. FLAM ensures robust authorization, a novel security condition for authorization queries that ensures attackers cannot influence authorization decisions or learn confidential trust relationships. We discuss our prototype implementation and its algorithm for proof search.

Highlights

  • A major concern of computer security is the protection of information.

  • To give the Flow-Limited Authorization Model (FLAM) the expressive power of some previous authorization systems, such as role-based access control (RBAC) [33] and the Decentralized Label Model (DLM) [63], we introduce another way to construct principals.

  • We have demonstrated that FLAM can be used to provide robust authorization in realistic authorization mechanisms by developing a prototype implementation and using it to implement ARBAC97 [76], an expressive role-based access control model.


Summary

INTRODUCTION

A major concern of computer security is the protection of information. There are several dimensions of information worthy of protection, but of particular interest are its confidentiality and integrity. The narrow interactions between authorization and information flow in existing DIFC systems permit many details of the authorization mechanism to be abstracted away. At this high level of abstraction, many existing approaches to authorization would seem applicable to DIFC settings, including authorization logics [2, 49, 78], role-based access control (RBAC) [33], and trust management [9, 51, 83]. However, this level of abstraction omits important aspects of authorization mechanisms that impact the security of the information they are meant to protect—especially in the distributed, decentralized, and dynamic settings most relevant to modern applications. Our approach extends the notion of a principal’s authority or privilege level from the set of actions a principal may perform to include the set of flows a principal may receive or influence.
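The abstract's claim that delegation alone enables unauthorized downgrading, and the robust-authorization remedy, can be seen in a deliberately small model. The following is an added illustration, not code from the thesis or its FLAM prototype: it assumes a flat acts-for graph in which each delegation records which principals' untrusted input influenced its creation, a DLM-style declassification check that consults that graph blindly, and a robust variant that refuses to rely on any delegation the beneficiary of the downgrade could have influenced (the principals, document and delegations are constructed for the example).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Delegation:
    """`superior` acts for `inferior`. `influenced_by` lists principals whose
    untrusted input reached the code that created the delegation (empty means
    it was created entirely under the inferior's own control)."""
    superior: str
    inferior: str
    influenced_by: frozenset = frozenset()


def acts_for(delegations, sup, inf):
    """Reflexive-transitive closure of the delegation graph: does sup act for inf?"""
    seen, frontier = {sup}, [sup]
    while frontier:
        p = frontier.pop()
        if p == inf:
            return True
        for d in delegations:
            if d.superior == p and d.inferior not in seen:
                seen.add(d.inferior)
                frontier.append(d.inferior)
    return False


def naive_may_declassify(delegations, owner, reader):
    """DLM-style check: every delegation counts, however it came to exist."""
    return acts_for(delegations, reader, owner)


def robust_may_declassify(delegations, owner, reader):
    """Robust check: discard any delegation influenced by a principal the reader
    acts for (the reader could have spoken through that principal). Testing
    influence against the full graph is conservative, which is the safe side."""
    usable = [d for d in delegations
              if not any(acts_for(delegations, reader, t) for t in d.influenced_by)]
    return acts_for(usable, reader, owner)


# Constructed scenario (not from the thesis): alice owns a confidential document.
SCENARIO = [
    Delegation("carol", "alice"),                        # alice's deputy, created by alice alone
    Delegation("bob", "mallory"),                        # bob holds mallory's authority
    Delegation("bob", "alice", frozenset({"mallory"})),  # added by alice's code while handling mallory's request
]

if __name__ == "__main__":
    for reader in ("carol", "bob"):
        print(reader, "naive:", naive_may_declassify(SCENARIO, "alice", reader),
              "robust:", robust_may_declassify(SCENARIO, "alice", reader))
```

The naive check lets bob read alice's document because a delegation mallory's request caused to be created now says bob acts for alice; the robust check discards that delegation, since bob acts for mallory, while carol's legitimately created authority still passes.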

Modeling information flow and authorization
Building information security abstractions
Enforcing flow-limited authorization in Haskell
CHAPTER 2 VULNERABILITIES IN EXISTING APPROACHES
Delegation loopholes
Poaching attacks
Leaking information via authorization
Vulnerabilities in other systems
Unifying principals and policies
Authority projections
The information flow ordering
Owned principals
FLAM normal form
Secure reasoning with dynamic trust
System model and trust configuration
Flow-limited judgments
Robust derivations
Speaking for other principals
Rules for flow-limited reasoning
Robust authorization
FLAM prototype
Efficient flow-limited query processing
Example
Dynamic authorization mechanisms
Commitment schemes
Bearer credentials with caveats
The FLAM principal lattice
Flow-Limited Authorization Calculus
Examples revisited
Bearer credentials
Properties of says
Dynamic hand-off
Delegation invariance
Noninterference
Robust declassification
Run-time and type-level principals
Expressing and solving acts for constraints
An algorithm for solving actsFor constraints
Creating new delegations
Enforcing information flow control with acts-for constraints
Safely enabling new flows
Secure programming with Flame
Flow-limited authorization with Macaroons
CHAPTER 6 RELATED WORK
CONCLUSION
FLAM acts-for proof search algorithm
Normalization algorithm
Proofs of FLAC noninterference and robustness
Commitment scheme verification
Haskell source: embargoed secret messages with macaroons
